
453 matches found

OSV
added 2025/09/24 5:16 p.m. · 4 views

DRUPAL-CONTRIB-2025-106

This module enables you to store and display JSON data using optional 3rd party libraries. The module doesn't sufficiently filter data using some of the included field formatters, leading to a Cross-site Scripting (XSS) vulnerability...

6.1 CVSS · 6.3 AI score · 0.00184 EPSS
Exploits 0 · References 1
Drupal
added 2025/09/24 12:0 a.m. · 12 views

Reverse Proxy Header - Less critical - Access bypass - SA-CONTRIB-2025-111

This module allows you to specify an HTTP header name to determine the client's IP address. The module doesn't sufficiently handle all cases under the scenario where the Drupal Core setting $settings['reverse_proxy'] is set to TRUE and $settings['reverse_proxy_addresses'] is configured. This vulnerability...

5.3 CVSS · 5.6 AI score · 0.00276 EPSS
Exploits 0 · References 2
Patchstack
added 2025/09/24 12:0 a.m. · 9 views

Drupal Access code module < 2.0.5 - Authenticated Broken Access Control vulnerability

Authenticated Broken Access Control vulnerability discovered by Pierre Rudloff (prudloff) in WordPress Module Access code versions 2.0.5...

6.3 CVSS · 7.2 AI score · 0.00225 EPSS
Exploits 0 · Affected Software 1
OSV
added 2025/09/03 4:15 p.m. · 4 views

DRUPAL-CONTRIB-2025-105

This module enables you to connect a Drupal site to the Acquia DAM service, which syncs media from the third party service to the site. The module doesn't sufficiently validate authorization to a list of DAM assets currently synced to the website creating an access bypass vulnerability. This...

7.5 CVSS · 6.6 AI score · 0.0028 EPSS
Exploits 0 · References 1
OSV
added 2025/08/27 5:19 p.m. · 5 views

DRUPAL-CONTRIB-2025-100

This module enables you to easily create and manage faceted search interfaces. The module doesn’t sufficiently filter certain user-provided text, leading to a cross-site scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permissio...

6.1 CVSS · 5.9 AI score · 0.00177 EPSS
Exploits 0 · References 1
Tenable Nessus
added 2025/08/19 12:0 a.m. · 4 views

Linux Distros Unpatched Vulnerability : CVE-2020-13677

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass...

7.5 CVSS · 7.3 AI score · 0.01037 EPSS
Exploits 0 · References 2
Vulnrichment
added 2025/08/15 4:27 p.m. · 4 views

CVE-2025-8362 GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal GoogleTag Manager allows Cross-Site Scripting (XSS). This issue affects GoogleTag Manager: from 0.0.0 before 1.10.0...

6.1 AI score · 0.00217 EPSS
Exploits 0 · References 1
Cvelist
added 2025/08/15 4:27 p.m. · 8 views

CVE-2025-8362 GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal GoogleTag Manager allows Cross-Site Scripting (XSS). This issue affects GoogleTag Manager: from 0.0.0 before 1.10.0...

0.00217 EPSS
Exploits 0 · References 1
Drupal
added 2025/08/13 12:0 a.m. · 37 views

Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096

This module enables users to set up two-factor authentication (2FA) using authenticator apps for enhanced login security. The module alters the standard Drupal login form to use AJAX callbacks for handling authentication flow. The module doesn't sufficiently validate authentication under specific...

9.8 CVSS · 7.1 AI score · 0.00492 EPSS
Exploits 0 · References 2
OSV
added 2025/07/30 4:30 p.m. · 5 views

DRUPAL-CONTRIB-2025-093

This module enables you to access an edit page for a config page. The module doesn't sufficiently check the access permissions (hook_ENTITY_TYPE_access wasn't taken into account). This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit ID config page" an...

7.6 CVSS · 6.7 AI score · 0.00253 EPSS
Exploits 0 · References 1
Patchstack
added 2025/07/30 12:0 a.m. · 6 views

Drupal GoogleTag Manager module < 1.10.0 - Authenticated Cross Site Scripting (XSS) vulnerability

Authenticated Cross Site Scripting (XSS) vulnerability discovered by Pierre Rudloff (prudloff) in WordPress Module GoogleTag Manager versions 1.10.0...

