DRUPAL-CONTRIB-2024-044

This module enables users to remain logged in separately from session timeouts. The module doesn't sufficiently check a user's disabled status when validating cookies. This vulnerability is mitigated by the fact that an attacker must have an unexpired cookie from a previous successful login...

Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. The module does not sufficiently migrate sessions before prompting for a second factor token. This vulnerability is mitigated by the fact that an attacker must fixat...

Diff - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-042

This module adds a tab for sufficiently permissioned users. The tab shows all revisions like standard Drupal but it also allows pretty viewing of all added/changed/deleted words between revisions. The module doesn't sufficiently check revision access before rendering a diff report for 1 nodes or ...

Drupal Persistent Login module < 1.8.0,2.2.0-2.2.1,2.0,2.1 - Authenticated Broken Access Control vulnerability

Authenticated Broken Access Control vulnerability discovered by Geoff Appleby in WordPress Module Persistent Login versions 1.8.0,2.2.0-2.2.1,2.0,2.1...

VulnCheck KEV: CVE-2014-8379

Multiple cross-site scripting XSS vulnerabilities in the Marketo MA module before 7.x-1.5 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to field titles to the 1 Webform or 2 User sub-modules...

Drupal Smart IP Ban module < 7.x-1.1 - Unauthenticated Broken Access Control vulnerability

Unauthenticated Broken Access Control vulnerability discovered by Shawn Gants in WordPress Module Smart IP Ban versions 7.x-1.1...

DRUPAL-CONTRIB-2024-036

This module enables field collections to be displayed as tables. It supports display suite and field permissions and provides operations modify, delete, duplicate. This module has multiple vulnerabilities due to the requirements on the routes it provides not being restrictive enough. Information...

DRUPAL-CONTRIB-2024-035

This module enables you to "clone" a content entity, i.e. to create a new content pre-filled with data from another entity of the same type and bundle. The module doesn't properly check the user access to the original entity, allowing users to create a new entity they have permission to create...

DRUPAL-CONTRIB-2024-034

This module enables you to configure a wiki-like input filter that allows users to create links to site and external content. The module doesn't sufficiently check if a user has access to some URLs before rendering them as links. This vulnerability is mitigated by the fact that an attacker must...

Responsive and off-canvas menu - Moderately critical - Access bypass - SA-CONTRIB-2024-030

This module integrates the mmenu library with Drupal's menu system with the aim of having an off-canvas mobile menu and a horizontal menu at wider widths. The module doesn't respect custom node access restrictions implemented through hookENTITYTYPEaccess hooks meaning the titles of restricted nod...

Drupal Opigno TinCan Question Type module < 7.x-1.3 - Authenticated Remote Code Execution (RCE) vulnerability

Authenticated Remote Code Execution RCE vulnerability discovered by Juraj Nemec in WordPress Module Opigno TinCan Question Type versions 7.x-1.3...

DRUPAL-CONTRIB-2024-026

The View Password module enables you to add a help icon button next to the password input field to toggle the password visibility. The administrative user is allowed to add classes to this icon for styling purposes. The module doesn't validate the content of classes. A malicious user with access ...

Drupal View Password module < 6.0.4 - Administrator+ Cross Site Scripting (XSS) vulnerability

Administrator+ Cross Site Scripting XSS vulnerability discovered by Ide Braakman in WordPress Module View Password versions 6.0.4...

DRUPAL-CONTRIB-2024-025

Acquia DAM provides a connection to a third-party asset management system, allowing for images to be managed, linked to, and viewed from Drupal. In order for assets to be managed in Drupal, a site administrator must first authenticate the site to their DAM instance. The module doesn't sufficientl...

Drupal Drupal REST & JSON API Authentication module < 2.0.13 - Authenticated Broken Access Control vulnerability

Authenticated Broken Access Control vulnerability discovered by Arek Suchecki in WordPress Module Drupal REST & JSON API Authentication versions 2.0.13...

DRUPAL-CONTRIB-2024-020

The Email Contact module provides email field display formatters that can display the field as a link to the contact form, or as an inline contact form. The module does not sufficiently handle restricted entity or field access to the mail sending form, when the "Email contact link" formatter is...

Drupal RESTful Web Services module < 7.x-2.10 - Unauthenticated Broken Access Control vulnerability

Unauthenticated Broken Access Control vulnerability discovered by Fran Garcia-Linares in WordPress Module RESTful Web Services versions 7.x-2.10...

DRUPAL-CONTRIB-2024-014

The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions. This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations...

DRUPAL-CONTRIB-2024-012

This module gives each node a 'private' checkbox. If it's set, the node can only be seen by the node author, or users with the 'access private content' permission. The module incorrectly grants access to private nodes under certain specific circumstances. This vulnerability is mitigated by the fa...

DRUPAL-CONTRIB-2024-010

This module provides an alternative mean of rebuilding the Content Access table. The module doesn't sufficiently reset the state of content access when the module is uninstalled...