450 matches found
DRUPAL-CONTRIB-2022-062
Social Private Message module allows users on the platform to allow users to send private messages to each other. The module does not properly perform the correct access checks for certain operations...
DRUPAL-CONTRIB-2022-058
This module enables themers to get partial data from field render arrays. It gives them more control over the output without drilling deep into the render array or using preprocess functions. The module doesn't sufficiently apply access restrictions when using the filters field\label, field\value...
S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2022-057
This module enables you to utilize S3-compatible storage as a Drupal filesystem. The module doesn't sufficiently prevent file access across multiple filesystem schemes stored in the same bucket. This vulnerability is mitigated by the fact that an attacker must obtain a method to access arbitrary...
DRUPAL-CONTRIB-2022-055
This module enables you to restrict content via taxonomy terms and related permissions. The module doesn't sufficiently restrict cached content in certain circumstances. This vulnerability is mitigated by the fact that it only occurs when multiple entity types are enabled in the module...
DRUPAL-CONTRIB-2022-053
This module enables you to accept payments from the Elavon payment provider. The module doesn't sufficiently verify that it's communicating with the correct server when using the Elavon On-site payment gateway, which could lead to leaking valid payment details as well as accepting invalid payment...
DRUPAL-CONTRIB-2022-050
This module enables you to generate PDF versions of content. Some installations of the module make use of the dompdf/dompdf third-party dependency. Security vulnerabilities exist for versions of dompdf/dompdf before 2.0.0 as described in the 2.0.0 release notes...
DRUPAL-CONTRIB-2022-046
The Lottiefiles Field module enables you to integrate the lottiefiles features into your page. The module does not sufficiently filter user-provided text on output, resulting in a Cross-Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role...
DRUPAL-CONTRIB-2022-029
This module is used as part of the Opigno LMS distribution and implements learning paths for the LMS. The module was providing too much user information about users such as the list of groups a uid is in...
DRUPAL-CONTRIB-2022-023
This module enables you to manage and delete files. The module doesn't sufficiently protect unmanaged files from view under the scenario unauthenticated user knows path to visit the view and can attempt to delete files which results in duplicate files being created. To mitigate this issue without...
DRUPAL-CONTRIB-2022-019
This module provides a stream wrapper for files located in the vendor directory. Even when the vendor directory is moved outside the webroot, it allows providing publically accessible URLs to these files. The module exposes all files that are in the vendor directory, without a site owner's...
DRUPAL-CONTRIB-2022-006
Update 2022-03-01. New maintainers have volunteered for the project and created a new release which includes fixes for the 3 security issues that caused the module to be unsupported. The security team is marking this project unsupported. There is a known security issue with the project that has n...
DRUPAL-CONTRIB-2022-001
This module enables you to login with an email address. The module doesn't sufficiently check if a user account is active when using email login. This vulnerability is mitigated by the fact that an attacker must have an account in the website that is blocked...
DRUPAL-CONTRIB-2021-047
This modules enables users to login via email address. This module does not sufficiently check user status when authenticating...
DRUPAL-CONTRIB-2021-044
This module enables users to authenticate through their Microsoft Azure AD account. The module does not sufficiently check authorization before updating user profile information in certain non-default configurations. This could lead a user being able to hijack another existing account. This...
Loft Data Grids - Moderately critical - XML External Entity (XXE) Processing - SA-CONTRIB-2021-043
This module enables aklump/loftdatagrids to be used as a Drupal module. Excel support was provided by https://packagist.org/packages/phpoffice/phpexcel, which is abandoned and there are known security vulnerabilities: CVE-2018-19277: PHPOffice/PhpSpreadsheet771. Excel support has since been...
DRUPAL-CONTRIB-2021-040
This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. The module does not use CSRF tokens to protect routes for saving menu configurations. This vulnerability can be exploited by an anonymous user...
DRUPAL-CONTRIB-2021-036
This module provides a solution to authenticate visitors using existing SAML providers. Certain non-default configurations allow a malicious user to login as any chosen user. The vulnerability is mitigated by the module's default settings which require the options "Either sign SAML assertions" an...
DRUPAL-CONTRIB-2021-033
This module enables you to extract the textual content of files for use on a website, e.g. to display it or use it in search indexes. The module doesn't sufficiently protect the administrator-defined commands that are executed on the server, which leads to post-authentication remote code executio...
DRUPAL-CONTRIB-2021-030
This module enables you to create an individual hash for each user. These hashes can be used for authentication instead of the user's password, e.g. for views exporters. The module doesn't sufficiently invalidate page output when the page\cache module is used. This vulnerability is mitigated by t...
DRUPAL-CONTRIB-2021-023
This module provides a user interface that allows the implementation and use of Form modes without custom development. The module does not sufficiently respect access restrictions to entity forms for routes it creates to use specific form modes. This vulnerability is mitigated by the fact that an...