
CVSS: 5.0 • EPSS: 0% • CPEs: 35 • EXPL: 0

The Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal does not properly enforce permissions for (1) Recent forwards, (2) Most forwarded, or (3) Dynamic blocks, which allows remote attackers to obtain node titles via unspecified vectors.
• http://drupal.org/node/1423722 http://drupal.org/node/1425150 http://osvdb.org/78817 http://secunia.com/advisories/47851 http://www.securityfocus.com/bid/51826 https://exchange.xforce.ibmcloud.com/vulnerabilities/72920
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 6.0 • EPSS: 0% • CPEs: 35 • EXPL: 0

Cross-site request forgery (CSRF) vulnerability in the clickthrough tracking functionality in the Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of administrators for requests that increase node rankings via the tracking code, possibly related to improper "flood control."
• http://drupal.org/node/1423722 http://drupal.org/node/1425150 http://drupalcode.org/project/forward.git/commitdiff/72158fdbfbf5a068938985e3d10ce1d8f969d9c3 http://osvdb.org/78817 http://secunia.com/advisories/47851 http://www.securityfocus.com/bid/51826 https://exchange.xforce.ibmcloud.com/vulnerabilities/72922
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.0 • EPSS: 0% • CPEs: 12 • EXPL: 0

An administration page in the NGP COO/CWP Integration (crmngp) module 6.x before 6.x-1.12 for Drupal does not perform the expected access control, which allows remote attackers to read log information via unspecified vectors.
• http://drupal.org/node/623506 http://drupal.org/node/623546 http://osvdb.org/59677 http://secunia.com/advisories/37287 http://www.securityfocus.com/bid/36927 https://exchange.xforce.ibmcloud.com/vulnerabilities/54153
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 4.3 • EPSS: 0% • CPEs: 12 • EXPL: 0

Cross-site scripting (XSS) vulnerability in the NGP COO/CWP Integration (crmngp) module 6.x before 6.x-1.12 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified "user-supplied information."
• http://drupal.org/node/623506 http://drupal.org/node/623546 http://osvdb.org/59676 http://secunia.com/advisories/37287 http://www.securityfocus.com/bid/36927 https://exchange.xforce.ibmcloud.com/vulnerabilities/54151
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')