Services - Critical - SQL Injection - SA-CONTRIB-2017-054
This module provides a standardized solution for building APIs so that external clients can communicate with Drupal. The module does not sufficiently sanitize column names supplied by the client when a client queries for data and asks for it to be sorted, so the column name reaches the ORDER BY clause unvalidated. This vulnerability is mitigated by the fact tha...
SA-CONTRIB-2009-079 - vCard - Cross Site Scripting
The vCard module adds a vCard download link to every user's profile. This link makes it easy to add users from a Drupal site to a local address book. When the theme_vcard function is added to a theme and default content from the vCard module is output without escaping, the site is vulnerable to Cross Site...
SA-CONTRIB-2009-044 - Bubbletimer - Multiple vulnerabilities
Bubbletimer allows users to create timesheets based on nodes. It suffers from a cross-site scripting (XSS) vulnerability because node titles are not sanitized before they are displayed. It is also vulnerable to cross-site request forgery (CSRF), making it possible for users to unknowingly add...
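Both the vCard and Bubbletimer advisories come down to the same defect: user-controlled text (a profile field, a node title) is written into HTML without escaping. The following is an added example, not code from either module, showing a node title rendered with and without output escaping. Drupal's check_plain() is htmlspecialchars() with ENT_QUOTES and UTF-8; the standalone function below does the same so the script runs without Drupal, and the title string and function names are constructed for the example.

```php
<?php
// Added example (not code from the vCard or Bubbletimer modules): rendering a
// user-controlled node title with and without output escaping.
// Drupal's check_plain() is htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
// render_title_safe() below does the same so this runs without Drupal.

// Constructed sample: a node title a malicious author could save.
$title = '<img src=x onerror="alert(document.cookie)">Weekly timesheet';

// Vulnerable: the stored title is concatenated straight into the markup,
// so any tag or attribute in it becomes part of the page.
function render_title_vulnerable(string $title): string {
    return '<h2 class="node-title">' . $title . '</h2>';
}

// Hardened: escape at output time, for the HTML text context the value lands in.
// ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE keeps invalid UTF-8
// from making htmlspecialchars() return an empty string.
function render_title_safe(string $title): string {
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2 class="node-title">' . $safe . '</h2>';
}

// Crude check, only to make the difference visible: does the rendered markup
// still contain an unescaped tag that came from the title?
function contains_raw_tag(string $html, string $tag): bool {
    return stripos($html, '<' . $tag) !== false;
}

echo render_title_vulnerable($title), "\n";
echo render_title_safe($title), "\n";
var_dump(contains_raw_tag(render_title_vulnerable($title), 'img'));
var_dump(contains_raw_tag(render_title_safe($title), 'img'));
```

The escaping belongs at the point of output, not at save time: a title escaped on save is still unsafe in an attribute or JavaScript context, and a title escaped on output is correct wherever the raw value is later reused (RSS, e-mail, the vCard file itself).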
SA-CONTRIB-2009-025 - Fivestar - Cross-site request forgery
The Fivestar module provides a voting widget for content and records votes using Ajax. The URL used by the JavaScript to register votes is vulnerable to cross-site request forgery (CSRF), making it possible for users to unknowingly vote for content. Versions affected Fivestar 5.x-1.x prior to...
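The Fivestar fix is the usual one for a state-changing Ajax URL: tie the request to the voter's session with a token the attacker's page cannot obtain. The following is an added example, not Fivestar's own code. Drupal's drupal_get_token($value) is an HMAC over the session ID and $value keyed with the site's private key, and drupal_valid_token() compares it; the standalone functions below mirror that with hash_hmac() and hash_equals(), and the key, session ID, URL layout and function names are constructed for the example.

```php
<?php
// Added example (not Fivestar's code): a Drupal-style per-session token on the
// URL that records a vote. Stands in for drupal_get_token()/drupal_valid_token().

// Constructed secret and session, in place of the site's private key and session_id().
const SITE_PRIVATE_KEY = 'constructed-private-key-for-the-example';
$session_id = 'sess-1234';

// Token bound to this session and this node: an attacker's page does not know
// the victim's session ID or the site key, so it cannot compute it.
function vote_token(string $session_id, string $nid): string {
    return hash_hmac('sha256', $session_id . ':' . $nid, SITE_PRIVATE_KEY);
}

// Vulnerable: any page that can make the victim's browser fetch this URL
// (an <img src=...>, a hidden form) casts a vote with the victim's cookies.
function build_vote_url_vulnerable(string $nid, int $value): string {
    return "/fivestar/vote/$nid/$value";
}

// Hardened: the URL the widget's JavaScript calls carries the session token.
function build_vote_url_safe(string $session_id, string $nid, int $value): string {
    return "/fivestar/vote/$nid/$value?token=" . vote_token($session_id, $nid);
}

// Server side: record the vote only if the token matches this session and node.
// hash_equals() keeps the comparison constant-time.
function accept_vote(string $session_id, string $nid, ?string $token): bool {
    if ($token === null) {
        return false;
    }
    return hash_equals(vote_token($session_id, $nid), $token);
}

$url = build_vote_url_safe($session_id, '42', 5);
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
var_dump(accept_vote($session_id, '42', $q['token'] ?? null));      // legitimate request from the widget
var_dump(accept_vote($session_id, '42', null));                     // forged request, no token
var_dump(accept_vote('attacker-sess', '42', $q['token'] ?? null));  // token replayed from another session
```

The token is only as good as its secrecy: it must be emitted into the page for the logged-in user and never into cacheable anonymous markup, and the endpoint should additionally require POST so that a plain image or link cannot trigger it at all.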
SA-2008-041 - Taxonomy autotagger - Multiple vulnerabilities
The Taxonomy Autotagger module automatically tags a post with terms from a vocabulary if the terms are found in the content of the post. The module does not properly use Drupal's database API and inserts user-supplied values directly into queries instead of passing them as placeholders. This can be exploited by malicious users with th...
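The Services and Taxonomy Autotagger advisories are the two faces of SQL injection: a value interpolated into a query where a placeholder belongs (Autotagger), and a client-chosen identifier in ORDER BY where no placeholder can help and only an allow-list works (Services). The following is an added example, not code from either module, written against plain PDO with an in-memory SQLite table so it runs without Drupal. In Drupal the corresponding fixes are db_query() placeholders and db_select()->orderBy(), which validates the field name; the table, data, attacker strings and function names here are constructed for the example.

```php
<?php
// Added example (not the Services or Taxonomy Autotagger code): the two SQL
// injection patterns from the advisories and their fixes, in plain PDO with an
// in-memory SQLite table. The schema and rows are constructed for the example.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT, created INTEGER)');
$db->exec("INSERT INTO node VALUES (1, 'Alpha', 100), (2, 'Beta', 300), (3, 'Gamma', 200)");

// Pattern 1 (Taxonomy Autotagger): user text interpolated into the query.
// A tautology in $term widens the WHERE clause to the whole table.
function find_by_title_vulnerable(PDO $db, string $term): array {
    return $db->query("SELECT nid FROM node WHERE title = '$term'")->fetchAll(PDO::FETCH_COLUMN);
}

// Fix: a bound parameter, the value never becomes SQL text.
// Drupal 7 equivalent: db_query('... WHERE title = :term', array(':term' => $term)).
function find_by_title_safe(PDO $db, string $term): array {
    $stmt = $db->prepare('SELECT nid FROM node WHERE title = :term');
    $stmt->execute([':term' => $term]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Pattern 2 (Services): a client-chosen sort column. Placeholders cannot bind
// identifiers, so any expression the client sends runs in ORDER BY; the
// constructed $sort_attack below changes the row order depending on a
// subquery's result, the building block of blind injection.
function sorted_nids_vulnerable(PDO $db, string $sort): array {
    return $db->query("SELECT nid FROM node ORDER BY $sort")->fetchAll(PDO::FETCH_COLUMN);
}

// Fix: accept only a known column name and a known direction.
// Drupal 7 equivalent: db_select('node')->orderBy($sort, $dir), which also
// rejects field names that are not plain identifiers.
function sorted_nids_safe(PDO $db, string $sort, string $dir = 'ASC'): array {
    $allowed = ['nid', 'title', 'created'];
    if (!in_array($sort, $allowed, true)) {
        throw new InvalidArgumentException("Unknown sort column: $sort");
    }
    $dir = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    return $db->query("SELECT nid FROM node ORDER BY $sort $dir")->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input for each pattern.
$term_attack = "x' OR '1'='1";
$sort_attack = "(CASE WHEN (SELECT count(*) FROM sqlite_master) > 0 THEN created ELSE nid END)";

print_r(find_by_title_vulnerable($db, $term_attack));
print_r(find_by_title_safe($db, $term_attack));
print_r(sorted_nids_vulnerable($db, $sort_attack));
try {
    sorted_nids_safe($db, $sort_attack);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
print_r(sorted_nids_safe($db, 'created', 'desc'));
```

The allow-list is the point of the Services fix: escaping or quoting a column name does not help, because a quoted identifier that does not exist is still an error the attacker can observe, and an unquoted one is executed as SQL. The only safe sort parameter is one the server maps onto a column it chose itself.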