Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
•added 2014/01/29 12:0 a.m.•22 views

SA-CONTRIB-2014-008 - Tribune - Cross Site Scripting (XSS)

A tribune is a type of chatroom. The module doesn't sufficiently filter user provided text from Tribune node titles. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create a Tribune node. CVE identifiers issued CVE-2014-8075 Versions affected...

3.5CVSS6.3AI score0.00946EPSS
Exploits0References9
Drupal
Drupal
•added 2013/11/20 12:0 a.m.•22 views

SA-CONTRIB-2013-094 - EU Cookie Compliance - Cross Site Scripting (XSS)

This module enables you to display notifications so that visitors can give their consent to setting cookies by your website. The module doesn't sufficiently fiter and validate configuration values entered by administrators. This vulnerability is mitigated by the fact that an attacker must have a...

2.1CVSS6.3AI score0.00941EPSS
Exploits0References11
Drupal
Drupal
•added 2013/11/13 12:0 a.m.•22 views

SA-CONTRIB-2013-091 - Groups, Communities and Co (GCC) - Access Bypass

This module enables you to manage groups and assign content and users to groups. The module doesn't sufficiently check permissions to some of the configuration pages allowing unprivileged users to access the roles and permissions pages of the GCC module. CVE identifiers issued CVE-2013-4598...

5CVSS6.4AI score0.01888EPSS
Exploits0References10
Drupal
Drupal
•added 2013/05/15 12:0 a.m.•22 views

SA-CONTRIB-2013-047 - Google Authenticator login - Access Bypass

This module will allow you to add Time-based One-time Password Algorithm also called "Two Step Authentication" or "Multi-Factor Authentication" support to user logins. It works with Google's Authenticator app system and support most if not all OATH based HOTP/TOTP systems. Accidental removal of...

6.5AI score
Exploits0References10
Drupal
Drupal
•added 2013/04/17 12:0 a.m.•22 views

SA-CONTRIB-2013-045 - Autocomplete Widgets for Text and Number Fields (autocomplete_widgets) - Access bypass

Autocomplete Widgets module adds autocomplete widgets for Text and Number fields. The autocomplete callback implemented by this module does not honor node permissions to access existing fields, allowing users to see field values even though they are not authorized to access that information. This...

4CVSS6.3AI score0.01094EPSS
Exploits0References16
Drupal
Drupal
•added 2013/02/13 12:0 a.m.•22 views

SA-CONTRIB-2013-016 - Banckle Chat - Access bypass - Unsupported

This module enables you to chat with the visitors of your web site. The module doesn't sufficiently check access to its admin pages. This vulnerability is not mitigated. CVE identifiers issued CVE-2013-0318 Versions affected All Banckle Chat 7.x-1.x versions. Drupal core is not affected. If you d...

10CVSS6.4AI score0.02043EPSS
Exploits0References8
Drupal
Drupal
•added 2013/01/30 12:0 a.m.•22 views

SA-CONTRIB-2013-014 - Drush Debian Packaging - Information Disclosure - Unsupported

This package is a tool to build debian packages from a Drupal instance. The module doesn't sufficiently protect database credentials. This vulnerability is mitigated by the fact that an attacker must have shell access to the server. CVE identifiers issued CVE-2013-0260 Versions affected All...

2.1CVSS6.4AI score0.00312EPSS
Exploits0References8
Drupal
Drupal
•added 2013/01/23 12:0 a.m.•22 views

SA-CONTRIB-2013-009 - Keyboard Shortcut Utility - Access Bypass - module unsupported

The Keyboard Shortcut Utility module enables you to create keyboard shortcuts on your website. You can create a shortcut to go to a page internal or external or call a JavaScript function. The module doesn't sufficiently check node access to view nodes for users who have "view shortcuts"...

