CVE-2021-21438 – FAQ articles are shown to users without permission
https://notcve.org/view.php?id=CVE-2021-21438
Agents are able to see linked FAQ articles without permissions (defined in FAQ Category). This issue affects: FAQ version 6.0.29 and prior versions, OTRS version 7.0.24 and prior versions. Los agentes pueden ser capaces de visualizar artículos de FAQ vinculados sin permisos (definidos en la categoría FAQ). Este problema afecta a: FAQ versión 6.0.29 y anteriores, OTRS versión 7.0.24 y anteriores • https://otrs.com/release-notes/otrs-security-advisory-2021-08 • CWE-264: Permissions, Privileges, and Access Controls CWE-276: Incorrect Default Permissions •
CVE-2012-1646
https://notcve.org/view.php?id=CVE-2012-1646
Multiple cross-site scripting (XSS) vulnerabilities in the FAQ module 6.x-1.x before 6.x-1.13 and 7.x-1.x-rc1 for Drupal allow remote authenticated users to inject arbitrary web script or HTML via the (1) title parameter in faq.admin.inc or (2) detailed_question parameter in faq.module. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en el módulo FAQ v6.x-1.x antes de v6.x-1.13 y v7.x-1.x-rc1 para Drupal, permite a usuarios autenticados remotamente inyectar secuencias de comandos web o HTML a través del parámetro (1) title en faq.admin.inc o (2) el parámetro detailed_question en faq.module. • http://drupal.org/node/1451194 http://drupalcode.org/project/faq.git/blobdiff/2991dd94e70a2881571a4b777645f4dcc42c1f10..912f1d2:/faq.module http://drupalcode.org/project/faq.git/blobdiff/525fb85e5a43cb6cfe3028aa88eaf8a6e40548d5..f381756:/faq.admin.inc http://drupalcode.org/project/faq.git/commit/912f1d2 http://drupalcode.org/project/faq.git/commit/f381756 http://osvdb.org/79466 http://secunia.com/advisories/48131 http://www.openwall.com/lists/oss-security/2012/04/07/1 http://www.securityfocus. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •