7 matches found
SA-CONTRIB-2013-016 - Banckle Chat - Access bypass - Unsupported
This module enables you to chat with the visitors of your web site. The module doesn't sufficiently check access to its admin pages. This vulnerability is not mitigated. CVE identifiers issued: CVE-2013-0318. Versions affected: All Banckle Chat 7.x-1.x versions. Drupal core is not affected. If you d...
SA-CONTRIB-2012-171 - Webmail Plus - SQL injection - (unsupported)
The Webmail Plus module is a full-featured email client for Drupal. It's designed to provide email for any or all members of a Drupal site. The module doesn't sufficiently sanitize user input as it is used in a database query. CVE: CVE-2012-5590. Versions affected: All Webmail Plus module versions...
SA-CONTRIB-2012-110 - Colorbox Node - Cross Site Scripting (XSS)
Colorbox Node gives the user the ability to display ANY page inside a colorbox modal without the header and footer. The module accepts some settings from URL parameters and didn't sufficiently validate them before printing them to the browser, allowing malicious users to inject script code into t...
SA-CONTRIB-2012-047 - Ubercart Views - Information disclosure
CVE: CVE-2012-2074. Ubercart Views provides Views integration for the Ubercart shopping cart module, and includes default views that contain a critical information disclosure bug. In some versions, these views are disabled by default, but still disclose information if you enable them. Versions...
SA-CONTRIB-2011-024 - Spam - Cross Site Request Forgery (CSRF)
The Spam module provides numerous tools to auto-detect and deal with spam content that is posted to your site, without having to rely on third-party services. The Spam module provides a trainable Bayesian filter, automatic learning of spammer URLs, flagging of content with an excessive number of...
SA-2008-037 - TrailScout - XSS and SQL injection
The TrailScout module displays a number of last visited pages as breadcrumbs. The module displays certain values without appropriate filtering. Malicious users with the permission to create posts are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross sit...
Project issue tracking - Access bypass
If a remote user knows the node identifier of an issue that has been marked private using a node access module (simpleaccess, nodeprivacybyrole, etc.), they can use a specially crafted URL to view the contents of the node, regardless of their own privileges. All that is required is the "access proje...