6CVSS6.3AI score0.00945EPSS
Exploits0References9
Drupal
Drupal
•added 2013/01/09 12:0 a.m.•22 views

SA-CONTRIB-2013-001 - Search API - Cross Site Scripting

This module enables you to build searches using a wide range of features, data sources and backends. The module doesn't sufficiently sanitize user input when displaying errors in a view with certain backends, including the database backend. This enables attackers to create a Reflected Cross Site...

2.6CVSS5.5AI score0.0135EPSS
Exploits0References11
Drupal
Drupal
•added 2012/11/28 12:0 a.m.•22 views

SA-CONTRIB-2012-171 - Webmail Plus - SQL injection - (unsupported)

The Webmail plus module is a full-featured email client for Drupal. It's designed to provide email for any or all members of a Drupal site. The module doesn't sufficiently sanitize user input as it is used in a database query. CVE: CVE-2012-5590 Versions affected All Webmail Plus module versions...

7.5CVSS6.5AI score0.0121EPSS
Exploits0References8
Drupal
Drupal
•added 2012/06/13 12:0 a.m.•22 views

SA-CONTRIB-2012-100 - SimpleMeta - Cross Site Request Forgery (CSRF)

The Simple Meta module provides a method to set meta tags, such as page title, description and keywords for nodes, views and other pages. The module doesn't sufficiently confirm user intent when adding and deleting meta tag entries allowing a malicious user to trick a site admin into deleting...

6.8CVSS6.3AI score0.00993EPSS
Exploits0References10
Drupal
Drupal
•added 2012/05/16 12:0 a.m.•22 views

SA-CONTRIB-2012-078 - Smart Breadcrumb - Cross Site Scripting (XSS)

CVE: CVE-2012-2705. The function filtertitles incorrectly attempts to set a title to plain-text, but does not properly filter user supplied text. This vulnerability is mitigated by the fact that an attacker must have the permission to create or edit a node to exploit the issue. Versions affected...

2.1CVSS6.3AI score0.01607EPSS
Exploits0References11
Drupal
Drupal
•added 2012/04/25 12:0 a.m.•22 views

SA-CONTRIB-2012-067 - Linkit - Access bypass

CVE: CVE-2012-2304 Linkitprovides an easy interface for internal and external linking. Linkit links to nodes, users, managed files, terms and have basic support for all entities by default, using an autocomplete field. When searching for entities, no access restrictions were added and users may s...

4.3CVSS6.3AI score0.02097EPSS
Exploits0References10
Drupal
Drupal
•added 2012/03/28 12:0 a.m.•22 views

SA-CONTRIB-2012-055 - Fusion theme - Cross Site Scripting (XSS)

CVE: CVE-2012-2083 Fusion is a base theme that provides a configurable grid system and modular styling for common Drupal UI components. The theme outputs a CSS class for the tag based on the current URL, but does not provide sufficient filtering to prevent a Cross site scripting XSS attack. This...

4.3CVSS5.7AI score0.01325EPSS
Exploits0References18
Drupal
Drupal
•added 2012/03/14 12:0 a.m.•22 views

SA-CONTRIB-2012-038 - Views Language Switcher Cross Site Scripting (XSS)

CVE: CVE-2012-2064 The Views Language Switcher module enables you to provide natively-formatted links that act as Views exposed filters for i18n content being displayed by Views. The module doesn't sufficiently filter the path output when a user manually modifies the path and makes a new request...

4.3CVSS6.4AI score0.01951EPSS
Exploits0References9
Drupal
Drupal
•added 2012/02/29 12:0 a.m.•22 views

SA-CONTRIB-2012-026 - ZipCart - Access bypass

CVE: CVE-2012-1650 ZipCart enables a site to provide users with Zip archives for downloads selected by the user. Versions of ZipCart prior to 6.x-1.4 checks an incorrect permission when building archives. This vulnerability is mitigated by the fact that archive file addition is only permitted if...

