SA-CONTRIB-2013-010 - Search API sorts - Cross Site Scripting (XSS)
This module enables you to sort by Search API facets. The module doesn't sufficiently filter user entered text in field labels. This vulnerability is mitigated by the fact that an attacker must have a role with the ability to modify field labels such as "administer taxonomy". CVE identifiers issu...
SA-CONTRIB-2012-171 - Webmail Plus - SQL injection - (unsupported)
The Webmail plus module is a full-featured email client for Drupal. It's designed to provide email for any or all members of a Drupal site. The module doesn't sufficiently sanitize user input as it is used in a database query. CVE: CVE-2012-5590 Versions affected All Webmail Plus module versions...
SA-CONTRIB-2012-163 - User Read-Only - Permission escalation
User Read-only is a module that allows an administrator to prevent modification of user account/profile fields. The administrator can select which fields will allow or disallow editing. The module can mistakenly assign roles when performing unrelated operations against a user's account such as...
SA-CONTRIB-2012-160 - OM Maximenu - Cross Site Scripting (XSS)
This module enables you to create custom menus with effects and integrate module blocks as its menu item content. The module doesn't sufficiently state the risk of giving permission to create OM Maximenus. This vulnerability is mitigated by the fact that an attacker must have a role with the...
SA-CONTRIB-2012-154 - Basic webmail - Multiple vulnerabilities
This module allows site users to read and write e-mail through an IMAP mail server. There are four issues being addressed by this security advisory: The module doesn't sufficiently sanitize data when setting page title. The module may store Drupal login IDs and passwords in plain text in the data...
SA-CONTRIB-2012-097 - Protest - Cross Site Scripting (XSS)
Protest allows websites to display a complete page blackout website protest. The module contains a cross site scripting (XSS) vulnerability as it fails to sanitize user input before display. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administe...
SA-CONTRIB-2012-083 - Taxonomy List - Cross Site Scripting (XSS)
CVE: CVE-2012-2711 This module enables you to display the terms and optionally nodes under categories. The module doesn't sufficiently sanitize user supplied text in the taxonomy information. This vulnerability is mitigated by the fact that an attacker must have a role with permissions to create ...
SA-CONTRIB-2012-031 - Multiple Modules Unsupported - UC PayDutchGroup - Information leakage and Multisite Search sql injection
CVE: CVE-2012-1655 UC PayDutchGroup / WeDeal payment integrates the PayDutchGroup / WeDeal payment gateway with Ubercart. The module exposes account credentials for the store's PayDutchGroup account under certain circumstances allowing a malicious user to login to the PayDutchGroup site as the...
SA-CONTRIB-2012-023 - FAQ - Cross Site Scripting
CVE: CVE-2012-1646 The Frequently Asked Questions (faq) module allows users, with the appropriate permissions, to create question and answer pairs which are displayed on the 'faq' page, and in the random and recent FAQ blocks. The module does not sanitize some of the user-supplied data before...
SA-CONTRIB-2012-019 - Link checker - Access bypass
CVE: CVE-2012-1642 The Link checker module extracts links from your site's content and periodically tries to detect broken links and report them so they can be fixed. The module does not correctly check permission to access the site's content before displaying broken links that were found within...
SA-CONTRIB-2012-009 - Revisioning - Access bypass
CVE: CVE-2012-1635 This module enables you to create moderation publication workflows, allowing authors to create content that isn't visible to the public until it has been approved by a moderator/publisher. The module's implementation of hook_node_access assumes that access is to be granted/denied...
SA-CONTRIB-2010-095 - Lightbox2 - Multiple Vulnerabilities
The Lightbox2 module enables images to be overlaid on the current page using JavaScript. The module displays images above the page instead of within it, freeing the page design from layout constraints and keeping users on the same page. The module does not sanitize some of the user supplied data...
