14 matches found
Next.js - Critical - Access bypass - SA-CONTRIB-2025-122
This module enables integration between Next.js and Drupal for headless CMS functionality. When installed, the module automatically enables cross-origin resource sharing CORS with insecure default settings Access-Control-Allow-Origin: , overriding any services.yml CORS configuration. This allows...
CVE-2025-12083 CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Drupal CivicTheme Design System allows Cross-Site Scripting XSS.This issue affects CivicTheme Design System: from 0.0.0 before 1.12.0...
CVE-2025-10930 Currency - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-110
Cross-Site Request Forgery CSRF vulnerability in Drupal Currency allows Cross Site Request Forgery.This issue affects Currency: from 0.0.0 before 3.5.0...
CVE-2025-9554 Owl Carousel 2 - Critical - Unsupported - SA-CONTRIB-2025-104
Vulnerability in Drupal Owl Carousel 2.This issue affects Owl Carousel 2:...
CVE-2025-9552
CVE-2025-9552 concerns the Drupal module Synchronize composer.Json With Contrib Modules . Public descriptions in connected documents indicate a vulnerability affecting the module in general (versions not specified). The NVD/NVD-derived metrics show a CVSS 3.1 base score of 5.3 (Medium) with an at...
Authenticator Login - Moderately critical - Access bypass - SA-CONTRIB-2025-098
This module allows users to setup two-factor authentication 2FA using authenticator apps for enhanced login security. The module did not protect all possible login paths provided by core modules. CVSS risk score experimental 6.3 / Medium...
CVE-2025-8996 Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097
Missing Authorization vulnerability in Drupal Layout Builder Advanced Permissions allows Forceful Browsing.This issue affects Layout Builder Advanced Permissions: from 0.0.0 before 2.2.0...
CVE-2025-6675 Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-082
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.8.0, from 5.2.0 before 5.2.1, from 0.0.0 before 5.0., from 0.0.0 before 5.1...
CVE-2025-47701 Restrict route by IP - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-047
Cross-Site Request Forgery CSRF vulnerability in Drupal Restrict route by IP allows Cross Site Request Forgery.This issue affects Restrict route by IP: from 0.0.0 before 1.3.0...
CVE-2025-3739
CVE-2025-3739 : A vulnerability in Drupal 8 Google Optimize Hide Page affects the Drupal 8 Google Optimize Hide Page module. The CVSSv3.1 metrics indicate a network attack vector, high attack complexity, and that an attacker requires high privileges with no user interaction to achieve a Confident...
CVE-2025-3061 Material Admin - Critical - Unsupported - SA-CONTRIB-2025-006
Vulnerability in Drupal Material Admin.This issue affects Material Admin:...
CVE-2025-3060 Flattern – Multipurpose Bootstrap Business Profile - Critical - Unsupported - SA-CONTRIB-2025-005
Vulnerability in Drupal Flattern – Multipurpose Bootstrap Business Profile.This issue affects Flattern – Multipurpose Bootstrap Business Profile:...
OAuth2 Client - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-013
This module enables a developer to create dedicated OAuth2 clients for connecting to external APIs and other OAuth protected resources. The module does not use Cross Site Request Forgery CSRF tokens to protect routes for enabling a client. This vulnerability is mitigated by the fact that an...
Google Tag - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-011
This module enables you to integrate the site with the Google Tag Manager GTM application. The module doesn't have the "restrict access" flag on the "administer googletagcontainer" permission. A user with this permission can load a GTM container that completely changes the page or inserts malicio...