Lucene search
K

161 matches found

Drupal
Drupal
added 2022/07/20 12:0 a.m.37 views

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities. This advisory is not covere...

6.1CVSS3.3AI score0.00526EPSS
Exploits0References16
Drupal
Drupal
added 2022/02/16 12:0 a.m.61 views

Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module which comes with the Standard...

6.5CVSS2.5AI score0.00769EPSS
Exploits0References18
Drupal
Drupal
added 2022/01/25 12:0 a.m.15 views

Navbar - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-011

This module provides a very simple, mobile-friendly navigation toolbar. The module doesn't sufficiently check for user-provided input. This vulnerability is mitigated by the fact that an attacker must have the ability to post content using a text format like the default "Filtered HTML" format tha...

6.5AI score
Exploits0References4
Friends Of PHP
Friends Of PHP
added 2020/05/20 1:37 p.m.6 views

Drupal core - Moderately critical - Open Redirect - SA-CORE-2020-003

More info at https://www.drupal.org/sa-core-2020-003...

7.2AI score
Exploits0Affected Software1
Drupal
Drupal
added 2020/02/05 12:0 a.m.17 views

Views Bulk Operations (VBO) - Moderately critical - Access bypass - SA-CONTRIB-2020-003

Views Bulk Operations provides enhancements to running bulk actions on views. The module contains an access bypass vulnerability that might allow users to execute views actions that they should not have access to. This vulnerability is mitigated by the fact that it only occurs in the case of...

6.9AI score
Exploits0References7
The Hacker News
The Hacker News
added 2019/12/19 2:42 p.m.7 views

Drupal Warns Web Admins to Update CMS Sites to Patch a Critical Flaw

If you haven't recently updated your Drupal-based blog or business website to the latest available versions, it's the time. Drupal development team yesterday released important security updates for its widely used open-source content management software that addresses a critical and three...

6AI score
Exploits0
Drupal
Drupal
added 2019/10/02 12:0 a.m.13 views

Localization update - Moderately critical - Insecure server configuration - SA-CONTRIB-2019-072

This module enables you to automatically download and update the site's interface translation by fetching them from localize.drupal.org or any other Localization server. The module doesn't sufficiently protect the directory it stores translation files in. It's conventional for directories which m...

6.6AI score
Exploits0References8
Drupal
Drupal
added 2019/08/14 12:0 a.m.5 views

External Links Filter - Moderately critical - Open Redirect Vulnerability - SA-CONTRIB-2019-063

The External Link Filter module provides an input filter that replaces external links by a local link that redirects to the target URL. The module did not have protection for the Redirect URL to go where content authors intended...

5.6AI score
Exploits0References8
FreeBSD
FreeBSD
added 2019/05/08 12:0 a.m.36 views

drupal -- Drupal core - Moderately critical

Drupal Security Team reports: CVE-2019-11831: By-passing protection of Phar Stream Wrapper Interceptor. In order to intercept file invocations like fileexists or stat on compromised Phar archives the base name has to be determined and checked before allowing to be handled by PHP Phar stream...

9.8CVSS0.7AI score0.05586EPSS
Exploits0References1
Cvelist
Cvelist
added 2019/01/15 8:0 p.m.34 views

CVE-2017-6924 REST API can bypass comment approval - Access Bypass - Moderately Critical

In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services rest module enabled, the...

8.3AI score0.02102EPSS
Exploits0References3
Drupal
Drupal
added 2018/12/19 12:0 a.m.14 views

E-Sign - Moderately critical - Cross site scripting - SA-CONTRIB-2018-080

This module allows for integration of Signature Pad, an electronic-signing script, into Drupal for both nodes content, the Field API FAPI, and Webforms. The module doesn't sufficiently filter user input when displaying a signature. The vulnerability is mitigated by the fact that an attacker must...

6.4AI score
Exploits0References6
Drupal
Drupal
added 2018/10/10 12:0 a.m.14 views

NVP field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-066

NVP field module allows you to create a field type of name/value pairs, with custom titles and easily editable rendering with customizable HTML/text surrounding the pairs. The module doesn't sufficiently handle sanitization of its field formatter's output. This vulnerability is mitigated by the...

6.4AI score
Exploits0References5
Drupal
Drupal
added 2018/09/26 12:0 a.m.5 views

Taxonomy File Tree - Moderately critical - Access bypass - SA-CONTRIB-2018-061

Taxonomy File Tree allows site managers to create file trees. For files managed as Drupal files, the module does not properly check that a user has access to a file before letting the user download the file. This vulnerability only affects sites that use private files...

5.3AI score
Exploits0References7
Drupal
Drupal
added 2018/09/19 12:0 a.m.15 views

Renderkit - Moderately critical - Access bypass - SA-CONTRIB-2018-060

This module, typically in combination with cfr:cfrplugin, allows to compose behaviors from granular components. One of such behaviors is to display a list of related entities, for a given source entity and a given entity relation e.g. an entity reference field. The components that display related...

6.4AI score
Exploits0References5
Drupal
Drupal
added 2018/08/29 12:0 a.m.20 views

Bing Autosuggest API - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-058

This module enables you to use the Bing Autosuggest API. The module doesn't sufficiently sanitize a value used to populate an API request...

6.6AI score
Exploits0References5
Drupal
Drupal
added 2018/07/25 12:0 a.m.9 views

Select (or other) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-054

This module enables users to select 'other' on certain form elements and a textfield appears for the user to provide a custom value. The module doesn't sufficiently escape values of a text field the under the scenario when "Select or other" formatter is used. This vulnerability is mitigated by th...

6.5AI score
Exploits0References7
Drupal
Drupal
added 2018/07/11 12:0 a.m.13 views

litejazz - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-050

This theme features 3 color styles, 12 fully collapsible regions, suckerfish menus, fluid or fixed widths, easy configuration, and more. The theme doesn't sufficiently sanitize user input. This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and...

6.7AI score
Exploits0References6
Tenable Nessus
Tenable Nessus
added 2018/01/15 12:0 a.m.17 views

Fedora 27 : drupal7-views (2017-25114a9d7f)

7.x-3.18 - 7.x-3.17 - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible...

5.5AI score
Exploits0References2
Drupal
Drupal
added 2017/12/06 12:0 a.m.17 views

Node feedback - Moderately critical - Access Bypass - SA-CONTRIB-2017-092

This module enables you to set nodes to send feedbacks by personal/site wide contact forms. The module doesn't sufficiently handle the access to nodes whose titles will be shown on contact forms. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Us...

6.4AI score
Exploits0References7
Tenable Nessus
Tenable Nessus
added 2017/09/29 12:0 a.m.17 views

Fedora 25 : drupal7-views (2017-f27641a807)

7.x-3.18 - 7.x-3.17 - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible...

5.5AI score
Exploits0References2
Rows per page
Query Builder