SA-CONTRIB-2009-054 - Go - url redirects - Multiple vulnerabilities
The Go - url redirects (gotwo) module adds the option to add redirected URLs. This module was found to have multiple vulnerabilities. Arbitrary PHP code execution: Due to improper use of the PCRE regular expression engine, users with permission to use the input filter provided by the module are able...
Drupal core - Multiple cross site scripting vulnerabilities
Some server variables are not escaped consistently. When a malicious user is able to entice a victim to visit a specially crafted link or webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website. Custom content type names...
DRUPAL-SA-2006-025 - Drupal core - Cross site request forgeries
Visiting a specially crafted page, anywhere on the web, may allow that page to post forms to a Drupal site in the context of the visitor's session. To illustrate: suppose one has an active user 1 session, the most powerful administrator account for a site, to a Drupal site while visiting a websit...
DRUPAL-SA-2006-003 Session fixation vulnerability
If someone creates a clever enough URL and convinces you to click on it, and you later log in but you do not log off then the attacker may be able to impersonate you. Versions affected All Drupal versions before 4.6.6. Solution The fix to this issue requires PHP 4.3.2 or higher, which is higher...
DRUPAL-SA-2006-004 Mail header injection vulnerability
Linefeeds and carriage returns were not being stripped from email headers, raising the possibility of bogus headers being inserted into outgoing email. This could lead to Drupal sites being used to send unwanted email. Versions affected All Drupal versions before 4.6.6. Solution If you are runnin...
Paragraphs table - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-084
Project Paragraphs table provides a field for a collection table. The module doesn't sufficiently sanitise certain data attributes allowing Cross Site Scripting (XSS) attacks. This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing...
One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-063
This module enables you to allow users to include a second authentication method in addition to password authentication. The module doesn't sufficiently prevent the same TFA token within a 30 second window. This vulnerability is mitigated by the fact that an attacker must obtain a valid...
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003
Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized...
Opigno module - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-028
The Opigno module is related to the Opigno LMS distribution. It implements the module entity, which is a sub-part of a training. In the opigno_module module, uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution (RCE) and/or Cross Site...
Coffee - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-011
The Coffee module helps you to navigate through the Drupal admin menus faster with a shortcut popup. The module doesn't sufficiently escape menu names when displaying them in the popup, thereby exposing an XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a...
Node Access Rebuild Progressive - Less critical - Access bypass - SA-CONTRIB-2024-013
This module provides an alternative means of rebuilding the Content Access table. The module doesn't sufficiently reset the state of content access when the module is uninstalled...
Group - Less critical - Access bypass - SA-CONTRIB-2023-054
The Group module has the ability to make content private to specific groups. When viewing a list of entities, e.g. nodes, a visitor should only see those entities that are either not attached to a group or that they have group access to. The module doesn't sufficiently enforce list access under t...
Matomo Analytics - Less critical - Cross Site Scripting - SA-CONTRIB-2023-033
This module enables you to add the Matomo web statistics tracking system to your website. The module does not check the Matomo JS code loaded on the website. So a user could configure the module to load JS from a malicious website. This vulnerability is mitigated by the fact that an attacker must...
GDPR Alert - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-023
This module enables you to define configurable GDPR alert messages. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be...
Office Hours - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-020
This module enables you to define a 'weekly office hours' field type, and add a field to any Content type, in order to display the weekly opening hours for a location. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability...
AddToAny Share Buttons - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-019
This module provides social media share & follow buttons. The module doesn't sufficiently restrict AddToAny block settings to users who have permission to administer AddToAny. This allows users with lower permission to configure malicious code leading to a Cross Site Scripting (XSS) vulnerability...
File (Field) Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-065
The File (Field) Paths module extends the default functionality of Drupal's core File module, by adding the ability to use entity-based tokens in destination paths and file names. The module's default configuration could temporarily expose private files to anonymous visitors. Important note: to fix...
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2021-005
The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal. Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content even without...
Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2021-024
This project enables administrators to restrict access from anonymous and regular users to pre-defined pages. The administration routes used by the project lacked proper permissions, allowing untrusted users to access, create and modify the module's settings...
