11 matches found
Drupal Advanced Varnish module < 4.0.11 - Unauthenticated Broken Access Control vulnerability
Unauthenticated Broken Access Control vulnerability discovered by Heine Deelstra in WordPress Module Advanced Varnish versions 4.0.11...
Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-004
Users without "Administer comments" can set comment visibility on nodes they can edit. Less critical Users who have rights to edit a node, can set the visibility on comments for that node. This should be restricted to those who have the administer comments permission. Cross-site Scripting in http...
SA-CONTRIB-2013-064 - Persona - Cross site request forgery (CSRF)
This module enables users to sign into a Drupal website using Mozilla Persona. The module uses a security token to ensure that a sign-in request is made from a web page that is participating in the current session. It was possible for a security token that was not of type "string" to be accepted ...
SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure
Multiple vulnerabilities were discovered in Drupal core. Arbitrary PHP code execution A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PH...
SA-CONTRIB-2012-118 - Secure Login - Open Redirect
Secure Login module enables the user login and other forms to be submitted securely via HTTPS, thus preventing passwords and other private user data from being transmitted in clear text. In addition, Secure Login module by default redirects non-HTTPS GET requests for pages containing forms that i...
SA-CONTRIB-2012-105 - Hashcash - Cross Site Scripting (XSS)
The Hashcash project is an implementation of a Proof Of Work POW or Puzzle scheme where users of a service have to do computational work to have their request granted. In the case of the Drupal Hashcash project, the service is 'form submission' and the Proof Of Work is a token that causes a parti...
SA-CONTRIB-2012-040 - CKEditor and FCKeditor - multiple XSS, arbitrary code execution
CKEditor and its predecessor FCKeditor allow Drupal to replace textarea fields with the FCKEditor - a visual HTML WYSIWYG editor. The modules have an AJAX callback that filters text to prevent Cross site scripting attacks on content edits. This AJAX callback function contains a number of bugs whi...
SA-CONTRIB-2011-052 - Views SQL Injection
The Views module enables you to list content in your site in various ways. The module doesn't sufficiently escape database parameters for certain filters/arguments on certain types of views with specific configurations of arguments. Versions affected Views 6.x-2.x versions prior to 6.x-2.13 Drupa...
SA-CONTRIB-2009-069 - Shared Sign On - Cross Site Scripting
The Shared Sign On module enables users to log into one Drupal site and be automatically logged into multiple related Drupal sites. The module suffers multiple vulnerabilities, including Cross Site Request Forgeries CSRF and Session fixation problem Session Fixation. This problem allows an attack...
SA-2008-041 - Taxonomy autotagger - Multiple vulnerabilities
The Taxonomy Autotagger will automatically tag a post with terms from a vocabulary if the terms are found in the content of the post. The module does not properly use Drupal's database API and inserts values supplied by users directly into queries. This can be exploited by malicious users with th...
[DRUPAL-SA-2007-017] Drupal 5.2 fixes multiple CSRF vulnerabilities
---------------------------------------------------------------------------- Drupal security advisory DRUPAL-SA-2007-017 ---------------------------------------------------------------------------- Project: Drupal core Version: 5.x Date: 2007-July-26 Security risk: Moderately critical Exploitable...