1940 matches found
SA-CONTRIB-2015-005 - WikiWiki - SQL injection
WikiWiki module gives you one place to create, share and find wiki pages in your site. The module did not sanitize user input inside a database query thereby leading to a SQL Injection vulnerability. CVE identifiers issued CVE-2015-3346 Versions affected WikiWiki 6.x-1.x versions prior to 6.x-1.2...
SA-CONTRIB-2014-114 - Tournament - Cross Site Scripting
This project allows you to create various types of tournaments as nodes and associated teams, tournaments, and matches. There are several cases in the project where an account username, node title, and team entity title are not correctly filtered before being displayed to a user. It is possible t...
SA-CONTRIB-2014-075 - Biblio Autocomplete - SQL injection and Access Bypass
This module provides functionality for AJAX based auto-completion of fields in the Biblio node type provided by the Biblio module using previously entered values and third party services. The submodule "Biblio self autocomplete" for previously entered values doesn't sufficiently sanitize user inp...
SA-CONTRIB-2014-008 - Tribune - Cross Site Scripting (XSS)
A tribune is a type of chatroom. The module doesn't sufficiently filter user provided text from Tribune node titles. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create a Tribune node. CVE identifiers issued CVE-2014-8075 Versions affected...
SA-CONTRIB-2013-094 - EU Cookie Compliance - Cross Site Scripting (XSS)
This module enables you to display notifications so that visitors can give their consent to setting cookies by your website. The module doesn't sufficiently fiter and validate configuration values entered by administrators. This vulnerability is mitigated by the fact that an attacker must have a...
SA-CONTRIB-2013-047 - Google Authenticator login - Access Bypass
This module will allow you to add Time-based One-time Password Algorithm also called "Two Step Authentication" or "Multi-Factor Authentication" support to user logins. It works with Google's Authenticator app system and support most if not all OATH based HOTP/TOTP systems. Accidental removal of...
SA-CONTRIB-2013-045 - Autocomplete Widgets for Text and Number Fields (autocomplete_widgets) - Access bypass
Autocomplete Widgets module adds autocomplete widgets for Text and Number fields. The autocomplete callback implemented by this module does not honor node permissions to access existing fields, allowing users to see field values even though they are not authorized to access that information. This...
SA-CONTRIB-2013-016 - Banckle Chat - Access bypass - Unsupported
This module enables you to chat with the visitors of your web site. The module doesn't sufficiently check access to its admin pages. This vulnerability is not mitigated. CVE identifiers issued CVE-2013-0318 Versions affected All Banckle Chat 7.x-1.x versions. Drupal core is not affected. If you d...
SA-CONTRIB-2013-014 - Drush Debian Packaging - Information Disclosure - Unsupported
This package is a tool to build debian packages from a Drupal instance. The module doesn't sufficiently protect database credentials. This vulnerability is mitigated by the fact that an attacker must have shell access to the server. CVE identifiers issued CVE-2013-0260 Versions affected All...
SA-CONTRIB-2013-009 - Keyboard Shortcut Utility - Access Bypass - module unsupported
The Keyboard Shortcut Utility module enables you to create keyboard shortcuts on your website. You can create a shortcut to go to a page internal or external or call a JavaScript function. The module doesn't sufficiently check node access to view nodes for users who have "view shortcuts"...
SA-CONTRIB-2013-001 - Search API - Cross Site Scripting
This module enables you to build searches using a wide range of features, data sources and backends. The module doesn't sufficiently sanitize user input when displaying errors in a view with certain backends, including the database backend. This enables attackers to create a Reflected Cross Site...
SA-CONTRIB-2012-171 - Webmail Plus - SQL injection - (unsupported)
The Webmail plus module is a full-featured email client for Drupal. It's designed to provide email for any or all members of a Drupal site. The module doesn't sufficiently sanitize user input as it is used in a database query. CVE: CVE-2012-5590 Versions affected All Webmail Plus module versions...
SA-CONTRIB-2012-100 - SimpleMeta - Cross Site Request Forgery (CSRF)
The Simple Meta module provides a method to set meta tags, such as page title, description and keywords for nodes, views and other pages. The module doesn't sufficiently confirm user intent when adding and deleting meta tag entries allowing a malicious user to trick a site admin into deleting...
