Custom Landing Page Builder - Unsupported - SA-CONTRIB-2017-050

The Custom Landing Page Builder module allows webmasters to build custom landing pages using a WYSIWYG editor while still having full control over the full layout of the page including the header, navigation, page content, footer, forms etc. The security team is marking this module unsupported...

Invoice - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2015-085

Invoice module allows you to create invoices in Drupal. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. Additionally, some URLs were not protected against CSRF. A malicious user can cause another user to create,...

SA-CONTRIB-2015-080 - Profile2 Privacy - Cross Site Scripting (XSS)

Profile2 Privacy module enables you to show or hide parts of a profile2 entity based on pre-configured field sets with a title and description. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is...

SA-CONTRIB-2015-036 - Public Download Count - Cross Site Scripting (XSS) - Unsupported

Public Download Count module keeps track of file download counts. The module doesn't sufficiently sanitize user supplied text in the Download counts report page thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role wit...

SA-CONTRIB-2014-114 - Tournament - Cross Site Scripting

This project allows you to create various types of tournaments as nodes and associated teams, tournaments, and matches. There are several cases in the project where an account username, node title, and team entity title are not correctly filtered before being displayed to a user. It is possible t...

SA-CONTRIB-2014-112 - Node Field - Cross Site Scripting (XSS)

Node Field module allows you to add custom extra fields to single Drupal nodes. The module doesn't sufficiently sanitize user input for some of the module's internal fields. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create nodes. CVE...

SA-CONTRIB-2014-098 - CKEditor - Cross Site Scripting (XSS)

The CKEditor module and its predecessor, FCKeditor module allows Drupal to replace textarea fields with CKEditor 3.x/4.x FCKeditor 2.x in case of FCKeditor module - a visual HTML editor, sometimes called WYSIWYG editor. Both modules define a function, called via an ajax request, that filters text...

SA-CONTRIB-2014-094 - Webform Patched - Cross Site Scripting (XSS)

The Webform Patched module is a fork of the Webform module with Token support added. The module enables you to create forms which can be used for surveys, contact forms or other data collection throughout your site. The module doesn't sufficiently sanitize field label titles when two fields have...

SA-CONTRIB-2014-080 - Social Stats - Cross Site Scripting (XSS)

The Social Stats module enables you to collect statistics from various social networks and use that data with the Views module as field data, sort criteria, or filter criteria. The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting in a persisten...

SA-CONTRIB-2014-003 - Doubleclick for Publishers DFP - Cross Site Scripting (XSS)

This module enables you to create blocks to place advertisements from the Google Double Click for Publishers API DFP. The module doesn't sufficiently sanitize the slot names prior to output into HTML. This vulnerability is mitigated by the fact that an attacker must have a role with the permissio...