82 matches found

Drupal
added 2020/04/15 12:0 a.m. | 8 views

JSON:API - Critical - Unsupported - SA-CONTRIB-2020-010

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities. The security team and module maintainers are marking this project unsupported. Both the 8.x-1.x and 8.x-2.x versions are unsupported, and users of either version are...

AI score: 5.6
Exploits: 0 | References: 9

NVD
added 2018/04/10 3:29 p.m. | 14 views

CVE-2014-1399

The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on referenced entities via unspecified vectors...

CVSS: 6.5 | AI score: 6.1 | EPSS: 0.00308
Exploits: 0 | References: 7

NVD
added 2018/04/10 3:29 p.m. | 15 views

CVE-2014-1398

The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on comment, user and node statistics properties via unspecified vectors...

CVSS: 6.5 | AI score: 6.1 | EPSS: 0.00384
Exploits: 0 | References: 7

Cvelist
added 2018/04/10 3:0 p.m. | 16 views

CVE-2014-1398

The entity wrapper access API in the Entity API module 7.x-1.x before 7.x-1.3 for Drupal might allow remote authenticated users to bypass intended access restrictions on comment, user and node statistics properties via unspecified vectors...

AI score: 6.1 | EPSS: 0.00384
Exploits: 0 | References: 7

CVE
added 2018/04/10 3:0 p.m. | 70 views

CVE-2014-1398

CVE-2014-1398 affects Drupal: the Entity API module (7.x-1.x) before 7.x-1.3 may let remote authenticated users bypass access restrictions on comment, user and node statistics properties via unspecified vectors. Connected documents confirm fixes in 7.x-1.3 (e.g., Fedora updates for drupal7-entity...

CVSS: 6.5 | AI score: 5.9 | EPSS: 0.00384
Exploits: 0 | References: 7 | Affected Software: 1

CVE
added 2018/04/10 3:0 p.m. | 55 views

CVE-2014-1400

CVE-2014-1400 affects Drupal’s Entity API module (7.x-1.x) before 7.x-1.3. The entity_access API flaw could allow remote authenticated users to bypass access restrictions and read unpublished comments via unspecified vectors. The issue has a published remediation: upgrade to 7.x-1.3. If exploitat...

CVSS: 6.5 | AI score: 5.9 | EPSS: 0.00384
Exploits: 0 | References: 7 | Affected Software: 1

CVE
added 2015/08/18 5:0 p.m. | 42 views

CVE-2015-5498

The Shipwire Drupal module 7.x-1.x is vulnerable (before 7.x-1.03) because it does not enforce the view permission for the shipments overview (admin/shipwire/shipments), allowing remote access to sensitive information. Affected: Shipwire 7.x-1.x prior to 7.x-1.03. Exploitation details are not pro...

CVSS: 5 | AI score: 6.3 | EPSS: 0.00319
Exploits: 0 | References: 4 | Affected Software: 1

Cvelist
added 2015/08/18 5:0 p.m. | 12 views

CVE-2015-5498

The Shipwire API module 7.x-1.x before 7.x-1.03 for Drupal does not check the view permission for the shipments overview (admin/shipwire/shipments), which allows remote attackers to obtain sensitive information via a request to the page...

AI score: 6.1 | EPSS: 0.00319
Exploits: 0 | References: 4

Drupal
added 2015/05/20 12:0 a.m. | 20 views

Shipwire - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-111

The Shipwire API module handles communication with the Shipwire shipping service. The Shipwire module doesn't check view permission for the shipments overview page when installed (admin/shipwire/shipments). Limited non-public information is displayed on the page. CVE identifiers issued CVE-2015-549...

CVSS: 5 | AI score: 6.3 | EPSS: 0.00319
Exploits: 0 | References: 10

NVD
added 2015/03/03 7:59 p.m. | 15 views

CVE-2015-2197

Cross-site scripting (XSS) vulnerability in the Entity API module before 7.x-1.6 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a field label in the Token API...

CVSS: 3.5 | AI score: 5.3 | EPSS: 0.00209
Exploits: 0 | References: 3

CNVD
added 2015/02/28 12:0 a.m. | 1 views

Drupal Entity API Module Field Label Cross-Site Scripting Vulnerability

Drupal is an open source content management platform. A cross-site scripting vulnerability exists in the Drupal Entity API module field labels due to the program failing to properly filter user-supplied input. An attacker could be allowed to exploit this vulnerability to steal cookie-based...

