
CVSS: 5.0 | EPSS: 0% | CPEs: 23 | EXPL: 0

The Janrain Engage (formerly RPX) module for Drupal 6.x-1.x, 6.x-2.x before 6.x-2.2, and 7.x-2.x before 7.x-2.2 stores user profile data from Engage in session tables, which might allow remote attackers to obtain sensitive information by leveraging a separate vulnerability.

• http://drupal.org/node/1515114
• http://drupal.org/node/1515120
• http://drupal.org/node/1515282
• http://www.openwall.com/lists/oss-security/2012/04/10/12
• http://www.openwall.com/lists/oss-security/2012/05/03/1
• http://www.openwall.com/lists/oss-security/2012/05/03/2
• https://exchange.xforce.ibmcloud.com/vulnerabilities/74616
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

The Janrain Engage (formerly RPX) module 6.x-1.3 for Drupal does not validate the file for a profile image, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks and possibly execute arbitrary PHP code by causing a crafted avatar to be downloaded from an external login provider site.

• http://drupal.org/node/1033154
• http://osvdb.org/70623
• http://secunia.com/advisories/42980
• http://www.securityfocus.com/bid/45926
• https://exchange.xforce.ibmcloud.com/vulnerabilities/64847
• https://exchange.xforce.ibmcloud.com/vulnerabilities/64848
• CWE-20: Improper Input Validation