6CVSS6.2AI score0.01203EPSS
Exploits0References10
Drupal
Drupal
•added 2012/02/29 12:0 a.m.•22 views

SA-CONTRIB-2012-024 - MediaFront - Cross Site Scripting

CVE: CVE-2012-1647 Within the MediaFront module, there is a PHP library for handling the stand alone application of the Open Standard Media player. Within this library, both the $SESSION and $SERVER variables are handled without proper checks to make sure that no malicious code is injected within...

4.3CVSS6.7AI score0.01685EPSS
Exploits1References11
Drupal
Drupal
•added 2009/08/26 12:0 a.m.•22 views

SA-CONTRIB-2009-054 - Go - url redirects - Multiple vulnerabilities

The Go - url redirects gotwo module adds the option to add redirected URLs. This module was found to have multiple vulnerabilities. Arbitrary PHP code execution Due to improper use of the PCRE regular expression engine, users with permission to use the input filter provided by the module are able...

6.5AI score
Exploits0References7
Drupal
Drupal
•added 2007/07/26 12:0 a.m.•22 views

Drupal core - Multiple cross site scripting vulnerabilities

Some server variables are not escaped consistently. When a malicious user is able to entice a victim to visit a specially crafted link or webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website. Custom content type names...

6.6AI score
Exploits0References6
Drupal
Drupal
•added 2006/03/13 12:0 a.m.•22 views

DRUPAL-SA-2006-004 Mail header injection vulnerability

Linefeeds and carriage returns were not being stripped from email headers, raising the possibility of bogus headers being inserted into outgoing email. This could lead to Drupal sites being used to send unwanted email. Versions affected All Drupal versions before 4.6.6. Solution If you are runnin...

7.1AI score
Exploits0References3
Drupal
Drupal
•added 2026/06/17 12:0 a.m.•21 views

Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009

The JSON:API and REST modules allow you to upload image files to image fields. The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image. Certain web-server configurations may serve the...

4.8AI score0.0015EPSS
Exploits0References7
Drupal
Drupal
•added 2026/04/01 12:0 a.m.•21 views

SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031

This module enables you to perform SAML-protocol-based single-sign-on SSO on a Drupal site. The module doesn't sufficiently block access, leading to a authentication bypass vulnerability...

7.4CVSS5.9AI score0.00257EPSS
Exploits0References2
Drupal
Drupal
•added 2025/06/25 12:0 a.m.•21 views

Paragraphs table - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-084

Project Paragraphs table provides a field for a collection table. The module doesn't sufficiently sanitise certain data attributes allowing Cross Site Scripting XSS attacks. This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing...

5.4CVSS5.4AI score0.00186EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/28 12:0 a.m.•21 views

Simple Klaro - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-073

The "Simple Klaro" module adds the "Klaro! A Simple Consent Manager" to your website and allows you to configure it according to your needs in the Drupal backend. The module doesn't sufficiently sanitise data attributes allowing persistent Cross Site Scripting XSS attacks. This vulnerability is...

5CVSS5.7AI score0.00187EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/28 12:0 a.m.•21 views

etracker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-074

The module adds the etracker web statistics tracking system to your website. The cookiesetracker submodule allows the inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users. A potential...

7.3CVSS6.6AI score0.00234EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/14 12:0 a.m.•21 views

One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-063

This module enables you to allow users to include a second authentication method in addition to password authentication. The module doesn't sufficiently prevent the same TFA token within a 30 second window. This vulnerability is mitigated by the fact that an attacker must obtain a valid...

4.8CVSS7AI score0.00217EPSS
Exploits0References2
Drupal
Drupal
•added 2025/04/16 12:0 a.m.•21 views

Drupal 8 Google Optimize Hide Page - Critical - Unsupported - SA-CONTRIB-2025-040

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.9CVSS6.9AI score0.00282EPSS
Exploits0References2
Drupal
Drupal
•added 2025/01/29 12:0 a.m.•21 views

Google Tag - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-011

This module enables you to integrate the site with the Google Tag Manager GTM application. The module doesn't have the "restrict access" flag on the "administer googletagcontainer" permission. A user with this permission can load a GTM container that completely changes the page or inserts malicio...

