Drupal Restrict route by IP module < 1.3.0 - Unauthenticated Cross Site Request Forgery (CSRF) vulnerability
Unauthenticated Cross Site Request Forgery (CSRF) vulnerability discovered by Juraj Nemec (poker10) in the Drupal module Restrict route by IP, versions below 1.3.0...
Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-053
The module enables you to add second-factor authentication in addition to the default Drupal login. The module doesn't invoke two-factor authentication (2FA) for the password reset option. This vulnerability is mitigated by the fact that an attacker must have access to the password reset link...
Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-052
The module enables you to add second-factor authentication in addition to the default Drupal login. The module doesn't sufficiently check whether a TOTP token has already been used for authenticator-based second-factor methods, so an already-accepted code can be replayed within its validity window. This vulnerability is mitigated by the fact that an attacker must...
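The missing check in SA-CONTRIB-2025-052 is a replay guard: a TOTP code that was already accepted for a user must not work a second time, even though it is still inside the drift window. The following is an added example and not the Enterprise MFA module's or Drupal's code; it implements RFC 6238 TOTP and a verifier that remembers the last accepted time step per user. The `track_use=False` switch reproduces the vulnerable behaviour for comparison. The secret, user name and timestamps are constructed test values, and the in-memory dictionary stands in for server-side per-user state.

```python
"""Added example: TOTP verification with a per-user "last accepted step" replay guard.

Not Drupal's or the Enterprise MFA module's code. Storage is an in-memory dict
(assumption); a deployment keeps this next to the user record.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6
DRIFT_STEPS = 1     # accept one step of clock drift on either side


def totp_code(secret_b32: str, step: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for a time-step counter."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Verifies codes; with track_use=True it refuses any step <= the last accepted one."""

    def __init__(self, secrets_by_user: Dict[str, str], track_use: bool = True) -> None:
        self._secrets = secrets_by_user          # user id -> base32 secret (constructed)
        self._track_use = track_use              # False reproduces the advisory's flaw
        self._last_step: Dict[str, int] = {}     # user id -> last accepted time step

    def verify(self, user: str, code: str, now: Optional[float] = None) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        now = time.time() if now is None else now
        current = int(now // STEP_SECONDS)
        last_used = self._last_step.get(user, -1) if self._track_use else -1
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= last_used:
                continue  # already consumed, or older than a consumed code: replay
            expected = totp_code(secret, step).encode()
            if hmac.compare_digest(expected, code.encode()):
                if self._track_use:
                    self._last_step[user] = step
                return True
        return False


if __name__ == "__main__":
    secret = "JBSWY3DPEHPK3PXP"                  # constructed test secret
    v = TotpVerifier({"alice": secret})
    t = 1_700_000_000
    code = totp_code(secret, t // STEP_SECONDS)
    print("first use:", v.verify("alice", code, now=t))        # True
    print("replayed:", v.verify("alice", code, now=t + 5))     # False
```

Recording the accepted step (rather than the code string) also blocks the older code in the drift window, which an attacker who shoulder-surfed two consecutive codes could otherwise submit in reverse order.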
Enterprise MFA - TFA for Drupal - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-054
The module enables you to add second-factor authentication in addition to the default Drupal login. The module doesn't sufficiently protect certain routes from Cross Site Request Forgery (CSRF) attacks...
PT-2025-17660 · Drupal · Sportsleague
Name of the Vulnerable Software and Affected Versions: Sportsleague, affected versions not specified. Description: The issue affects the Sportsleague module for Drupal, but specific details about the nature of the issue are not provided in the available information. Recommendations: At the moment, there is no informatio...
Drupal Bootstrap Site Alert module < 1.13.0,3.0.0-3.0.3 - Unauthenticated Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) vulnerability discovered by Mitch Portier (arkener) in the Drupal module Bootstrap Site Alert, versions below 1.13.0 and 3.0.0-3.0.3...
Drupal baguetteBox.js module < 2.0.4,3.0.0 - Unauthenticated Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) vulnerability discovered by Pierre Rudloff (prudloff) in the Drupal module baguetteBox.js, versions below 2.0.4 and version 3.0.0...
Drupal baguetteBox.Js security vulnerability
Drupal baguetteBox.Js is a Drupal module from the Drupal community. A security vulnerability exists in Drupal baguetteBox.Js versions prior to 2.0.4 and 3.0.x versions prior to 3.0.1, which stems from improper input neutralization and could lead to cross-site scripting...
DRUPAL-CONTRIB-2025-028
This module enables users to log in using a short access code instead of providing a username/password combination. The module doesn't sufficiently protect against brute-force guessing of a user's access code. This vulnerability is mitigated by the fact that access code based logins are off ...
DRUPAL-CONTRIB-2025-027
This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied markup inside of content, leading to a persistent Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker needs...
Drupal General Data Protection Regulation cross-site request forgery vulnerability
Drupal General Data Protection Regulation is a module of the Drupal community. A cross-site request forgery vulnerability exists in Drupal General Data Protection Regulation versions prior to 3.0.1 and 3.1.x versions from 3.1.0 prior to 3.1.2, which stems from cross-site request forgery...
Drupal Matomo Analytics cross-site request forgery vulnerability
Drupal Matomo Analytics is a Drupal community module for integrating Matomo, an open source web analytics platform, into Drupal websites to track and analyze user behavior. A cross-site request forgery vulnerability exists in Drupal Matomo Analytics versions prior to 1.24.0, which stems from...
Drupal Email TFA security vulnerability
Drupal Email TFA is a Drupal community module that provides email-based two-factor authentication for Drupal. A security vulnerability exists in Drupal Email TFA versions prior to 2.0.3, which stems from weak authentication and could allow brute-force attacks on the emailed code...
DRUPAL-CONTRIB-2025-022
The AI Automators module, a submodule of AI, enables you to create different automated tasks that fill out field data using LLM outputs. The module contains a potential PHP Object Injection vulnerability that, if combined with another exploit, could lead to Arbitrary File Deletion. It may be...
DRUPAL-CONTRIB-2025-020
Provides OAuth2 server functionality based on the oauth2-server-php library. The module does not consistently enforce admin configuration, allowing users on a disabled server to still authenticate...
DRUPAL-CONTRIB-2025-018
The GDPR Task submodule enables you to create GDPR tasks. The module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when creating tasks...
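SA-CONTRIB-2025-054 and DRUPAL-CONTRIB-2025-018 both describe state-changing routes that accepted a request on the strength of the session cookie alone. The standard fix is a token the browser only has if the request was built by the site's own page: Drupal binds its per-route CSRF token to the session and to the route path (a `_csrf_token: 'TRUE'` requirement on the route). The following is an added example that mirrors that construction and is not Drupal's code: the token is an HMAC over a per-site key, a per-session seed and the route path, and a handler with `require_token=False` reproduces the vulnerable behaviour. The route path, the `Session` class and the sample requests are constructed for the example.

```python
"""Added example: CSRF tokens bound to the session and the route they protect.

Not Drupal's CsrfTokenGenerator; a stand-alone illustration of the same idea.
Site key, session seed and route path are constructed values.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Per-site secret, generated once and kept server-side (assumption for the example).
SITE_PRIVATE_KEY = secrets.token_bytes(32)


class Session:
    """Minimal stand-in for a server-side session with its own CSRF seed."""

    def __init__(self) -> None:
        self.id = secrets.token_urlsafe(16)
        self.csrf_seed = secrets.token_bytes(32)


def csrf_token(session: Session, route_path: str) -> str:
    """token = HMAC-SHA256(site_key || session_seed, route_path)"""
    key = SITE_PRIVATE_KEY + session.csrf_seed
    return hmac.new(key, route_path.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session: Session, route_path: str, presented: Optional[str]) -> bool:
    if presented is None:
        return False
    return hmac.compare_digest(csrf_token(session, route_path), presented)


def handle_state_change(session: Session, path: str, params: Dict[str, str],
                        require_token: bool = True) -> str:
    """A state-changing handler, e.g. one that disables a user's second factor.

    require_token=False is the vulnerable shape described in the advisories:
    any request that carries the victim's session cookie is honoured.
    """
    if require_token and not csrf_valid(session, path, params.get("token")):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: applied {path}"


if __name__ == "__main__":
    s = Session()
    path = "/admin/tfa/disable"                       # constructed route path
    # Link rendered by the site's own page carries the token:
    print(handle_state_change(s, path, {"token": csrf_token(s, path)}))
    # Forged cross-site request: cookie is sent by the browser, token is not:
    print(handle_state_change(s, path, {}))
```

Because the token is keyed on the route path as well as the session, a token leaked from one form cannot be replayed against a different route, and because the seed lives in the session, a token captured from one victim is useless against another.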
Drupal OAuth2 Server module < 2.1.0 - Unauthenticated Broken Access Control vulnerability
Unauthenticated Broken Access Control vulnerability discovered by Pierre Rudloff (prudloff) in the Drupal module OAuth2 Server, versions below 2.1.0...
DRUPAL-CONTRIB-2025-016
This module enables your site to obfuscate email addresses and prevent spambots from collecting them. The module doesn't sanitize HTML data attributes when an email address link is transformed into separate span HTML elements and then transformed back by JavaScript, leading to a Cross Site Scripting (XSS)...
A vulnerability in the Smart IP Ban module for the Drupal CMS allows an attacker to view and modify settings.
The vulnerability in the Smart IP Ban module for the Drupal CMS is related to deficiencies in the authentication mechanism. Exploiting it allows a remote attacker to view and modify the module's settings...
A vulnerability in the Advanced Varnish module for the Drupal CMS, related to insufficient protection of operational data, allows attackers to bypass security restrictions and perform a forceful browsing attack.
The vulnerability in the Advanced Varnish module for the Drupal CMS is related to insufficient protection of operational data. Exploiting it allows an attacker to bypass security restrictions and perform a forceful browsing attack...