Clientside Validation - Critical - Arbitrary PHP Execution - DRUPAL-SA-CONTRIB-2017-072
The Clientside Validation module enables you to have clientside Javascript validation on your forms. The module does not sufficiently validate parameters of a POST request made when validating a CAPTCHA. For the 1.x version of this module, this vulnerability is mitigated by the fact that the...
Commerce invoices - Highly Critical - SQL Injection and Cross Site scripting - DRUPAL-SA-CONTRIB-2017-070
Commerce Invoices allows you to enter an Invoice number, Company name and Amount and it will generate an Invoice that the client can pay on your site using any payment method supported by Drupal commerce. SQL Injection The module did not properly use Drupal's database API when querying the databa...
DrupalChat - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-057
UPDATE 2017-07-12 : This SA originally recommended version 2.6, but it was incorrectly tagged. We've updated the SA to recommend version 2.7. Sorry for the confusion! DrupalChat allows visitors of your Drupal site to chat with each other privately or together in a public chatroom. The module did...
OAuth - Critical - Access Bypass - SA-CONTRIB-2017-056
This module enables you to protect requests via the OAuth authentication protocol. The module doesn't sufficiently notify the Cache API to avoid caching responses under the scenario in which an authenticated user requests a resource such as an unpublished node. This vulnerability is mitigated by the...
PRLP - Critical - Access Bypass and Privilege Escalation - SA-CONTRIB-2017-030
This module adds a form on the password-reset-landing page to allow changing the password of the user during the log in process. The module does not sufficiently validate all access tokens, which allows an attacker to change the password of any arbitrary user and gain access to their account. In...
RESTWS - Highly critical - Remote code execution - SA-CONTRIB-2016-040
This module enables you to expose Drupal entities as RESTful web services. RESTWS alters the default page callbacks for entities to provide additional functionality. A vulnerability in this approach allows an attacker to send specially crafted requests resulting in arbitrary PHP execution. There...
Chat Room - Moderately Critical - Access Bypass - SA-CONTRIB-2015-169
Chat Room enables site owners to integrate chats into nodes by adding the chat room field to them. The module relies on a websocket connection to send chat messages to the client. The module doesn't sufficiently validate access before setting up the websocket. As a result, users may receive...
Login Disable - Access Bypass - Moderately Critical - SA-CONTRIB-2015-162
This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page. The Login Disable module doesn't support other contributed user authentication modules like CAS or URL Login. When combined with...
Stickynote - Cross Site Scripting (XSS) - Moderately Critical - SA-CONTRIB-2015-154
This module enables you to create notes on a page inside a block. The module doesn't sufficiently sanitize the note text on the admin listing page. This vulnerability is mitigated by the fact that an attacker must have a role with a permission to create or edit a stickynote. CVE identifiers issue...
HTTP Strict Transport Security - Moderately Critical - Logical Error - SA-CONTRIB-2015-118
The contributed HSTS module makes it easy for site administrators to implement HTTP Strict Transport Security (HSTS) by setting the Strict-Transport-Security header on each page generated by Drupal. The HSTS module provides a configuration UI for the HSTS "include subdomains" directive, which indicates...
SA-CONTRIB-2015-080 - Profile2 Privacy - Cross Site Scripting (XSS)
Profile2 Privacy module enables you to show or hide parts of a profile2 entity based on pre-configured field sets with a title and description. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is...
SA-CONTRIB-2015-037 - Path Breadcrumbs - Access Bypass
This module enables you to configure breadcrumbs for any Drupal page. The module doesn't check node access on 403 Not Found pages. As a result, unpublished content data can be shown to unprivileged users. This vulnerability is mitigated by the fact that it is possible to configure proper access...
SA-CONTRIB-2015-009 - Linkit - Cross Site Scripting (XSS)
Linkit provides an easy interface for internal and external linking with wysiwyg editors and fields by using an autocomplete field. The module doesn't sufficiently sanitize node titles in the result list if the node search plugin is enabled. This vulnerability is mitigated by the fact that an...
SA-CONTRIB-2014-127 - School Administration - Cross Site Scripting (XSS)
School Administration module enables you to keep records of all students and staff. With inner modules, it aims to be a complete school administration system. The module failed to sanitize some node titles in messages, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is...
SA-CONTRIB-2014-122 - MoIP - Cross Site Scripting (XSS)
This module enables you to use Moip, a Brazilian payment method, with Drupal Commerce. The module doesn't sufficiently filter the data passed by the automatic notifications, leaving the possibility for a malicious user to insert Cross Site Scripting (XSS) attacks. This vulnerability is mitigated by t...
SA-CONTRIB-2014-114 - Tournament - Cross Site Scripting
This project allows you to create various types of tournaments as nodes and associated teams, tournaments, and matches. There are several cases in the project where an account username, node title, and team entity title are not correctly filtered before being displayed to a user. It is possible t...
SA-CONTRIB-2014-112 - Node Field - Cross Site Scripting (XSS)
Node Field module allows you to add custom extra fields to single Drupal nodes. The module doesn't sufficiently sanitize user input for some of the module's internal fields. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create nodes. CVE...
SA-CONTRIB-2014-108 - Webform Component Roles - Access Bypass
The Webform component module enables site admins to limit visibility or editability of webform components based on user roles. The module doesn't sufficiently check that disabled component values are not modified upon submission of the form. CVE identifiers issued CVE-2014-9022 Versions affected...
SA-CONTRIB-2014-098 - CKEditor - Cross Site Scripting (XSS)
The CKEditor module and its predecessor, the FCKeditor module, allow Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in the case of the FCKeditor module), a visual HTML editor, sometimes called a WYSIWYG editor. Both modules define a function, called via an ajax request, that filters text...
SA-CONTRIB-2014-093 - Twilio - Information Disclosure
This module enables you to easily add SMS and VOIP functionality to your website by leveraging the Twilio cloud Voip and SMS service. The module doesn't expose its own permissions for administration including viewing and editing the Twilio authentication tokens. It relies only on "access...