4.8CVSS6.2AI score0.00218EPSS
Exploits0References8
Drupal
Drupal
•added 2024/11/20 12:0 a.m.•21 views

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003

Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized...

5.4CVSS6.6AI score0.00327EPSS
Exploits0References14
Drupal
Drupal
•added 2024/02/28 12:0 a.m.•22 views

Node Access Rebuild Progressive - Less critical - Access bypass - SA-CONTRIB-2024-013

This module provides an alternative mean of rebuilding the Content Access table. The module doesn't sufficiently reset the state of content access when the module is uninstalled...

5.4CVSS7.1AI score0.00211EPSS
Exploits0References6
Drupal
Drupal
•added 2023/12/06 12:0 a.m.•21 views

Group - Less critical - Access bypass - SA-CONTRIB-2023-054

The Group module has the ability to make content private to specific groups. When viewing a list of entities, e.g. nodes, a visitor should only see those entities that are either not attached to a group or that they have group access to. The module doesn't sufficiently enforce list access under t...

7AI score
Exploits0References10
Drupal
Drupal
•added 2023/09/13 12:0 a.m.•21 views

Mail Login - Critical - Access bypass - SA-CONTRIB-2023-045

This module enables users to log in by email address with minimal configurations. Drupal core contains protection against brute force attacks via a flood control mechanism. This module's functionality did not replicate the flood control, enabling brute force attacks...

6.7AI score
Exploits0References6
Drupal
Drupal
•added 2023/06/28 12:0 a.m.•21 views

TacJS - Moderately critical - Cross site scripting - SA-CONTRIB-2023-029

This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker needs additional permissions. The...

6AI score
Exploits0References8
Drupal
Drupal
•added 2023/06/28 12:0 a.m.•21 views

GDPR Alert - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-023

This module enables you to define configurable GDPR alert messages. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be...

6AI score
Exploits0References6
Drupal
Drupal
•added 2022/10/19 12:0 a.m.•21 views

Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059

This module enables you to build searches using a wide range of features, data sources and backends. The module doesn't in all cases correctly detect whether a given search is active on the current page, leading to potential information disclosure for some setups. This vulnerability is mitigated ...

6AI score
Exploits0References8
Drupal
Drupal
•added 2022/10/12 12:0 a.m.•21 views

Twig Field Value - Moderately critical - Access bypass - SA-CONTRIB-2022-058

This module enables themers to get partial data from field render arrays. It gives them more control over the output without drilling deep into the render array or using preprocess functions. The module doesn't sufficiently apply access restrictions when using the filters fieldlabel, fieldvalue,...

6.5AI score
Exploits0References6
Drupal
Drupal
•added 2021/08/25 12:0 a.m.•21 views

Admin Toolbar - Moderately critical - Cross Site Scripting, Access Bypass - SA-CONTRIB-2021-025

The Admin Toolbar admintoolbar module extends the default toolbar provided by Drupal Core with various features facilitating day-to-day editorial and administrative work. The Admin Toolbar Search sub-module of this module doesn't sanitize user input in certain cases, which leads to a...

5.9AI score
Exploits0References6
Drupal
Drupal
•added 2021/08/12 12:0 a.m.•21 views

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2021-005

The Drupal project uses the CKEditor, library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal. Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content even without...

6AI score
Exploits0References13
Drupal
Drupal
•added 2020/03/25 12:0 a.m.•21 views

Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008

SVG Image module allows to upload SVG files. The module did not sufficiently protect against malicious code inside SVG files leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file...

6.5AI score
Exploits0References7
Drupal
Drupal
•added 2018/11/28 12:0 a.m.•21 views

Bootstrap - Moderately critical - Cross site scripting - SA-CONTRIB-2018-074

This base theme bridges the gap between Drupal and the Bootstrap Framework. The theme doesn't sufficiently filter valid targets under the scenario of opening modals, popovers, and tooltips. This vulnerability is mitigated by the fact that an attacker must already have the ability to either:...

