158 matches found
CVE-2024-13250
CVE-2024-13250 maps to Drupal Symfony Mailer Lite CSRF vulnerability. Affected versions are 0.0.0 up to 1.0.5/1.0.6, with 1.0.6 as the fixed release. The issue allows CSRF exploitation in Drupal Symfony Mailer Lite, potentially enabling an attacker to perform unwanted actions on behalf of an auth...
CVE-2024-13247
CVE-2024-13247 concerns the Drupal Coffee module (versions 0.0.0 through 1.3.x; prior to 1.4.0). The root cause is improper neutralization/escaping of user input during web page generation, leading to Cross-Site Scripting (XSS) when Coffee renders certain content. The public documentation consist...
CVE-2024-13243 Entity Delete Log - Moderately critical - Access bypass - SA-CONTRIB-2024-007
Missing Authorization vulnerability in Drupal Entity Delete Log allows Forceful Browsing.This issue affects Entity Delete Log: from 0.0.0 before 1.1.1...
CVE-2024-13238 Typogrify - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-002
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Drupal Typogrify allows Cross-Site Scripting XSS.This issue affects Typogrify: from 0.0.0 before 1.3.0...
CVE-2024-13237
CVE-2024-13237 affects Drupal File Entity (fieldable files). The vulnerability arises from improper neutralization of input during web page generation, enabling Cross-Site Scripting (XSS) for File Entity versions 7.X-* up to but not including 7.X-2.38. The issue is discussed in SA-CONTRIB-2024-00...
Email Contact - Moderately critical - Access bypass - SA-CONTRIB-2024-020
The Email Contact module provides email field display formatters that can display the field as a link to the contact form, or as an inline contact form. The module does not sufficiently handle restricted entity or field access to the mail sending form, when the "Email contact link" formatter is...
Private content - Moderately critical - Access bypass - SA-CONTRIB-2024-012
This module gives each node a 'private' checkbox. If it's set, the node can only be seen by the node author, or users with the 'access private content' permission. The module incorrectly grants access to private nodes under certain specific circumstances. This vulnerability is mitigated by the fa...
Paragraphs admin - Moderately critical - - SA-CONTRIB-2023-049
This module enables you to view all paragraph entities in an admin view. The module contains an access bypass that allows non admin users to access the view. The vulnerability can be mitigated by editing the view to change the permission required to access the page...
Expandable Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-028
This module enables you to render a field in an expandable/collapsible region. The module doesn't sufficiently sanitize the field content when displaying it to an end user. This vulnerability is mitigated by the fact that an attacker must have a role capable of creating content that uses the fiel...
Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-002
The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not have access to, including for private files. This release was coordinated with SA-CONTRIB-2023-010. This advisory is not covered by Drupal Steward...
Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010
The Media Responsive Thumbnail module allows media reference fields to be rendered as a responsive image. This module does not properly check entity access prior to rendering media. This may result in users seeing thumbnails of media items they do not have access to. This release was coordinated...
Media Library Form API Element - Moderately critical - Information Disclosure - SA-CONTRIB-2023-004
This module enables you to use the media library in custom forms without the Media Library Widget. The module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access. The...
Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001
The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access. The vulnerability is mitigated by the fact that the inaccessible media will only be visib...
Media Library Block - Moderately critical - Information Disclosure - SA-CONTRIB-2023-003
The Media Library Block module allows you to render a media entity in a block. The module does not properly check media access in some circumstances. This may result in unauthorized users including anonymous users seeing media items they are not authorized to access if a block containing a...
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-061
Social Flexible Group is an Open Social extension that allows users to create groups with many different configurations. In specific uncommon scenarios, where a platform doesn't have any flexible groups with the "Group members only secret" visibility, community groups are visible to anonymous use...
Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053
This module enables you to accept payments from the Elavon payment provider. The module doesn't sufficiently verify that it's communicating with the correct server when using the Elavon On-site payment gateway, which could lead to leaking valid payment details as well as accepting invalid payment...
Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013
More info at https://www.drupal.org/sa-core-2022-013...
Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities. This advisory is not covere...
Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module which comes with the Standard...
Navbar - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-011
This module provides a very simple, mobile-friendly navigation toolbar. The module doesn't sufficiently check for user-provided input. This vulnerability is mitigated by the fact that an attacker must have the ability to post content using a text format like the default "Filtered HTML" format tha...