161 matches found
Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities. This advisory is not covere...
Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module which comes with the Standard...
Navbar - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-011
This module provides a very simple, mobile-friendly navigation toolbar. The module doesn't sufficiently check for user-provided input. This vulnerability is mitigated by the fact that an attacker must have the ability to post content using a text format like the default "Filtered HTML" format tha...
Drupal core - Moderately critical - Open Redirect - SA-CORE-2020-003
More info at https://www.drupal.org/sa-core-2020-003...
Views Bulk Operations (VBO) - Moderately critical - Access bypass - SA-CONTRIB-2020-003
Views Bulk Operations provides enhancements to running bulk actions on views. The module contains an access bypass vulnerability that might allow users to execute views actions that they should not have access to. This vulnerability is mitigated by the fact that it only occurs in the case of...
Drupal Warns Web Admins to Update CMS Sites to Patch a Critical Flaw
If you haven't recently updated your Drupal-based blog or business website to the latest available versions, it's the time. Drupal development team yesterday released important security updates for its widely used open-source content management software that addresses a critical and three...
Localization update - Moderately critical - Insecure server configuration - SA-CONTRIB-2019-072
This module enables you to automatically download and update the site's interface translation by fetching them from localize.drupal.org or any other Localization server. The module doesn't sufficiently protect the directory it stores translation files in. It's conventional for directories which m...
External Links Filter - Moderately critical - Open Redirect Vulnerability - SA-CONTRIB-2019-063
The External Link Filter module provides an input filter that replaces external links by a local link that redirects to the target URL. The module did not have protection for the Redirect URL to go where content authors intended...
drupal -- Drupal core - Moderately critical
Drupal Security Team reports: CVE-2019-11831: By-passing protection of Phar Stream Wrapper Interceptor. In order to intercept file invocations like fileexists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream...
CVE-2017-6924 REST API can bypass comment approval - Access Bypass - Moderately Critical
In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services rest module enabled, the...
E-Sign - Moderately critical - Cross site scripting - SA-CONTRIB-2018-080
This module allows for integration of Signature Pad, an electronic-signing script, into Drupal for both nodes content, the Field API FAPI, and Webforms. The module doesn't sufficiently filter user input when displaying a signature. The vulnerability is mitigated by the fact that an attacker must...
NVP field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-066
NVP field module allows you to create a field type of name/value pairs, with custom titles and easily editable rendering with customizable HTML/text surrounding the pairs. The module doesn't sufficiently handle sanitization of its field formatter's output. This vulnerability is mitigated by the...
Taxonomy File Tree - Moderately critical - Access bypass - SA-CONTRIB-2018-061
Taxonomy File Tree allows site managers to create file trees. For files managed as Drupal files, the module does not properly check that a user has access to a file before letting the user download the file. This vulnerability only affects sites that use private files...
Renderkit - Moderately critical - Access bypass - SA-CONTRIB-2018-060
This module, typically in combination with cfr:cfrplugin, allows to compose behaviors from granular components. One of such behaviors is to display a list of related entities, for a given source entity and a given entity relation e.g. an entity reference field. The components that display related...
Bing Autosuggest API - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-058
This module enables you to use the Bing Autosuggest API. The module doesn't sufficiently sanitize a value used to populate an API request...
Select (or other) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-054
This module enables users to select 'other' on certain form elements and a textfield appears for the user to provide a custom value. The module doesn't sufficiently escape values of a text field the under the scenario when "Select or other" formatter is used. This vulnerability is mitigated by th...
litejazz - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-050
This theme features 3 color styles, 12 fully collapsible regions, suckerfish menus, fluid or fixed widths, easy configuration, and more. The theme doesn't sufficiently sanitize user input. This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and...
Fedora 27 : drupal7-views (2017-25114a9d7f)
7.x-3.18 - 7.x-3.17 - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible...
Node feedback - Moderately critical - Access Bypass - SA-CONTRIB-2017-092
This module enables you to set nodes to send feedbacks by personal/site wide contact forms. The module doesn't sufficiently handle the access to nodes whose titles will be shown on contact forms. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Us...
Fedora 25 : drupal7-views (2017-f27641a807)
7.x-3.18 - 7.x-3.17 - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible...