
12 matches found

Drupal | added 2016/09/21 12:0 a.m. | 641 views

Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-004

Users without "Administer comments" can set comment visibility on nodes they can edit (less critical): Users who have rights to edit a node can set the visibility on comments for that node. This should be restricted to those who have the administer comments permission. Cross-site Scripting in http...

CVSS 6.1 | AI score 5.1 | EPSS 0.01716
Exploits: 0 | References: 23
Drupal | added 2014/11/19 12:0 a.m. | 35 views

SA-CONTRIB-2014-113 - Secure Password Hashes - Denial of Service

This module enables a more secure password storage for Drupal 6 by back-porting the code used in Drupal 7 core. A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive...

CVSS 5 | AI score 6.3 | EPSS 0.82699
Exploits: 3 | References: 13
Drupal | added 2013/07/10 12:0 a.m. | 18 views

SA-CONTRIB-2013-057 - TinyBox - Cross Site Scripting (XSS)

TinyBox module uses TinyBox, a lightweight and standalone modal window script. The main purpose of this module is to provide Splash Screen/Window as simple as possible. The module doesn't filter user-supplied text prior to display. The vulnerability is mitigated by the fact that an attacker must...

CVSS 2.1 | AI score 6.3 | EPSS 0.01089
Exploits: 0 | References: 11
Drupal | added 2012/12/19 12:0 a.m. | 612 views

SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. Access bypass (User module search - Drupal 6 and 7): A vulnerability was identified that allows blocked users to appear in user search results, even when the search results are viewed by unprivileged users. This...

CVSS 6 | AI score 6.9 | EPSS 0.02746
Exploits: 1 | References: 27
Drupal | added 2012/10/17 12:0 a.m. | 665 views

SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure

Multiple vulnerabilities were discovered in Drupal core. Arbitrary PHP code execution: A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PH...

CVSS 6.8 | AI score 7 | EPSS 0.15812
Exploits: 4 | References: 18
Drupal | added 2012/08/01 12:0 a.m. | 11 views

SA-CONTRIB-2012-119 - Excluded Users - Cross Site Scripting (XSS)

Excluded Users is a helper module which allows administrators to select users to not appear in user listings. The module displays a list of user names and email addresses without sanitizing them. In the event that someone manages to insert malicious code into a user name or email address, this...

AI score 6.2
Exploits: 0 | References: 10
Drupal | added 2012/06/13 12:0 a.m. | 18 views

SA-CONTRIB-2012-098 - Janrain Capture - Open Redirect

This module allows for authentication through the cloud user-management platform Janrain Capture. Part of the module exposes an endpoint to re-synchronize user data between Drupal and Capture and allows for passing an optional parameter to redirect the user back to an original location. This...

CVSS 5.8 | AI score 6.8 | EPSS 0.02345
Exploits: 0 | References: 10
Drupal | added 2011/11/02 12:0 a.m. | 10 views

SA-CONTRIB-2011-052 - Views SQL Injection

The Views module enables you to list content in your site in various ways. The module doesn't sufficiently escape database parameters for certain filters/arguments on certain types of views with specific configurations of arguments. Versions affected: Views 6.x-2.x versions prior to 6.x-2.13 Drupa...

AI score 7.1
Exploits: 0 | References: 12
Drupal | added 2010/03/31 12:0 a.m. | 12 views

SA-CONTRIB-2010-032 - Taxonomy Breadcrumb - Cross Site Scripting (XSS)

The Taxonomy Breadcrumb module generates taxonomy-based breadcrumbs on node pages and taxonomy/term pages. This module does not properly sanitize taxonomy term names and, for 6.x, node titles when displayed in breadcrumbs, leading to a Cross Site Scripting (XSS) vulnerability. XSS vulnerabilities ma...

AI score 5.6
Exploits: 0 | References: 7
Drupal | added 2009/04/15 12:0 a.m. | 17 views

SA-CONTRIB-2009-020 - Print - Cross site scripting

The Printer, e-mail and PDF versions ("Print") module provides printer-friendly versions of content. The module does not correctly escape content titles, enabling malicious users to insert arbitrary HTML and scripts into certain pages. Such a cross site scripting (XSS) attack against sufficiently...

AI score 6
Exploits: 0 | References: 7
Drupal | added 2008/10/15 12:0 a.m. | 15 views

SA-2008-065 - Node Clone - Access bypass

The third-party Node Clone module enables users to make a copy of an existing item of content (a node), and then edit that copy. The module contains a flaw that allows a user with the 'clone node' permission to potentially bypass normal viewing access restrictions, for example allowing the user to...

AI score 7
Exploits: 0 | References: 6
Drupal | added 2008/07/09 12:0 a.m. | 12 views

SA-2008-045 - OpenID - Multiple vulnerabilities

The OpenID module for Drupal 5.x allows users to create an account or log into a Drupal site using one or more OpenID identities. Find out more about OpenID at http://openid.net. Two vulnerabilities and weaknesses were discovered in the contributed OpenID module. Cross site scripting: Some...

AI score 6.4
Exploits: 0 | References: 7