DRUPAL-CONTRIB-2021-019
This project is related to the Opigno LMS distribution. It implements the group manager in Opigno LMS. The module does not set X-Frame-Options and blocks the ability of other modules, e.g. Security Kit, to add them, leaving it vulnerable to Clickjacking...
DRUPAL-CONTRIB-2021-016
This module provides a revision UI to Linky entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided ...
DRUPAL-CONTRIB-2021-009
The Chaos tool suite (ctools) module provides a number of APIs and extensions for Drupal; its 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them. The module doesn't sufficiently handle access control on its EntityView...
DRUPAL-CONTRIB-2021-008
This module enables you to add customizable facets on search pages, from core search or searches provided by Search API. The module doesn't sufficiently filter all output in certain circumstances. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...
DRUPAL-CONTRIB-2021-006
The SAML Authentication module allows users to authenticate against a SAML identity provider to log in to your Drupal site. The module doesn't sufficiently protect against unauthorized local access, by way of using the 'password reset' facility, for users who are supposed to only be able to log in...
DRUPAL-CONTRIB-2020-030
This module enables you to hand out permissions on a smaller subset, section or community of your website. The module used to leverage the node grants system but turned it off in its recent 8.x-1.0 release in favor of a system that works for ALL entity types, not just nodes. By doing so, some...
DRUPAL-CONTRIB-2020-028
The Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal. It contains an "Apigee Edge Teams" submodule that provides shared app functionality by allowing developers to be organized into teams. The "Apigee Edge Teams" submodule has an information...
Services - Moderately critical - Access bypass - SA-CONTRIB-2020-022
This module provides a standardized solution for building APIs so that external clients can communicate with Drupal. The module's taxonomy term index resource doesn't take into consideration certain access control tags that are provided by core but unused by it, and that certain contrib modules depend on. This...
DRUPAL-CONTRIB-2020-021
This module enables you to force a password update when using a password reset link. The module doesn't sufficiently validate the login URL, allowing a malicious user to use a specially crafted URL to log in as another user...
DRUPAL-CONTRIB-2020-012
This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently validate data submitted into Webform Signature element during webform submission creation. This allows a malicious user to generate and extract HMAC hashes for arbitrary data. Such HMAC hashes are used...
DRUPAL-CONTRIB-2020-002
The SpamSpan module obfuscates email addresses to help prevent spambots from collecting them. This module contains a spamspan twig filter which doesn't sanitize the passed HTML string. This vulnerability is mitigated by the fact that sites must have custom twig template files that use the SpamSpa...
DRUPAL-CONTRIB-2019-094
This project enables administrators to create modal dialogs. The routes used by the module lacked proper permissions, allowing untrusted users to access, create and modify modal configurations...
DRUPAL-CONTRIB-2019-088
Update: This module had an access bypass vulnerability which has now been addressed by the module's current maintainers. Original description: The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you...
Taxonomy CSV import/export - Moderately critical - Information disclosure - SA-CONTRIB-2019-084
Updated January 9th, 2020. This module enables you to import taxonomy terms from different sources, including a text area, a file upload or a file present on the web server. The module doesn't sufficiently validate user input when providing a local filename to import. This vulnerability is mitigat...
Drupal SVG Sanitizer Denial of Service Vulnerability
Drupal is an open source content management system developed in PHP by the Drupal community. SVG Sanitizer is a module for sanitizing SVG format files. A denial of service vulnerability exists in Drupal SVG Sanitizer 8.x-1.0-alpha1 and earlier versions, which can be...
DRUPAL-CONTRIB-2019-071
This module allows display of a site's content in AMP format. The module doesn't sufficiently check access on unpublished or restricted content...
DRUPAL-CONTRIB-2019-069
This module provides a new UI experience for node editing: the Gutenberg editor. The routes used by the Gutenberg editor lack proper permissions, allowing untrusted users to view and modify some content they should not be able to view or modify...
Create user permission - Critical - Access bypass - SA-CONTRIB-2019-066
This module enables you to have a separate permission only for creating users. The module doesn't respect Drupal's setting for "Who can register accounts?" when set to "Visitors, but administrator approval is required". When this option is chosen, the module overrides the setting, and makes it...
DRUPAL-CONTRIB-2019-065
This module allows you to store external images on your server and apply your own Image Styles. The module exposes cookies to external sites when making external image requests. This vulnerability is mitigated by using the whitelisted host feature to restrict external image requests from...