
10 matches found

Drupal
added 2015/11/04 12:0 a.m. | 24 views

Login Disable - Access Bypass - Moderately Critical - SA-CONTRIB-2015-162

This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page. The Login Disable module doesn't support other contributed user authentication modules like CAS or URL Login. When combined with...

7.5 CVSS | 6.4 AI score | 0.01645 EPSS
Exploits: 0 | References: 8
Drupal
added 2015/02/25 12:0 a.m. | 14 views

SA-CONTRIB-2015-054 - SMS Framework - Cross Site Scripting (XSS)

SMS Framework module enables you to send and receive SMS messages from and into Drupal. The module doesn't sufficiently sanitize user supplied text in message previews, thereby exposing a reflected Cross Site Scripting vulnerability. An attacker could exploit this vulnerability by getting the...

2.6 CVSS | 6 AI score | 0.01178 EPSS
Exploits: 0 | References: 9
Drupal
added 2011/08/03 12:0 a.m. | 16 views

SA-CONTRIB-2011-032 - Mail Logger - Cross Site Scripting

The Mail Logger module logs all outgoing e-mails and provides users with the "access mail logger" permission to view logged e-mails. The module does not sanitize the log output of addressee information, subject, and body, leading to a Cross-Site Scripting (XSS) vulnerability that may lead to a...

5.8 AI score
Exploits: 0 | References: 12
Drupal
added 2011/06/08 12:0 a.m. | 14 views

SA-CONTRIB-2011-024 - Spam - Cross Site Request Forgery (CSRF)

The Spam module provides numerous tools to auto-detect and deal with spam content that is posted to your site, without having to rely on third-party services. The Spam module provides a trainable Bayesian filter, automatic learning of spammer URLs, flagging of content with an excessive number of...

6.7 AI score
Exploits: 0 | References: 9
Drupal
added 2011/04/06 12:0 a.m. | 12 views

SA-CONTRIB-2011-016 - Node Quick Find - Information Disclosure

The Node Quick Find module provides a block to quickly access nodes by title via an auto-completing text field. The module does not use db_rewrite_sql when generating the list of node titles, allowing users to see the titles of nodes to which they may not have access. Access to the node itself is n...

7.1 AI score
Exploits: 0 | References: 9
Drupal
added 2010/07/14 12:0 a.m. | 12 views

SA-CONTRIB-2010-074 - Drupad - Cross-site request forgery

The Drupad module is the companion module of the iPhone / iPodTouch application also called Drupad. The module doesn't check if the incoming request is made from the application, leading to a CSRF vulnerability. This vulnerability can be used to delete users and content, or set the site in offline mo...

7 AI score
Exploits: 0 | References: 5
Drupal
added 2010/03/31 12:0 a.m. | 13 views

SA-CONTRIB-2010-032 - Taxonomy Breadcrumb - Cross Site Scripting (XSS)

The Taxonomy Breadcrumb module generates taxonomy-based breadcrumbs on node pages and taxonomy/term pages. This module does not properly sanitize taxonomy term names and, for 6.x, node titles when displayed in breadcrumbs, leading to a Cross Site Scripting (XSS) vulnerability. XSS vulnerabilities ma...

5.6 AI score
Exploits: 0 | References: 7
Drupal
added 2009/11/04 12:0 a.m. | 8 views

SA-CONTRIB-2009-092 - S5 Presentation Player Cross Site Scripting

The S5 Presentation Player module enables the creation of an S5 slideshow using content from the site. The module does not properly sanitize user supplied text it includes in the HTML HEAD section, leading to a cross-site scripting (XSS) vulnerability. Such an attack may lead to a malicious user...

5.9 AI score
Exploits: 0 | References: 6
Drupal
added 2009/05/13 12:0 a.m. | 10 views

SA-CONTRIB-2009-028 - Feed Block - Cross Site Scripting

The Feed Block module creates a block with one external syndicated article for each feed source from a selected feed category. Feed Block doesn't properly escape aggregator items, allowing users with the administer news feeds permission to inject arbitrary code into the site. Such a cross site scripting...

6.3 AI score
Exploits: 0 | References: 6
Drupal
added 2009/03/25 12:0 a.m. | 14 views

SA-CONTRIB-2009-015 - Tokenauth - Access bypass

The Token authentication module allows access to RSS feeds via a token without having to provide your username and password to the site. Token authentication did not properly use the Drupal Form API, which would allow a malicious user to learn the site administrator's token, giving them the ability...

7.2 AI score
Exploits: 0 | References: 5