6.1 CVSS · 6.1 AI score · 0.00217 EPSS
Exploits 0 · References 1 · Affected Software 1
Drupal
added 2025/07/30 12:0 a.m. · 16 views

GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094

This module enables you to integrate Google Tag Manager (GTM) into your Drupal site by allowing administrators to configure and embed GTM container snippets. The module doesn't sufficiently sanitize the GTM container ID under the scenario where a user with the Administer gtm permission enters...

6.1 CVSS · 6.8 AI score · 0.00217 EPSS
Exploits 0 · References 1
Patchstack
added 2025/07/23 12:0 a.m. · 7 views

Drupal COOKiES Consent Management module < 1.2.16 - Authenticated Cross Site Scripting (XSS) vulnerability

Authenticated Cross Site Scripting (XSS) vulnerability discovered by Pierre Rudloff (prudloff) in WordPress Module COOKiES Consent Management versions 1.2.16...

7.6 CVSS · 6.1 AI score · 0.00274 EPSS
Exploits 0 · References 1 · Affected Software 1
Patchstack
added 2025/07/16 12:0 a.m. · 9 views

Drupal Real-time SEO for Drupal module 2.0.0-2.1.0 - Unauthenticated Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) vulnerability discovered by Pierre Rudloff (prudloff) in WordPress Module Real-time SEO for Drupal versions 2.0.0-2.1.0...

6.1 CVSS · 6.1 AI score · 0.00227 EPSS
Exploits 0 · References 1 · Affected Software 1
Drupal
added 2025/07/16 12:0 a.m. · 15 views

Real-time SEO for Drupal - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-091

This module enables you to analyze the content that you're authoring for a website. It shows you a preview of what a search result might look like. The module doesn't sufficiently escape the metadata from content while rendering the preview, opening up the possibility of an XSS attack. This...

6.1 CVSS · 6.1 AI score · 0.00227 EPSS
Exploits 0 · References 2
OSV
added 2025/07/09 4:37 p.m. · 5 views

DRUPAL-CONTRIB-2025-088

This module enables users to log in by email address with minimal configuration. The module included some protection against brute force attacks on the login form; however, it was incomplete. An attacker could bypass the brute force protection, allowing them to potentially gain access to an...

9.8 CVSS · 6.8 AI score · 0.00464 EPSS
Exploits 0 · References 1
OSV
added 2025/07/09 4:37 p.m. · 4 views

DRUPAL-CONTRIB-2025-087

This module provides a format filter, which allows you to "disable" iframes (e.g. remove their src attribute) specified by the user. These elements will be enabled again once the Cookies banner is accepted. The module doesn't sufficiently filter user-supplied content when their value might contain...

6.1 CVSS · 6.2 AI score · 0.00227 EPSS
Exploits 0 · References 1
Positive Technologies
added 2025/06/26 12:0 a.m. · 6 views

PT-2025-26964 · Drupal · Enterprise Mfa - Tfa For Drupal

Name of the Vulnerable Software and Affected Versions: Enterprise MFA - TFA for Drupal versions 0.0.0 through 4.8.0 Enterprise MFA - TFA for Drupal versions 5.2.0 through 5.2.0 Enterprise MFA - TFA for Drupal versions 0.0.0 through 5.0. Enterprise MFA - TFA for Drupal versions 0.0.0 through 5.1...

4.8 CVSS · 7.6 AI score · 0.00204 EPSS
Exploits 0 · References 6
OSV
added 2025/06/25 6:42 p.m. · 7 views

DRUPAL-CONTRIB-2025-082

The module enables you to add second-factor authentication on top of the default Drupal login. The module does not sufficiently ensure that known authorization routes are protected. This vulnerability is mitigated by the fact that an attacker must obtain the user's username and password...

4.8 CVSS · 7 AI score · 0.00204 EPSS
Exploits 0 · References 1
OSV
added 2025/06/25 6:41 p.m. · 7 views

DRUPAL-CONTRIB-2025-078

The GLightbox module is a pure JavaScript lightbox for CKEditor. The module doesn't sufficiently filter user-supplied text for the GLightbox JavaScript library, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

6.1 CVSS · 6.1 AI score · 0.00183 EPSS
Exploits 0 · References 1