450 matches found
OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027
This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created. The module doesn't sufficiently validate the uniqueness of certain...
DRUPAL-CONTRIB-2026-016
This module integrates with Islandora, an open-source digital asset management DAM framework. Islandora integrates with various open-source services, which can be run in a distributed environment. The module doesn't sufficiently sanitize URI paths for its custom route used for attaching media to...
Responsive Favicons - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-019
This module adds the favicons generated by realfavicongenerator.net to your Drupal site. The module does not filter administrator-entered text, leading to a persistent Cross-site scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...
PT-2026-22090
Name of the Vulnerable Software and Affected Versions Drupal Responsive Favicons versions prior to 2.0.2 Description A flaw exists in the Drupal Responsive Favicons module where administrator-entered text is not properly filtered, leading to a Cross-Site Scripting XSS issue. An attacker must...
PT-2026-22089
Name of the Vulnerable Software and Affected Versions Drupal SAML SSO - Service Provider versions prior to 3.1.3 Description The Drupal SAML SSO - Service Provider module does not properly sanitize user input, leading to a reflected Cross-Site Scripting XSS issue. This allows attackers to inject...
SAML SSO - Service Provider - Critical - Cross-site scripting - SA-CONTRIB-2026-018
This module enables you to perform SAML protocol-based single sign-on SSO on a Drupal site. The module doesn't sufficiently sanitize user input, leading to a reflected Cross-site scripting XSS vulnerability...
CVE-2026-0948
The CVE-2026-0948 vulnerability affects the Drupal Microsoft Entra ID SSO Login module for Drupal, where insufficient validation of responses from the Microsoft Entra ID service allows an authentication bypass. This can lead to complete account takeover of any user, including site administrators,...
DRUPAL-CONTRIB-2026-008
The Login Disable module prevents users from logging in to your Drupal site unless they know the access key to add to the end of the login form page. default: If they provide the access key and have a specific role they can log in. The module does not check for the access key when using the HTTP...
PT-2026-6344
The Login Disable module prevents users from logging in to your Drupal site unless they know the access key to add to the end of the login form page. default: If they provide the access key and have a specific role they can log in. The module does not check for the access key when using the HTTP...
Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008
The Login Disable module prevents users from logging in to your Drupal site unless they know the access key to add to the end of the login form page. default: http://example.com/user/login?admin If they provide the access key and have a specific role they can log in. The module does not check for...
CVE-2025-13986
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass.This issue affects Disable Login Page: from 0.0.0 before 1.1.3...
PT-2026-5243
Name of the Vulnerable Software and Affected Versions Drupal Central Authentication System CAS Server versions prior to 2.0.3 Drupal Central Authentication System CAS Server versions 2.1.0 through 2.1.1 Description The Central Authentication System CAS Server module for Drupal does not adequately...
DRUPAL-CONTRIB-2026-005
This module enables Drupal sites to authenticate users via Microsoft Entra ID formerly Azure AD using OAuth 2.0. The module doesn't sufficiently validate API responses from Microsoft allowing complete account takeover of any user, including site administrators, without requiring any credentials o...
DRUPAL-CONTRIB-2026-002
This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the "administer permissions" permission. The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. A user...
Microsoft Entra ID SSO Login - Critical - Access bypass - SA-CONTRIB-2026-005
This module enables Drupal sites to authenticate users via Microsoft Entra ID formerly Azure AD using OAuth 2.0. The module doesn't sufficiently validate API responses from Microsoft allowing complete account takeover of any user, including site administrators, without requiring any credentials o...
PT-2026-3747
Name of the Vulnerable Software and Affected Versions Drupal Microsoft Entra ID SSO Login versions prior to 1.0.4 Description The Microsoft Entra ID SSO Login module for Drupal does not properly validate responses received from the Microsoft Entra ID service. This insufficient validation can lead...
CVE-2009-4516
Cross-site scripting XSS vulnerability in the FAQ Ask module 5.x and 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...
CVE-2009-4534
Open redirect vulnerability in the FAQ Ask module 5.x and 6.x before 6.x-2.0, a module for Drupal, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors...
CVE-2009-4514
Cross-site scripting XSS vulnerability in the OpenSocial Shindig-Integrator module 5.x and 6.x before 6.x-2.1, a module for Drupal, allows remote authenticated users, with "create application" privileges, to inject arbitrary web script or HTML via unspecified vectors...
CVE-2009-4520
The CCK Comment Reference module 5.x before 5.x-1.2 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to bypass intended access restrictions and read comments by using the autocomplete path...