
13 matches found

CNVD
added 2015/11/19 12:0 a.m. | views: 1

Drupal UC Profile Module Information Disclosure Vulnerability

Drupal is a free, open source content management system developed in PHP and maintained by the Drupal community. UC Profile is one of the modules used to create and configure user profiles and files. An information disclosure vulnerability exists in the Drupal UC Profile module in versions 6.x-1.x...

CVSS 4.3 | AI score 6.3 | EPSS 0.0025
Exploits: 0 | References: 1
Drupal
added 2015/03/25 12:0 a.m. | views: 10

Petition - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-081

The Petition module enables you to create petitions which users may sign. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role...

CVSS 2.1 | AI score 6 | EPSS 0.00209
Exploits: 0 | References: 9
ATTACKERKB
added 2015/02/26 3:59 p.m. | views: 2

CVE-2015-2087

Unrestricted file upload vulnerability in the Avatar Uploader module before 6.x-1.3 for Drupal allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via unspecified vectors...

CVSS 6.5 | AI score 6.2 | EPSS 0.00442
Exploits: 0 | References: 4
Drupal
added 2013/12/04 12:0 a.m. | views: 18

SA-CONTRIB-2013-097 - OG Features - Access bypass

This module enables you to enable and disable bundles of functionality for individual Organic groups. In order to provide this functionality, this module must override all menu callbacks available in the system, in order to delegate access based on the current Organic group you are contextually i...

CVSS 5.8 | AI score 6.1 | EPSS 0.00262
Exploits: 0 | References: 12
seebug.org
added 2013/06/26 12:0 a.m. | views: 33

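Drupal Login Security Module Security Bypass Vulnerability

Bugtraq ID: 60683. Drupal is a development-oriented CMF (content management framework) written in PHP, and Drupal Login Security is a login security module for Drupal. The Drupal Login Security module has a security vulnerability when 'soft blocking' is disabled: because the module uses string filtering incorrectly, it can end up ignoring all checks. Affected: Drupal Login Security 6.x-1.x, Drupal Login Security 7.x-1.x. Vendor solution: Drupal Login Security 6.x-1.3 and 7.x-1.3 fix this vulnerability; users are advised to download the update:...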

AI score 7.1
Exploits: 0
Drupal
added 2012/11/28 12:0 a.m. | views: 17

SA-CONTRIB-2012-169 - Email Field - Cross Site Scripting and Access bypass

The email module provides a field type CCK / FieldAPI for storing email addresses and a formatter to output the email address as a link to a contact form. The contact form formatter allows a site visitor to email the stored address without letting them see what that e-mail address is. Access bypa...

AI score 5.9
Exploits: 0 | References: 10
Drupal
added 2012/05/30 12:0 a.m. | views: 9

SA-CONTRIB-2012-090 - File depot - Session Management Vulnerability

The filedepot module is a Document Management module. It fulfills the need for an integrated file management module supporting role and user based security. Documents can be saved outside the Drupal public directory to protect documents for safe access and distribution. The module has a Session...

CVSS 5.1 | AI score 6.4 | EPSS 0.00415
Exploits: 0 | References: 10
Drupal
added 2011/03/16 12:0 a.m. | views: 13

SA-CONTRIB-2011-013 - Tagadelic - Cross Site Scripting (XSS)

Tagadelic module offers various ways to display terms and vocabularies in a tag cloud on a page or in a block. The module does not sanitize the taxonomy vocabulary names and descriptions when displayed on listing pages or blocks, leading to a Cross-Site Scripting (XSS) vulnerability that may lead t...

AI score 5.9
Exploits: 0 | References: 10
Drupal
added 2011/02/02 12:0 a.m. | views: 10

SA-CONTRIB-2011-006 - Flag Page - Cross Site Scripting (XSS)

The contributed flag page module provides an additional flag type to allow you to flag pages so you can bookmark any URL on your site including views, panels, administration pages or site contact page. The module does not sanitize the flag titles when displayed in blocks, leading to a Cross-Site...

AI score 5.9
Exploits: 0 | References: 10
Drupal
added 2010/02/17 12:0 a.m. | views: 9

SA-CONTRIB-2010-018 - Content Distribution - Multiple Vulnerabilities

Content Distribution module allows calling a method to delete particular nodes using an XML-RPC call. When this method is allowed to be called by anonymous users in user permissions, an attacker might delete a random node. In addition, certain actions require Content Distribution to temporarily...

AI score 6.9
Exploits: 0 | References: 4
securityvulns
added 2010/01/17 12:0 a.m. | views: 53

XSS Vulnerability in Drupal's Node Blocks contributed module (6.x-1.3 and 5.x-1.1)

XSS Vulnerability in Drupal's Node Blocks contributed module 6.x-1.3 and 5.x-1.1. Discovered by Martin Barbella [email protected]. Description of Vulnerability: Drupal is a free software package that allows an individual or a community of users to easily publish,...

AI score 5.5
Exploits: 0
CVE
added 2010/01/04 9:0 p.m. | views: 41

CVE-2009-4559

CVE-2009-4559 is a Cross-site Scripting (XSS) vulnerability in Drupal’s Submitted By module for the 6.x branch up to version 6.x-1.3. The issue allows remote authenticated users who have "administer content types" privileges to inject arbitrary script or HTML via the text entered in the "submitte...

CVSS 3.5 | AI score 5.5 | EPSS 0.00162
Exploits: 0 | References: 3 | Affected Software: 1
ATTACKERKB
added 2008/06/18 10:41 p.m. | views: 2

CVE-2008-2773

Cross-site scripting (XSS) vulnerability in the Taxonomy Image module 5.x before 5.x-1.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...

CVSS 4.3 | AI score 5.7 | EPSS 0.00285
Exploits: 0 | References: 5