CVSS: 9.8EPSS: 0%CPEs: 39EXPL: 0CVE-2013-4445
https://notcve.org/view.php?id=CVE-2013-4445
07 Dec 2013 — The json rendering functionality in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal uses Drupal's token scheme to restrict access to blocks, which makes it easier for remote authenticated users to guess the access token for a block by leveraging the token from a block to which the user has access. La funcionalidad de renderización de json en el módulo Context 6.x-2.x anteriores a 6.x-3.2 y 7.x-3.x anteriores a 7.x-3.0 para Drupal utiliza el esquema de tokens de Drupal para re... • http://lists.fedoraproject.org/pipermail/package-announce/2013-November/121433.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 1%CPEs: 39EXPL: 0CVE-2013-4446
https://notcve.org/view.php?id=CVE-2013-4446
07 Dec 2013 — The _json_decode function in plugins/context_reaction_block.inc in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal, when using a version of PHP that does not support the json_decode function, allows remote attackers to execute arbitrary PHP code via unspecified vectors related to Ajax operations, possibly involving eval injection. La función _json_decode en plugins/context_reaction_block.inc en el módulo Context 6.x-2.x anteriores a 6.x-3.2 y 7.x-3.x anteriores a 7.x-3.0 para... • http://drupalcode.org/project/context.git/commitdiff/63ef4d9 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 24EXPL: 1CVE-2012-5655
https://notcve.org/view.php?id=CVE-2012-5655
03 Jan 2013 — The Context module 6.x-3.x before 6.x-3.1 and 7.x-3.x before 7.x-3.0-beta6 for Drupal does not properly restrict access to block content, which allows remote attackers to obtain sensitive information via a crafted request. El módulo Context v6.x-3.x antes de v6.x-3.1 y v7.x-3.x antes de v7.x-3.0-beta6 para Drupal no restringe adecuadamente el acceso para bloquear el contenido, lo que permite a atacantes remotos obtener información sensible a través de una petición modificada. • http://drupal.org/node/1870550 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.4EPSS: 0%CPEs: 13EXPL: 1CVE-2010-1584
https://notcve.org/view.php?id=CVE-2010-1584
18 May 2010 — Cross-site scripting (XSS) vulnerability in the Context module before 6.x-2.0-rc4 for Drupal allows remote authenticated users, with Administer Blocks privileges, to inject arbitrary web script or HTML via a block description. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el módulo Context anterior a v6.x-2.0-rc4 para Drupal permite a usuarios autenticados remotamente, con privilegios "Administer Blocks", inyectar código web o HTML a través de una descripción "block". • http://crackingdrupal.com/blog/greggles/mitigation-against-cve-2010-1584-drupal-context-module-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •