3 results (0.016 seconds)

CVSS: 2.1EPSS: 0%CPEs: 27EXPL: 1

Cross-site scripting (XSS) vulnerability in the password_policy_admin_view function in password_policy.admin.inc in the Password Policy module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with the "Administer policies" permission to inject arbitrary web script or HTML via the "Password Expiration Warning" field to the admin/config/people/password_policy/add page. Vulnerabilidad Cross-site scripting (XSS) en la función password_policy_admin_view en password_policy.admin.inc en el módulo Password Policy v6.x-1.x anterior a v6.x-1.6 y v7.x-1.x anterior a v7.x-1.5 para Drupal, lo que permite a usuarios remotos autenticados con el permiso "Administer policies" inyectar secuencias de comandos web o HTML arbitrarias a través del campo "Password Expiration Warning" en la página admin/config/people/password_policy/add. • http://www.madirish.net/557 http://www.openwall.com/lists/oss-security/2013/08/22/2 http://www.securityfocus.com/bid/61780 https://drupal.org/node/2065241 https://drupal.org/node/2065387 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 0%CPEs: 24EXPL: 0

The Password policy module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to obtain password hashes by sniffing the network, related to "client-side password history checks." El módulo Password policy v6.x-1.x antes de v6.x-1.5 y v7.x-1.x antes de v7.x-1.3 para Drupal permite a atacantes remotos obtener resúmenes de contraseñas esnifando la red, relacionado con "verificación del historial de contraseñas del lado de cliente" • http://drupal.org/node/1828130 http://drupal.org/node/1828142 http://drupal.org/node/1828340 http://www.openwall.com/lists/oss-security/2012/11/20/4 http://www.securityfocus.com/bid/56350 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.8EPSS: 0%CPEs: 10EXPL: 1

Cross-site request forgery (CSRF) vulnerability in the Password Policy module before 6.x-1.4 and 7.x-1.0 beta3 for Drupal allows remote attackers to hijack the authentication of administrative users for requests that unblock a user. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en el módulo Password Policy anterior a versiones 6.x hasta 1.4 y 7.x hasta 1.0 beta3 para Drupal, permite a los atacantes remotos secuestrar la autenticación de usuarios administrativos para peticiones que desbloqueen a un usuario. • http://drupal.org/node/1401678 http://drupalcode.org/project/password_policy.git/commit/3c688c3b4a3ed96fdc4b89883595633338c7ebb6 http://secunia.com/advisories/47541 http://www.openwall.com/lists/oss-security/2012/04/07/1 http://www.securityfocus.com/bid/51385 • CWE-352: Cross-Site Request Forgery (CSRF) •