SA-CONTRIB-2013-083 - Quiz - Access Bypass
Access bypass on deleting quiz results. The Quiz module provides tools for authoring and administering quizzes through Drupal. A quiz is given as a series of questions, with only one question appearing per page. Scores are then stored in the database. The module doesn't sufficiently check the dele...
CVE-2012-0826
Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and possibly cause a denial of service (loss of updates) due to rate limit...
CVE-2012-0826
CVE-2012-0826 is a CSRF vulnerability in Drupal’s Aggregator module affecting Drupal 6.x before 6.23 and 7.x before 7.11. The issue allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and may cause a denial of service via rate-limited updates...
CVE-2012-0825
CVE-2012-0825 affects Drupal 6.x up to 6.23 and 7.x up to 7.11, where Attribute Exchange (AX) information is not signed, enabling MITM modification of AX data. Related advisories confirm this CVE in multiple distributions (e.g., Debian DSA-2776-1; MiracleLinux AXSA-2012-98:01). Remediation in aff...
SA-CONTRIB-2013-081 - Spaces - Access bypass
This module enables you to make configuration options generally available only at the sitewide level to be configurable and overridden by individual "spaces" on a Drupal site. The spaces submodule, Spaces OG, doesn't properly handle deleting of organic group group spaces when the option to move t...
SA-CONTRIB-2013-078 - Quick Tabs - Access Bypass
The Quick Tabs module allows you to create blocks of tabbed content, specifically views, blocks, nodes and other quicktabs. You can create a block on your site containing multiple tabs with corresponding content. The module does not sufficiently check block permissions before rendering a Quick Ta...
SA-CONTRIB-2013-073 - Make Meeting Scheduler - Access Bypass
This module enables you to create polls accessible by a URL with a hash, e.g. example.com/makemeeting/sn9028xh3398, so that anonymous users can view and vote on the poll. The module didn't sufficiently check access when a poll is accessed directly via its node URL, e.g. node/123. Note: a user with th...
SA-CONTRIB-2013-069 - Password Policy - XSS
This module enables you to specify a certain level of password complexity, a.k.a. "password hardening", for user passwords in Drupal by defining a password policy. When viewing and editing a password policy, the module doesn't sufficiently filter the form text field input and display for the "Passwor...
SA-CONTRIB-2013-066 - Monster Menus - Multiple Vulnerabilities
Monster Menus enables you to create granular page permissions, and apply them to a hierarchical page structure. The mmwebform submodule enables you to assign permissions derived from Monster Menus to webform forms. The module doesn't sufficiently filter titles entered into page settings and echoe...
SA-CONTRIB-2013-054 - Fast Permissions Administration - Access Bypass
The Fast Permissions Administration module enables you to use inline filters on the permissions page, as well as loading the permissions form through a modal dialog. The module doesn't sufficiently check user access for the modal content callback, allowing unauthorized access to the permissions...
CVE-2013-1971
Cross-site scripting (XSS) vulnerability in the MP3 Player module for Drupal 6.x allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the file name of an MP3 file...
CVE-2013-1971
The CVE-2013-1971 vulnerability concerns the Drupal 6.x MP3 Player contributed module. The issue is a cross-site scripting (XSS) flaw where remote authenticated users with certain permissions can inject arbitrary script/HTML via the MP3 filename, caused by insufficient filtering of user-supplied ...
SA-CONTRIB-2013-049 - Node access user reference - Access Bypass
This module allows different access permissions to be given to authors, referenced users and non-referenced users. When an author has created content containing a user reference field with author update/delete grants enabled and the author's user account is later deleted, content created by them...
SA-CONTRIB-2013-043 - MP3 Player - Cross Site Scripting (XSS)
This module enables you to easily enable a Flash MP3 Player on a CCK FileField. The module doesn't sufficiently filter user-supplied text from mp3 filenames. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create a node with an mp3 filefield wi...
SA-CONTRIB-2013-017 - Yandex.Metrics - Cross site scripting (XSS)
The Yandex.Metrics module enables you to install Yandex.Metrica tracking code and watch reports by key indicators of user activity. The module doesn't sufficiently escape Yandex.Metrica service data when being displayed. This vulnerability is mitigated by the fact that it only impacts sites with...
SA-CONTRIB-2013-019 - Ubercart Views - Cross site scripting (XSS)
Ubercart Views provides Views integration for the Ubercart shopping cart module. The "full name" field in Views is not properly sanitized on output. The vulnerability is mitigated by the fact that an attacker must get far enough in the checkout process to store their name with an order. CVE...
CVE-2012-5652
Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result...