188 matches found

UbuntuCve
added 2020/02/19 9:15 p.m. | 17 views

CVE-2020-7942

Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the default node, the catalog can be retrieved for a...

CVSS 6.5 | AI score 6.9 | EPSS 0.00113
Exploits: 0 | References: 2

UbuntuCve
added 2019/11/15 5:15 p.m. | 23 views

CVE-2011-2726

An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied...

CVSS 7.5 | AI score 6.9 | EPSS 0.00397
Exploits: 0 | References: 2

OSV
added 2019/05/15 5:7 p.m. | 2 views

DRUPAL-CONTRIB-2019-046

In certain circumstances it is possible that certain forum information is available to unprivileged users because the access check is done with node access instead of grants. This vulnerability is mitigated by the fact that the module itself does not disclose information but only if there are...

AI score 6.5
Exploits: 0 | References: 1

Tenable Nessus
added 2018/11/05 12:0 a.m. | 31 views

Drupal 8.x < 8.4.5 Multiple Vulnerabilities

According to its self-reported version number, the detected Drupal application is affected by multiple vulnerabilities : - A flaw exists with the Comment Reply Form. An authenticated remote attacker could add or view comments that they do not have access to. CVE-2017-6926 - A flaw exists with the...

CVSS 8.1 | AI score 8.1 | EPSS 0.0139
Exploits: 1 | References: 6

Tenable Nessus
added 2018/11/05 12:0 a.m. | 107 views

Drupal 7.x < 7.57 Multiple Vulnerabilities

According to its self-reported version number, the detected Drupal application is affected by multiple vulnerabilities : - A flaw exists with the Comment Reply Form. An authenticated remote attacker could add or view comments that they do not have access to. CVE-2017-6926 - A flaw exists with the...

CVSS 8.1 | AI score 8.1 | EPSS 0.0139
Exploits: 1 | References: 6

Tenable Nessus
added 2018/11/05 12:0 a.m. | 100 views

Drupal 8.5.x < 8.5.0-rc1 Multiple Vulnerabilities

According to its self-reported version number, the detected Drupal application is affected by multiple vulnerabilities : - A flaw exists with the Comment Reply Form. An authenticated remote attacker could add or view comments that they do not have access to. CVE-2017-6926 - A flaw exists with the...

CVSS 8.1 | AI score 8.1 | EPSS 0.0139
Exploits: 1 | References: 6

NVD
added 2018/03/01 11:29 p.m. | 18 views

CVE-2017-6930

In Drupal versions 8.4.x versions before 8.4.5 when using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node...

CVSS 8.1 | AI score 7.9 | EPSS 0.00424
Exploits: 0 | References: 1

CVE
added 2018/03/01 10:0 p.m. | 121 views

CVE-2017-6930

Summary (grounded): CVE-2017-6930 affects Drupal 8.4.x prior to 8.4.5 where, on multilingual sites using node access controls, the untranslated node is incorrectly treated as the default fallback for access queries. This can enable an access bypass. The issue is limited to sites that use the Cont...

CVSS 8.1 | AI score 7.7 | EPSS 0.00424
Exploits: 0 | References: 1 | Affected Software: 1

Tenable Nessus
added 2018/03/01 12:0 a.m. | 98 views

Drupal 8.x < 8.4.5 Multiple Vulnerabilities (SA-CORE-2018-001)

According to its self-reported version, the instance of Drupal running on the remote web server is 8.x prior to 8.4.5. It is, therefore, affected by multiple vulnerabilities : - A flaw exists with the Comment Reply Form. An authenticated remote attacker could add or view comments that they do not...

CVSS 8.1 | AI score 7.4 | EPSS 0.0139
Exploits: 1 | References: 6

Friends Of PHP
added 2018/02/20 9:35 p.m. | 15 views

Language fallback can be incorrect on multilingual sites with node access restrictions.

More info at https://www.drupal.org/SA-CORE-2018-001...

CVSS 8.1 | AI score 7.2 | EPSS 0.00424
Exploits: 0 | Affected Software: 1

Friends Of PHP
added 2018/02/20 9:35 p.m. | 23 views

Language fallback can be incorrect on multilingual sites with node access restrictions.

More info at https://www.drupal.org/SA-CORE-2018-001...

CVSS 8.1 | AI score 7.2 | EPSS 0.00424
Exploits: 0 | Affected Software: 1

Drupal
added 2017/12/06 12:0 a.m. | 14 views

Node feedback - Moderately critical - Access Bypass - SA-CONTRIB-2017-092

This module enables you to set nodes to send feedbacks by personal/site wide contact forms. The module doesn't sufficiently handle the access to nodes whose titles will be shown on contact forms. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Us...

AI score 6.4
Exploits: 0 | References: 7

RedHat Linux
added 2016/07/18 7:44 p.m. | 5 views

JGroups: Authorization bypass

It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information...

CVSS 9.8 | AI score 6.6 | EPSS 0.01131
Exploits: 0 | References: 4

Drupal
added 2016/06/08 12:0 a.m. | 11 views

REST JSON - Multiple Vulnerabilities - Highly Critical - Unsupported - SA-CONTRIB-2016-033

This module enables you to expose content, users and comments via a JSON API. The module contains multiple vulnerabilities including Node access bypass Comment access bypass User enumeration Field access bypass User registration bypass Blocked user login Session name guessing Session enumeration...

AI score 7.3
Exploits: 0 | References: 10

Drupal
added 2016/04/20 12:0 a.m. | 8 views

Search API - Moderately Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-022

This module enables you to build searches using a wide range of features, data sources and backends. Search index not updated by node access changes The module doesn't sufficiently re-index nodes when using the "Node access" or "Access check" data alterations and non-standard ways of changing nod...

AI score 6.1
Exploits: 0 | References: 10

Prion
added 2015/04/22 10:59 p.m. | 11 views

Design/Logic Flaw

The Certify module before 6.x-2.3 for Drupal does not properly perform node access checks, which allows remote authenticated users to bypass intended access restrictions and obtain sensitive PDF certificate information via vectors related to "showing and creating the PDF certificates."...

CVSS 4 | AI score 6.4 | EPSS 0.0012
Exploits: 0 | References: 5 | Affected Software: 1

CVE
added 2015/04/22 10:0 p.m. | 48 views

CVE-2015-3404

The vulnerability CVE-2015-3404 affects the Drupal Certify module (before 6.x-2.3). The module fails to perform proper node access checks when showing or creating PDF certificates, allowing remote authenticated users to bypass access restrictions and view sensitive PDF certificate information. Af...

CVSS 4 | AI score 6 | EPSS 0.0012
Exploits: 0 | References: 5 | Affected Software: 1

NVD
added 2015/04/21 6:59 p.m. | 9 views

CVE-2015-3386

Cross-site scripting (XSS) vulnerability in the Node Access Product module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a node title...

CVSS 3.5 | AI score 5.2 | EPSS 0.00209
Exploits: 0 | References: 3

Prion
added 2015/04/21 6:59 p.m. | 9 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in the Node Access Product module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a node title...

CVSS 3.5 | AI score 5.7 | EPSS 0.00209
Exploits: 0 | References: 3 | Affected Software: 1

Cvelist
added 2015/04/21 6:0 p.m. | 16 views

CVE-2015-3386

Cross-site scripting (XSS) vulnerability in the Node Access Product module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a node title...

AI score 5.2 | EPSS 0.00209
Exploits: 0 | References: 3