SA-CONTRIB-2012-078 - Smart Breadcrumb - Cross Site Scripting (XSS)
CVE: CVE-2012-2705. The function filtertitles incorrectly attempts to set a title to plain-text, but does not properly filter user supplied text. This vulnerability is mitigated by the fact that an attacker must have the permission to create or edit a node to exploit the issue. Versions affected...
SA-CONTRIB-2012-067 - Linkit - Access bypass
CVE: CVE-2012-2304 Linkitprovides an easy interface for internal and external linking. Linkit links to nodes, users, managed files, terms and have basic support for all entities by default, using an autocomplete field. When searching for entities, no access restrictions were added and users may s...
SA-CONTRIB-2012-055 - Fusion theme - Cross Site Scripting (XSS)
CVE: CVE-2012-2083 Fusion is a base theme that provides a configurable grid system and modular styling for common Drupal UI components. The theme outputs a CSS class for the tag based on the current URL, but does not provide sufficient filtering to prevent a Cross site scripting XSS attack. This...
SA-CONTRIB-2012-038 - Views Language Switcher Cross Site Scripting (XSS)
CVE: CVE-2012-2064 The Views Language Switcher module enables you to provide natively-formatted links that act as Views exposed filters for i18n content being displayed by Views. The module doesn't sufficiently filter the path output when a user manually modifies the path and makes a new request...
SA-CONTRIB-2012-026 - ZipCart - Access bypass
CVE: CVE-2012-1650 ZipCart enables a site to provide users with Zip archives for downloads selected by the user. Versions of ZipCart prior to 6.x-1.4 checks an incorrect permission when building archives. This vulnerability is mitigated by the fact that archive file addition is only permitted if...
SA-CONTRIB-2012-024 - MediaFront - Cross Site Scripting
CVE: CVE-2012-1647 Within the MediaFront module, there is a PHP library for handling the stand alone application of the Open Standard Media player. Within this library, both the $SESSION and $SERVER variables are handled without proper checks to make sure that no malicious code is injected within...
SA-CONTRIB-2009-054 - Go - url redirects - Multiple vulnerabilities
The Go - url redirects gotwo module adds the option to add redirected URLs. This module was found to have multiple vulnerabilities. Arbitrary PHP code execution Due to improper use of the PCRE regular expression engine, users with permission to use the input filter provided by the module are able...
Drupal core - Multiple cross site scripting vulnerabilities
Some server variables are not escaped consistently. When a malicious user is able to entice a victim to visit a specially crafted link or webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website. Custom content type names...
DRUPAL-SA-2006-004 Mail header injection vulnerability
Linefeeds and carriage returns were not being stripped from email headers, raising the possibility of bogus headers being inserted into outgoing email. This could lead to Drupal sites being used to send unwanted email. Versions affected All Drupal versions before 4.6.6. Solution If you are runnin...
Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009
The JSON:API and REST modules allow you to upload image files to image fields. The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image. Certain web-server configurations may serve the...
SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031
This module enables you to perform SAML-protocol-based single-sign-on SSO on a Drupal site. The module doesn't sufficiently block access, leading to a authentication bypass vulnerability...
Paragraphs table - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-084
Project Paragraphs table provides a field for a collection table. The module doesn't sufficiently sanitise certain data attributes allowing Cross Site Scripting XSS attacks. This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing...
Simple Klaro - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-073
The "Simple Klaro" module adds the "Klaro! A Simple Consent Manager" to your website and allows you to configure it according to your needs in the Drupal backend. The module doesn't sufficiently sanitise data attributes allowing persistent Cross Site Scripting XSS attacks. This vulnerability is...
etracker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-074
The module adds the etracker web statistics tracking system to your website. The cookiesetracker submodule allows the inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users. A potential...
One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-063
This module enables you to allow users to include a second authentication method in addition to password authentication. The module doesn't sufficiently prevent the same TFA token within a 30 second window. This vulnerability is mitigated by the fact that an attacker must obtain a valid...
Drupal 8 Google Optimize Hide Page - Critical - Unsupported - SA-CONTRIB-2025-040
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Google Tag - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-011
This module enables you to integrate the site with the Google Tag Manager GTM application. The module doesn't have the "restrict access" flag on the "administer googletagcontainer" permission. A user with this permission can load a GTM container that completely changes the page or inserts malicio...
