Spotlight - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2015-142

The Spotlight module provides a tool that mimics Mac OS X Spotlight functionality. It provides faster access to content, paths and uploaded files. The module doesn't sufficiently sanitize node titles when displayed in results. This vulnerability is mitigated by the fact that an attacker must have...

SA-CONTRIB-2014-112 - Node Field - Cross Site Scripting (XSS)

Node Field module allows you to add custom extra fields to single Drupal nodes. The module doesn't sufficiently sanitize user input for some of the module's internal fields. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create nodes. CVE...

SA-CONTRIB-2014-108 - Webform Component Roles - Access Bypass

The Webform component module enables site admins to limit visibility or editability of webform components based on user roles. The module doesn't sufficiently check that disabled component values are not modified upon submission of the form. CVE identifiers issued CVE-2014-9022 Versions affected...

SA-CONTRIB-2014-066 - Node Access Keys - Access Bypass

Node Access Keys helps to grant users temporary view permissions to selected content types on a per user role basis. It was found that unpublished nodes of content types that that did not have an access key were visible to all. Also, If an unpublished node of a content type that was protected by ...

SA-CONTRIB-2014-048 - Field API Pane Editor (FAPE) - Access bypass

This module adds a contextual menu to fields which are added to an entity display in Panels, allowing individual fields to be directly edited via a separate page or, if it is enabled, the Overlay module. The module doesn't sufficiently verify the user has access to modify the entity the field is...

SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. Access bypass User module search - Drupal 6 and 7 A vulnerability was identified that allows blocked users to appear in user search results, even when the search results are viewed by unprivileged users. This...

SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure

Multiple vulnerabilities were discovered in Drupal core. Arbitrary PHP code execution A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PH...

SA-CONTRIB-2012-111 - Security Questions - Access Bypass

This module provides administrator configurable challenge questions for use during the log in and password reset processes. The module doesn't perform a proper access check, allowing a users' questions and answers to be edited by other users including anonymous users. CVE: CVE-2012-4475 Versions...

SA-CONTRIB-2011-017 - Save Draft - Validation Bypass

The Save Draft module adds a "Save as draft" button to the node form, letting content creators easily save a post in unpublished draft form. The module adds validation to individual form actions, thereby bypassing any form-wide validation that is normally performed before saving content. This is ...

SA-2008-073 - Drupal core - Multiple vulnerabilities

Multiple vulnerabilities and weaknesses were discovered in Drupal. Cross site request forgery The update system is vulnerable to Cross site request forgeries. Malicious users may cause the superuser user 1 to execute old updates that may damage the database. Cross site scripting When an input...