Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008

The Login Disable module prevents users from logging in to your Drupal site unless they know the access key to add to the end of the login form page. default: http://example.com/user/login?admin If they provide the access key and have a specific role they can log in. The module does not check for...

Events Log Track - Moderately critical - Denial of Service - SA-CONTRIB-2025-059

The Events Log Track module enables you to log specific events on a Drupal site. The module doesn't sufficiently mitigate resource consumption for certain requests which allows a Denial of Service attack...

Gif Player Field - Moderately critical - Cross site scripting - SA-CONTRIB-2025-032

Gif Player Field creates a simple file field types that allows you to upload the GIF files and configure the output for this using the Field Formatters. The module uses GifPlayer jQuery library to render the GIF according to configured setups for the Field Formatter. The external Gif Player Libra...

ECA: Event - Condition - Action - Critical - Cross site request forgery - SA-CONTRIB-2025-031

This module enables you to define automations on your Drupal site. The module doesn't sufficiently protect certain routes from CSRF attacks. This vulnerability can be mitigated by disabling the "ecaui" submodule, which leaves ECA functionality intact, but the vulnerable routes will no longer be...

AI (Artificial Intelligence) - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-003

The Drupal AI module provides a framework for easily integrating Artificial Intelligence on any Drupal site using any kind of AI from multiple vendors. The sub-modules AI Chatbot and AI Assistants API allow users to interact with the Drupal site via a 'chat' interface. The AI Chatbot module doesn...

Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073

This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page. The Login Disable module does not correctly prevent a user with a disabled login from logging in, allowing those users to by-pass...

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2021-020

The Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal. The module did not properly validate user access for data creation in certain circumstances...

Paragraphs - Moderately critical - Access Bypass - SA-CONTRIB-2018-073

The Paragraphs module allows Drupal Site Builders to make content organization cleaner so that you can give more editing power to end-users. The module doesn't sufficiently check access to create new paragraph entities which can cause access bypass issues when used in combination with other...

[SECURITY] Fedora 21 Update: drupal7-views-3.11-1.fc21

The views module provides a flexible method for Drupal site designers to control how lists of content nodes are presented. Traditionally, Drupal has hard-coded most of this, particularly in how taxonomy and tracker lists are formatted. This tool is essentially a smart query builder that, given...

Multiple Cross-Site Scripting Vulnerabilities in Drupal Site Documentation Module

Drupal is a developmental CMF Content Management Framework written in the PHP language. Multiple cross-site scripting vulnerabilities exist in the Drupal Site Documentation module. Because the application fails to properly filter user-supplied input, an attacker could exploit the vulnerabilities ...

[SECURITY] Fedora 12 Update: drupal-views-6.x.2.9-1.fc12

The views module provides a flexible method for Drupal site designers to control how lists of content nodes are presented. Traditionally, Drupal has hard-coded most of this, particularly in how taxonomy and tracker lists are formatted. This tool is essentially a smart query builder that, given...

SA-CONTRIB-2010-024 - eTracker - Cross Site Scripting

The eTracker module provides integration of a Drupal site with the eTracker web traffic analysis service and takes the current URL as a parameter to track what pages have been visited. The URL from the browser is forwarded to JavaScript in the current page, and because the URL wasn't sanitised, i...

[SECURITY] Fedora 9 Update: drupal-views-6.x.2.6-1.fc9

The views module provides a flexible method for Drupal site designers to control how lists of content nodes are presented. Traditionally, Drupal has hard-coded most of this, particularly in how taxonomy and tracker lists are formatted. This tool is essentially a smart query builder that, given...