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003
Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized...
Node Access Rebuild Progressive - Less critical - Access bypass - SA-CONTRIB-2024-013
This module provides an alternative mean of rebuilding the Content Access table. The module doesn't sufficiently reset the state of content access when the module is uninstalled...
Group - Less critical - Access bypass - SA-CONTRIB-2023-054
The Group module has the ability to make content private to specific groups. When viewing a list of entities, e.g. nodes, a visitor should only see those entities that are either not attached to a group or that they have group access to. The module doesn't sufficiently enforce list access under t...
Mail Login - Critical - Access bypass - SA-CONTRIB-2023-045
This module enables users to log in by email address with minimal configurations. Drupal core contains protection against brute force attacks via a flood control mechanism. This module's functionality did not replicate the flood control, enabling brute force attacks...
TacJS - Moderately critical - Cross site scripting - SA-CONTRIB-2023-029
This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker needs additional permissions. The...
GDPR Alert - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-023
This module enables you to define configurable GDPR alert messages. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be...
AddToAny Share Buttons - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-019
This module provides social media share & follow buttons. The module doesn't sufficiently restrict AddToAny block settings to users who have permission to administer AddToAny. This allows users with lower permission to configure malicious code leading to a Cross Site Scripting XSS vulnerability...
Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059
This module enables you to build searches using a wide range of features, data sources and backends. The module doesn't in all cases correctly detect whether a given search is active on the current page, leading to potential information disclosure for some setups. This vulnerability is mitigated ...
Twig Field Value - Moderately critical - Access bypass - SA-CONTRIB-2022-058
This module enables themers to get partial data from field render arrays. It gives them more control over the output without drilling deep into the render array or using preprocess functions. The module doesn't sufficiently apply access restrictions when using the filters fieldlabel, fieldvalue,...
Admin Toolbar - Moderately critical - Cross Site Scripting, Access Bypass - SA-CONTRIB-2021-025
The Admin Toolbar admintoolbar module extends the default toolbar provided by Drupal Core with various features facilitating day-to-day editorial and administrative work. The Admin Toolbar Search sub-module of this module doesn't sanitize user input in certain cases, which leads to a...
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2021-005
The Drupal project uses the CKEditor, library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal. Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content even without...
Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008
SVG Image module allows to upload SVG files. The module did not sufficiently protect against malicious code inside SVG files leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file...
Bootstrap - Moderately critical - Cross site scripting - SA-CONTRIB-2018-074
This base theme bridges the gap between Drupal and the Bootstrap Framework. The theme doesn't sufficiently filter valid targets under the scenario of opening modals, popovers, and tooltips. This vulnerability is mitigated by the fact that an attacker must already have the ability to either:...
GatherContent - Moderately critical - Access bypass - SA-CONTRIB-2018-075
This module enables you to import and export data from the GatherContent service. The module didn't properly protect its administrative paths...
Bing Autosuggest API - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-058
This module enables you to use the Bing Autosuggest API. The module doesn't sufficiently sanitize a value used to populate an API request...
Menu Import and Export - Critical - Access bypass - SA-CONTRIB-2018-018
This module helps in exporting and importing Menu Items via the administrative interface. The module does not properly restrict access to administrative pages, allowing anonymous users to export and import menu links. There is no mitigation for this vulnerability...
Colorbox - Access bypass - Less Critical - SA-CONTRIB-2015-156
This module allows for integration of Colorbox, a jQuery lightbox plugin, into Drupal. The module allows unprivileged users to add unexpected content to a Colorbox, including content from external sites. This allows an unprivileged user to deface a site. This vulnerability is mitigated by the fac...
me aliases - Moderately Critical - Access Bypass - SA-CONTRIB-2015-128
'me aliases' module provides shortcut paths to current user's pages, eg user/me, blog/me, user/me/edit, tracker/me etc. The view user argument handler for the 'me' module has an access bypass vulnerability where it does not check the supplied argument against the current user. This allows any use...
Web Links - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-110
The Web Links module provides a comprehensive way to manage url links to other websites. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with permissio...
SA-CONTRIB-2015-077 - OG tabs - Cross Site Scripting (XSS)
OG Tabs modules provides a secondary menu with links to nodes of the same OG group. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission t...