CVSS: 5.0EPSS: 0%CPEs: 31EXPL: 0CVE-2010-2352
https://notcve.org/view.php?id=CVE-2010-2352
The Node Reference module in Content Construction Kit (CCK) module 5.x before 5.x-1.11 and 6.x before 6.x-2.7 for Drupal does not perform access checks before displaying referenced nodes, which allows remote attackers to read controlled nodes. El módulo "Node Reference" (referencia de nodo) en el módulo "Content Construction Kit" (CCK o kit de construcción de contenido) v5.x en versiones anteriores a la v5.x-1.11 y v6.x en versiones anteriores a la v6.x-2.7 para Drupal no realiza comprobaciones de acceso antes de mostrar los nodos referenciados, lo que permite a atacantes remotos leer los nodos controlados. • http://drupal.org/node/829566 http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043100.html http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043172.html http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043191.html http://osvdb.org/65615 http://secunia.com/advisories/40243 http://secunia.com/advisories/40318 http://www.vupen.com/english/advisories/2010/1546 https://exchange.xforce.ibmcloud.com/vulnerabilities/59515 • CWE-20: Improper Input Validation •
CVSS: 3.5EPSS: 0%CPEs: 12EXPL: 0CVE-2008-6972
https://notcve.org/view.php?id=CVE-2008-6972
Multiple cross-site scripting (XSS) vulnerabilities in Drupal Content Construction Kit (CCK) 5.x through 5.x-1.8 allow remote authenticated users with "administer content" permissions to inject arbitrary web script or HTML via the (1) "field label," (2) "help text," or (3) "allowed values" settings. Vulnerabilidad múltiple de ejecución de secuencias de comandos en sitios cruzados - XSS - en Drupal Content Construction Kit (CCK) v5.x hasta v5.x-1.8 permite a los usuarios remotos autenticados con permisos "administrar contenido" inyectar arbitrariamente una secuencia de comandos web o HTML a través de los parámetros (1) "field label," (2) "help text," o (3) "allowed values". • http://drupal.org/node/304093 http://osvdb.org/47929 http://secunia.com/advisories/31757 http://www.securityfocus.com/bid/31027 https://exchange.xforce.ibmcloud.com/vulnerabilities/44915 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •