SA-CONTRIB-2014-100 - Bad Behavior - Information Disclosure
This module enables you to target any malicious software directed at a Web site, whether it be a spambot, ill-designed search engine bot, or system crackers. It blocks such access and then logs their attempts. Information Disclosure: The module doesn't sufficiently sanitize log data, allowing...
UBUNTU-CVE-2014-5267
modules/openid/xrds.inc in Drupal 6.x before 6.33 and 7.x before 7.31 allows remote attackers to have unspecified impact via a crafted DOCTYPE declaration in an XRDS document...
SA-CONTRIB-2014-086 - Custom BreadCrumbs - Cross Site Scripting (XSS)
Custom Breadcrumbs allows administrators to set up parametrized breadcrumb trails for different content types, views, panels, taxonomy vocabularies and terms, paths, and a simple API that allows contributed modules to enable custom breadcrumbs for module pages and theme templates. User input is n...
SA-CONTRIB-2014-075 - Biblio Autocomplete - SQL injection and Access Bypass
This module provides functionality for AJAX based auto-completion of fields in the Biblio node type provided by the Biblio module using previously entered values and third party services. The submodule "Biblio self autocomplete" for previously entered values doesn't sufficiently sanitize user inp...
SA-CORE-2014-004 - Drupal core - Denial of service
Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available xmlrpc.php. The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to rea...
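The entity-expansion attack described above, as an added example that is not Drupal's code (Python is used here because the point is the XML document itself, not the PHP endpoint): a small "billion laughs" payload wrapped in an XML-RPC methodCall, the amplification a parser that honours internal entities produces from it, and a pre-parse check that refuses any request carrying a DOCTYPE declaration, which is the prerequisite for defining entities at all. The helper names, the `system.listMethods` method and the DOCTYPE check are assumptions of this example; the nesting depth is kept small so it runs instantly. The CVE-2014-5267 entry above (a crafted DOCTYPE in an XRDS document) rests on the same prerequisite.

```python
"""Entity-expansion payload against an XML-RPC endpoint and a pre-parse guard.

Added illustration, not Drupal's code. The method name, the amplification
parameters and the DOCTYPE rejection rule are assumptions of this example.
"""
import re
import xml.etree.ElementTree as ET

# Any DOCTYPE keyword; the XML spec requires uppercase, matching
# case-insensitively is simply the conservative choice for a reject rule.
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def build_xmlrpc_bomb(depth: int = 3, fanout: int = 10) -> str:
    """Constructed payload: e0 = "lol", e1 = fanout x &e0;, e2 = fanout x &e1; ...

    A document of a few hundred bytes expands to 3 * fanout**depth bytes of
    character data once the parser resolves the chained entities.
    """
    decls = ['<!ENTITY e0 "lol">']
    for level in range(1, depth + 1):
        refs = ("&e%d;" % (level - 1)) * fanout
        decls.append('<!ENTITY e%d "%s">' % (level, refs))
    dtd = "<!DOCTYPE methodCall [" + "".join(decls) + "]>"
    body = (
        "<methodCall><methodName>system.listMethods</methodName>"
        "<params><param><value><string>&e%d;</string></value></param></params>"
        "</methodCall>" % depth
    )
    return '<?xml version="1.0"?>' + dtd + body


def naive_expanded_length(doc: str) -> int:
    """What an unguarded parser does: expand every entity and hold the result.

    ElementTree resolves internal entities from the DTD subset, so the text
    of the <string> value is the fully expanded payload. This is the CPU and
    memory cost the endpoint pays before it even looks at the method name.
    """
    root = ET.fromstring(doc)
    value = root.find("./params/param/value/string")
    return len(value.text)


def hardened_parse(doc: str) -> ET.Element:
    """Reject the raw request text before any parser touches it.

    XML-RPC requests have no legitimate need for a DTD, so refusing every
    DOCTYPE declaration removes entity definitions (expansion bombs and
    external entities alike) without trying to reason about their contents.
    """
    if DOCTYPE_RE.search(doc):
        raise ValueError("XML-RPC request rejected: DOCTYPE declarations are not accepted")
    return ET.fromstring(doc)


def accepts(doc: str) -> bool:
    """True if the hardened parser accepts the document, False if it rejects it."""
    try:
        hardened_parse(doc)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    bomb = build_xmlrpc_bomb(depth=3, fanout=10)
    print("request bytes: %d, expanded bytes: %d" % (len(bomb), naive_expanded_length(bomb)))
    print("hardened parser accepts bomb:", accepts(bomb))
    benign = ('<?xml version="1.0"?><methodCall><methodName>system.listMethods'
              "</methodName></methodCall>")
    print("hardened parser accepts benign request:", accepts(benign))
```

Raising `depth` by one multiplies the expanded size by `fanout`; at depth 9 the same few-hundred-byte request would demand gigabytes, which is the exhaustion the advisory describes. The guard has to run on the raw request body, not on a parsed tree, because by the time a tree exists the expansion has already happened.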
CVE-2014-5021
Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label...
CVE-2014-5021
CVE-2014-5021 concerns Drupal’s Form API XSS vulnerability. The vulnerability affects Drupal 6.x before 6.32 and potentially 7.x before 7.29, where remote authenticated users who possess the “administer taxonomy” permission can inject arbitrary script or HTML via an option group label. The impact...
Drupal 6.x < 6.32 / 7.x < 7.29 Multiple Vulnerabilities
The remote web server is running a version of Drupal that is 6.x prior to 6.32 or 7.x prior to 7.29. It is, therefore, potentially affected by the following vulnerabilities: - The HTTP Host header, which determines the configuration file used by Drupal core's multisite feature, does not properly...
SA-CONTRIB-2014-065 - Custom Meta - Cross Site Scripting (XSS)
The module allows you to define and manage custom meta tags. The module does not sufficiently sanitize user input before displaying the attribute and content values for meta tags on the administration page. This vulnerability is mitigated by the fact that an attacker must have access to an accoun...
CVE-2014-2983
Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors...
Drupal 6.x < 6.31 Forms API Information Disclosure
The remote web server is running a version of Drupal that is 6.x prior to 6.31. It is, therefore, affected by an error related to the HTML form API and the caching of pages for different anonymous users, which could allow sensitive information to be disclosed. Note that Drupal core does not expos...
SA-CORE-2014-002 - Drupal core - Information Disclosure
Drupal's form API has built-in support for temporary storage of form state, for example user input. This is often used on multi-step forms, and is required on Ajax-enabled forms in order to allow the Ajax calls to access and update interim user input on the server. When pages are cached for...
SA-CONTRIB-2014-029 - Mime Mail - Access Bypass
The MIME Mail module allows sending MIME-encoded e-mail messages with embedded images and attachments. By default the module only allows files to be embedded or attached that are located in the public files directory. The module doesn't sufficiently check the file location, considering similar...
SA-CONTRIB-2014-015 - FileField - Access Bypass
FileField module allows users to upload files in conjunction with the Content Construction Kit (CCK) module in Drupal 6. The module doesn't sufficiently check permissions on revisions when determining if a user should have access to a particular file attached to that revision. A user could gai...
SA-CONTRIB-2014-017 - Image Resize Filter - Denial of Service (DOS)
This module enables you to resize images based on the HTML contents of a post. Images with specified height and width properties that differ from the original image result in a resized image being created. The module doesn't limit the number of resized images per post or user, which could allow a...
SA-CONTRIB-2014-009 - Tagadelic - Information Disclosure
This module provides an API and a few simple turnkey modules, which allows you to easily create tagclouds, weighted lists, search-clouds and such. The 6.x-1.x version does not account for node access modules, thus leading to information being disclosed. This vulnerability is mitigated by the fact...
SA-CONTRIB-2013-097 - OG Features - Access bypass
This module enables you to enable and disable bundles of functionality for individual Organic groups. In order to provide this functionality, this module must override all menu callbacks available in the system, in order to delegate access based on the current Organic group you are contextually i...
SA-CONTRIB-2013-088 - Secure Pages - Missing Encryption of Sensitive Data
The Secure Pages module manages redirects between HTTP and HTTPS pages. A flaw in the URL path matching could lead some pages and forms to be transmitted via plain HTTP, even if the administrator intended those pages to use HTTPS. This flaw may surface either due to a malicious user enticing a us...