5.9AI score
Exploits0References12
Drupal
Drupal
•added 2018/11/28 12:0 a.m.•21 views

GatherContent - Moderately critical - Access bypass - SA-CONTRIB-2018-075

This module enables you to import and export data from the GatherContent service. The module didn't properly protect its administrative paths...

6.7AI score
Exploits0References7
Drupal
Drupal
•added 2018/08/29 12:0 a.m.•21 views

Bing Autosuggest API - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-058

This module enables you to use the Bing Autosuggest API. The module doesn't sufficiently sanitize a value used to populate an API request...

6.6AI score
Exploits0References5
Drupal
Drupal
•added 2018/04/18 12:0 a.m.•21 views

Menu Import and Export - Critical - Access bypass - SA-CONTRIB-2018-018

This module helps in exporting and importing Menu Items via the administrative interface. The module does not properly restrict access to administrative pages, allowing anonymous users to export and import menu links. There is no mitigation for this vulnerability...

6.6AI score
Exploits0References6
Drupal
Drupal
•added 2015/10/07 12:0 a.m.•21 views

Colorbox - Access bypass - Less Critical - SA-CONTRIB-2015-156

This module allows for integration of Colorbox, a jQuery lightbox plugin, into Drupal. The module allows unprivileged users to add unexpected content to a Colorbox, including content from external sites. This allows an unprivileged user to deface a site. This vulnerability is mitigated by the fac...

3.5CVSS6.2AI score0.00866EPSS
Exploits0References10
Drupal
Drupal
•added 2015/06/24 12:0 a.m.•21 views

me aliases - Moderately Critical - Access Bypass - SA-CONTRIB-2015-128

'me aliases' module provides shortcut paths to current user's pages, eg user/me, blog/me, user/me/edit, tracker/me etc. The view user argument handler for the 'me' module has an access bypass vulnerability where it does not check the supplied argument against the current user. This allows any use...

5CVSS6.3AI score0.02153EPSS
Exploits0References10
Drupal
Drupal
•added 2015/05/20 12:0 a.m.•21 views

Web Links - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-110

The Web Links module provides a comprehensive way to manage url links to other websites. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with permissio...

3.5CVSS6AI score0.00965EPSS
Exploits0References13
Drupal
Drupal
•added 2015/04/22 12:0 a.m.•21 views

HybridAuth Social Login - Less Critical - Information Disclosure - SA-CONTRIB-2015-097

HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter. The module may store user passwords in plain text. This vulnerability is mitigated by the fact that the option "Ask user for...

3.5CVSS6.3AI score0.00981EPSS
Exploits0References11
Drupal
Drupal
•added 2015/03/11 12:0 a.m.•21 views

SA-CONTRIB-2015-077 - OG tabs - Cross Site Scripting (XSS)

OG Tabs modules provides a secondary menu with links to nodes of the same OG group. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission t...

3.5CVSS6AI score0.00965EPSS
Exploits0References12
Drupal
Drupal
•added 2015/03/04 12:0 a.m.•21 views

SA-CONTRIB-2015-068 - Campaign Monitor - Cross Site Request Forgery (CSRF)

Campaign Monitor module integrates the Campaign Monitor API into Drupal. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause another user to enable and disable list subscriptions by getting their browser to make a request to a specially-crafted URL. CVE...

6.8CVSS6.3AI score0.00656EPSS
Exploits0References10
Drupal
Drupal
•added 2015/02/11 12:0 a.m.•21 views

SA-CONTRIB-2015-041 - Feature Set - Cross Site Request Forgery (CSRF)

Feature Set module enables you to enable or disable sets of features or modules. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to enable and disable modules by getting the administrator's browser to make a request to a specially-crafte...

5.8CVSS6.3AI score0.00649EPSS
Exploits0References10
Total number of security vulnerabilities1940