CVSS: 3.5 | AI score: 6.8 | EPSS: 0.00209
Exploits: 0 | References: 1

Prion
added 2014/07/19 6:55 p.m. | 7 views

Design/Logic Flaw

The Entity API module 7.x-1.x before 7.x-1.2 for Drupal, when using the (a) Views field or (b) area plugins, allows remote attackers to read restricted entities via the (1) field, (2) header, or (3) footer of a View. NOTE: this identifier was SPLIT from CVE-2013-4273 per ADT5 due to different researcher...

CVSS: 5 | AI score: 7.2 | EPSS: 0.00283
Exploits: 0 | References: 3 | Affected Software: 1

CVE
added 2014/07/19 6:0 p.m. | 40 views

CVE-2013-4273

The Drupal Entity API module (7.x-1.x) before 7.x-1.2 fails to properly enforce access restrictions for node comments when used with Views field/area plugins, allowing remote authenticated users to read restricted comments via a View (and is split from CVE-2013-4273’s View vector). The issue spec...

CVSS: 4 | AI score: 6.2 | EPSS: 0.00199
Exploits: 0 | References: 3 | Affected Software: 1

CVE
added 2014/07/19 6:0 p.m. | 45 views

CVE-2013-7391

The vulnerability CVE-2013-7391 affects the Drupal contributed Entity API module (7.x-1.x) prior to 7.x-1.2. When using the Views field or area plugins, it allows remote attackers to read restricted entities via the View’s field, header, or footer. This is caused by insufficient access checks in ...

CVSS: 5 | AI score: 6.8 | EPSS: 0.00283
Exploits: 0 | References: 3 | Affected Software: 1

Cvelist
added 2014/07/19 6:0 p.m. | 14 views

CVE-2013-7391

The Entity API module 7.x-1.x before 7.x-1.2 for Drupal, when using the (a) Views field or (b) area plugins, allows remote attackers to read restricted entities via the (1) field, (2) header, or (3) footer of a View. NOTE: this identifier was SPLIT from CVE-2013-4273 per ADT5 due to different researcher...

AI score: 6.5 | EPSS: 0.00283
Exploits: 0 | References: 3

ATTACKERKB
added 2013/11/04 4:55 p.m. | 0 views

CVE-2013-5559

Buffer overflow in the Active Template Library (ATL) framework in the VPNAPI COM module in Cisco AnyConnect Secure Mobility Client 2.x allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document, aka Bug ID CSCuj58139...

CVSS: 6.8 | AI score: 6.2 | EPSS: 0.01865
Exploits: 0 | References: 2

NVD
added 2013/03/27 9:55 p.m. | 12 views

CVE-2013-0181

Cross-site scripting (XSS) vulnerability in Views in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal, when using certain backends and facets, allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message...

CVSS: 2.6 | AI score: 5.8 | EPSS: 0.00503
Exploits: 0 | References: 8

Prion
added 2013/03/27 9:55 p.m. | 11 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in Views in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal, when using certain backends and facets, allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message...

CVSS: 2.6 | AI score: 6.2 | EPSS: 0.00503
Exploits: 0 | References: 8 | Affected Software: 1

Prion
added 2012/12/03 9:55 p.m. | 13 views

Cross site request forgery (csrf)

Multiple cross-site request forgery (CSRF) vulnerabilities in the Search API module 7.x-1.x before 7.x-1.3 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable a server via a server action or (2) enable a search index via an enable index action...

CVSS: 6.8 | AI score: 7.7 | EPSS: 0.00126
Exploits: 0 | References: 3 | Affected Software: 1

CVE
added 2012/06/27 12:0 a.m. | 40 views

CVE-2012-2712

CVE-2012-2712 affects Drupal’s Search API module (7.x-1.x) up to version 7.x-1.1. The issue is a failure to sufficiently sanitize user input when throwing exceptions or logging errors, enabling remote attackers to inject arbitrary scripts via crafted URLs. Impact is cross-site scripting (XSS) in ...

CVSS: 2.6 | AI score: 5.8 | EPSS: 0.00528
Exploits: 1 | References: 8 | Affected Software: 1