DRUPAL-CONTRIB-2023-008
This module enables you to associate Forums as Group 1.x content and use Group access permissions. Previous versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics...
DRUPAL-CONTRIB-2023-006
This module enables you to add social sharing buttons to a site. The module doesn't sufficiently sanitize the weight and ratio values entered in the module or block configuration. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks"...
DRUPAL-CONTRIB-2023-003
The Media Library Block module allows you to render a media entity in a block. The module does not properly check media access in some circumstances. This may result in unauthorized users including anonymous users seeing media items they are not authorized to access if a block containing a...
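The pattern the advisory above is about, as an added example (not code from the Media Library Block module): a block that renders a configured media entity must check entity access on the media item itself, not only block visibility, and must carry the access result's cacheability so that a cached render for one role is not served to anonymous users. The plugin id, the `media_id` setting and the `Drupal\example` namespace are assumptions.

```php
<?php
// Added example, not code from the Media Library Block module.
// Assumes a hypothetical block plugin "media_item_block" whose configuration
// holds the id of the media entity to render in the 'media_id' key.
namespace Drupal\example\Plugin\Block;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Block\BlockBase;
use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Session\AccountInterface;
use Drupal\media\MediaInterface;

/**
 * @Block(id = "media_item_block", admin_label = @Translation("Media item"))
 */
class MediaItemBlock extends BlockBase {

  public function build() {
    $build = [];
    $cache = new CacheableMetadata();
    $media = $this->loadMedia();
    if ($media) {
      // Carry the media entity's own cache tags so edits/unpublishing invalidate.
      $cache->addCacheableDependency($media);
      // Entity-level access check: the block may be placed in a region that
      // anonymous users can see while this particular item is unpublished or
      // otherwise restricted. Ask for the object so its cache contexts survive.
      $access = $media->access('view', NULL, TRUE);
      $cache->addCacheableDependency($access);
      if ($access->isAllowed()) {
        $build = \Drupal::entityTypeManager()
          ->getViewBuilder('media')
          ->view($media, 'default');
      }
    }
    // Apply tags/contexts/max-age even when $build is empty, so the "nothing
    // rendered" result is cached per the same contexts as the rendered one.
    $cache->applyTo($build);
    return $build;
  }

  protected function blockAccess(AccountInterface $account) {
    $media = $this->loadMedia();
    if (!$media) {
      return AccessResult::forbidden()->addCacheTags(['media_list']);
    }
    // Return the AccessResult object rather than a bare TRUE/FALSE: its cache
    // contexts (user.permissions, user, ...) are what keep the block from being
    // cached once and shown to everyone.
    return $media->access('view', $account, TRUE)->addCacheableDependency($media);
  }

  private function loadMedia(): ?MediaInterface {
    $id = $this->configuration['media_id'] ?? NULL;
    return $id ? \Drupal::entityTypeManager()->getStorage('media')->load($id) : NULL;
  }

}
```

The check to make when reviewing a block like this is whether `blockAccess()` and `build()` both consult `$media->access()` and both return cacheable metadata; a block that only checks block placement permissions, or that returns `TRUE`/`FALSE` from `blockAccess()`, will expose restricted media in exactly the way the advisory describes.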
DRUPAL-CONTRIB-2022-062
The Social Private Message module allows users on the platform to send private messages to each other. The module does not properly perform the correct access checks for certain operations...
DRUPAL-CONTRIB-2022-058
This module enables themers to get partial data from field render arrays. It gives them more control over the output without drilling deep into the render array or using preprocess functions. The module doesn't sufficiently apply access restrictions when using the filters field_label, field_value...
S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2022-057
This module enables you to utilize S3-compatible storage as a Drupal filesystem. The module doesn't sufficiently prevent file access across multiple filesystem schemes stored in the same bucket. This vulnerability is mitigated by the fact that an attacker must obtain a method to access arbitrary...
DRUPAL-CONTRIB-2022-055
This module enables you to restrict content via taxonomy terms and related permissions. The module doesn't sufficiently restrict cached content in certain circumstances. This vulnerability is mitigated by the fact that it only occurs when multiple entity types are enabled in the module...
DRUPAL-CONTRIB-2022-053
This module enables you to accept payments from the Elavon payment provider. The module doesn't sufficiently verify that it's communicating with the correct server when using the Elavon On-site payment gateway, which could lead to leaking valid payment details as well as accepting invalid payment...
DRUPAL-CONTRIB-2022-050
This module enables you to generate PDF versions of content. Some installations of the module make use of the dompdf/dompdf third-party dependency. Security vulnerabilities exist for versions of dompdf/dompdf before 2.0.0 as described in the 2.0.0 release notes...
DRUPAL-CONTRIB-2022-046
The Lottiefiles Field module enables you to integrate the lottiefiles features into your page. The module does not sufficiently filter user-provided text on output, resulting in a Cross-Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role...
DRUPAL-CONTRIB-2022-029
This module is used as part of the Opigno LMS distribution and implements learning paths for the LMS. The module was providing too much user information about users such as the list of groups a uid is in...
DRUPAL-CONTRIB-2022-023
This module enables you to manage and delete files. The module doesn't sufficiently protect unmanaged files from viewing: an unauthenticated user who knows the path of the view can visit it and attempt to delete files, which results in duplicate files being created. To mitigate this issue without...
DRUPAL-CONTRIB-2022-019
This module provides a stream wrapper for files located in the vendor directory. Even when the vendor directory is moved outside the webroot, it allows providing publicly accessible URLs to these files. The module exposes all files that are in the vendor directory, without a site owner's...
DRUPAL-CONTRIB-2022-006
Update 2022-03-01. New maintainers have volunteered for the project and created a new release which includes fixes for the 3 security issues that caused the module to be unsupported. The security team is marking this project unsupported. There is a known security issue with the project that has n...
DRUPAL-CONTRIB-2022-001
This module enables you to login with an email address. The module doesn't sufficiently check if a user account is active when using email login. This vulnerability is mitigated by the fact that an attacker must have an account in the website that is blocked...
DRUPAL-CONTRIB-2021-047
This module enables users to login via email address. This module does not sufficiently check user status when authenticating...
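The two email-login advisories above (SA-CONTRIB-2022-001 and SA-CONTRIB-2021-047 in the list) describe the same defect: resolving an email address to an account and then authenticating without checking that the account is active. As an added example (not code from either module), the lookup below refuses blocked accounts and the anonymous user before handing the username to Drupal's password check. The function names are assumptions; a real module would wire this into its login form validation handler.

```php
<?php
// Added example, not code from either email-login module in the advisories.
// Function names are hypothetical.
use Drupal\user\UserInterface;

/**
 * Resolve an email address to a username, refusing blocked accounts.
 *
 * Returns NULL when there is no single, active account for the address, so the
 * caller falls through to the normal "invalid credentials" path and does not
 * reveal whether the address exists or whether the account is blocked.
 */
function example_email_login_username(string $mail): ?string {
  $users = \Drupal::entityTypeManager()
    ->getStorage('user')
    ->loadByProperties(['mail' => $mail]);
  // Email is not guaranteed unique at the storage level; an ambiguous match
  // must not silently pick one account.
  if (count($users) !== 1) {
    return NULL;
  }
  /** @var \Drupal\user\UserInterface $user */
  $user = reset($users);
  // The missing check in the advisories: a blocked account (status = 0) must
  // not be able to authenticate. Core's login form enforces this on the
  // username path; an email lookup that bypasses that form has to do it too.
  if ($user->isAnonymous() || $user->isBlocked()) {
    return NULL;
  }
  return $user->getAccountName();
}

/**
 * Authenticate with email + password. Returns the uid on success, FALSE otherwise.
 */
function example_email_login(string $mail, string $password) {
  $name = example_email_login_username($mail);
  if ($name === NULL) {
    return FALSE;
  }
  // The user.auth service verifies the password hash against the stored one;
  // account status has already been enforced above.
  return \Drupal::service('user.auth')->authenticate($name, $password);
}
```

The status check belongs before the password check rather than after it: once `authenticate()` has returned a uid, it is easy for surrounding code (flood control, "last login" bookkeeping, a session finalizer) to treat the account as logged in before any later status test runs.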
DRUPAL-CONTRIB-2021-044
This module enables users to authenticate through their Microsoft Azure AD account. The module does not sufficiently check authorization before updating user profile information in certain non-default configurations. This could lead to a user being able to hijack another existing account. This...
Loft Data Grids - Moderately critical - XML External Entity (XXE) Processing - SA-CONTRIB-2021-043
This module enables aklump/loftdatagrids to be used as a Drupal module. Excel support was provided by https://packagist.org/packages/phpoffice/phpexcel, which is abandoned and there are known security vulnerabilities: CVE-2018-19277: PHPOffice/PhpSpreadsheet#771. Excel support has since been...
DRUPAL-CONTRIB-2021-040
This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. The module does not use CSRF tokens to protect routes for saving menu configurations. This vulnerability can be exploited by an anonymous user...
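Drupal's routing layer already provides CSRF protection for state-changing routes; the advisory above is about a module that did not opt into it. As an added example (not code from that module), the controller below shows the explicit form of the check using the `csrf_token` service, with the declarative route requirement noted in the docblock. The controller class, route name `example.menu_save` and `Drupal\example` namespace are assumptions.

```php
<?php
// Added example, not code from the module in the advisory. Controller name,
// route name and namespace are hypothetical.
namespace Drupal\example\Controller;

use Drupal\Core\Access\CsrfTokenGenerator;
use Drupal\Core\Controller\ControllerBase;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class MenuSaveController extends ControllerBase {

  public function __construct(private readonly CsrfTokenGenerator $csrfToken) {}

  public static function create(ContainerInterface $container) {
    return new static($container->get('csrf_token'));
  }

  /**
   * Token the menu editor page embeds (e.g. via drupalSettings) for its saves.
   *
   * The value binds the token to this operation: a token minted for some other
   * route or form does not validate here.
   */
  public function token(): string {
    return $this->csrfToken->get('example.menu_save');
  }

  /**
   * Saves menu configuration. State-changing, so it must be CSRF protected.
   *
   * Declarative alternative: put `_csrf_token: 'TRUE'` under `requirements:`
   * for the route in example.routing.yml and build links with Url::fromRoute();
   * Drupal then validates a ?token= query parameter bound to the route path.
   * For JavaScript callers, `_csrf_request_header_token: 'TRUE'` validates the
   * X-CSRF-Token header against the token served at /session/token.
   */
  public function save(Request $request): JsonResponse {
    $token = (string) $request->headers->get('X-CSRF-Token', '');
    if (!$this->csrfToken->validate($token, 'example.menu_save')) {
      // Fail closed; an anonymous or cross-site request never reaches the save.
      throw new AccessDeniedHttpException('Invalid CSRF token.');
    }
    $config = json_decode($request->getContent(), TRUE) ?: [];
    // ... validate and persist $config here ...
    return new JsonResponse(['status' => 'saved']);
  }

}
```

When auditing a contrib module for this class of issue, list every route whose controller writes configuration or entities and confirm each one either carries a `_csrf_token` / `_csrf_request_header_token` requirement, is a Form API form (which gets the token for free), or validates a token explicitly as above; a `GET` route that performs a save is a finding on its own, since CSRF tokens on query strings leak into logs and referrers.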
DRUPAL-CONTRIB-2021-036
This module provides a solution to authenticate visitors using existing SAML providers. Certain non-default configurations allow a malicious user to login as any chosen user. The vulnerability is mitigated by the module's default settings which require the options "Either sign SAML assertions" an...