
CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

The Post Views Count WordPress plugin through 3.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

The Post Views Count plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
• https://wpscan.com/vulnerability/ad163020-8b9c-42cb-a55f-b137b224bafb
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.0 • EPSS: 0% • CPEs: 7 • EXPL: 0

The Administration Views module 7.x-1.x before 7.x-1.5 for Drupal checks access permissions based on the router path from the view instead of the display property, which allows remote attackers to obtain sensitive information via vectors related to the access handler.
• http://cgit.drupalcode.org/admin_views/commit/?id=44098bb
• http://www.securityfocus.com/bid/75697
• https://www.drupal.org/node/2529366
• https://www.drupal.org/node/2529378
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 4.9 • EPSS: 0% • CPEs: 13 • EXPL: 0

The Views Bulk Operations (VBO) module 6.x-1.x and 7.x-3.x before 7.x-3.3 for Drupal, when the bulk operation for changing Roles is enabled, allows remote authenticated users to edit user accounts and add arbitrary roles to the accounts by leveraging access to a user account listing view with VBO enabled.
• http://www.openwall.com/lists/oss-security/2015/07/04/4
• http://www.securityfocus.com/bid/75547
• https://www.drupal.org/node/2516680
• https://www.drupal.org/node/2516688
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 5.0 • EPSS: 0% • CPEs: 5 • EXPL: 1

The _views_fetch_data method in includes/cache.inc in the Views module 7.x-3.5 through 7.x-3.10 for Drupal does not rebuild the full cache if the static cache is not empty, which allows remote attackers to bypass intended filters and obtain access to hidden content via unspecified vectors.
• http://cgit.drupalcode.org/views/commit/?id=cef693b
• http://www.openwall.com/lists/oss-security/2015/07/04/4
• http://www.securityfocus.com/bid/74462
• https://www.drupal.org/node/2475669
• https://www.drupal.org/node/2480259
• https://www.drupal.org/node/2480327
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.0 • EPSS: 0% • CPEs: 5 • EXPL: 0

The Administration Views module 7.x-1.x before 7.x-1.4 for Drupal, when used with other unspecified modules, does not properly grant access to administration pages, which allows remote administrators to bypass intended restrictions via unspecified vectors.
• http://www.openwall.com/lists/oss-security/2015/07/04/4
• http://www.securityfocus.com/bid/75278
• https://www.drupal.org/node/2430043
• https://www.drupal.org/node/2507645
• CWE-264: Permissions, Privileges, and Access Controls