Spamicide - Critical - Access bypass - SA-CONTRIB-2020-009
The Spamicide module protects Drupal forms with a form field that is hidden from normal users, but visible to spam bots. The module doesn't require appropriate permissions for administrative pages leading to an Access Bypass...
Create user permission - Critical - Access bypass - SA-CONTRIB-2019-066
This module enables you to have a separate permission only for creating users. The module doesn't respect Drupal's setting for "Who can register accounts?" when set to "Visitors, but administrator approval is required". When this option is chosen, the module overrides the setting, and makes it...
Bootstrap - Moderately critical - Cross site scripting - SA-CONTRIB-2018-074
This base theme bridges the gap between Drupal and the Bootstrap Framework. The theme doesn't sufficiently filter valid targets under the scenario of opening modals, popovers, and tooltips. This vulnerability is mitigated by the fact that an attacker must already have the ability to either:...
Bing Autosuggest API - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-058
This module enables you to use the Bing Autosuggest API. The module doesn't sufficiently sanitize a value used to populate an API request...
Menu Import and Export - Critical - Access bypass - SA-CONTRIB-2018-018
This module helps in exporting and importing Menu Items via the administrative interface. The module does not properly restrict access to administrative pages, allowing anonymous users to export and import menu links. There is no mitigation for this vulnerability...
Brilliant Gallery - Highly critical - Multiple Vulnerabilities - SA-CONTRIB-2017-079
This module enables you to display any number of galleries based on images located in the files folder. The module doesn't sufficiently sanitize various database queries which may allow attackers to craft requests resulting in an SQL injection vulnerability. This vulnerability could be exploited...
Doubleclick for Publishers (DFP) - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-002
This module enables you to place advertisements on your site that are served by Google's DFP (Doubleclick for Publishers) service. The module has multiple Cross Site Scripting (XSS) vulnerabilities due to not sufficiently escaped fields. The "administer DFP" permission is not marked as restricted...
Bootstrap - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-058
The Bootstrap theme enables you to integrate the Bootstrap framework with Drupal. The theme does not sufficiently filter potential user-supplied data when it's passed to certain templates, which can lead to a Persistent Cross Site Scripting (XSS) vulnerability. CVE identifiers issued A CVE identifier...
Storage API - Moderately Critical - Access Bypass - SA-CONTRIB-2015-114
The Storage API module creates an underlying agnostic storage layer for Drupal using many different underlying storage methods. Storage API can be used to create fields for entities to hold data. The module failed to restrict access to the Storage API fields attached to entities that are not node...
Views - Critical - Access Bypass - SA-CONTRIB-2015-103
The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. Access bypass due to cache inconsistency: Due to an issue in the caching mechanism of Views it's possible that configured filters lose...
Smart Trim - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-102
This module implements a new field formatter for text fields (text, text_long, and text_with_summary, if you want to get technical) that improves upon the "Summary or Trimmed" formatter built into Drupal 7. The module doesn't sufficiently filter user input via the field settings form. This vulnerabilit...
SA-CONTRIB-2015-078 - Webform - Cross Site Scripting (XSS)
Webform is the module for making surveys, petitions, contests, personalized contact forms, and the like in Drupal. The module doesn't sufficiently sanitize component names when components are used to determine the e-mail addresses that may be sent upon webform submission. This vulnerability is...
SA-CONTRIB-2015-051 - Term Queue - Cross Site Scripting (XSS)
Term Queue module allows you to create lists of taxonomy terms and display them in a block. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker...
SA-CONTRIB-2015-035 - Ajax Timeline - Cross Site Scripting (XSS)
Ajax Timeline module enables you to display a vertical timeline of nodes based on a date field or the created date of the configured nodes. The module doesn't sufficiently escape node titles when displaying the timeline, allowing a malicious user to inject code. This vulnerability is mitigated by th...
SA-CONTRIB-2015-005 - WikiWiki - SQL injection
WikiWiki module gives you one place to create, share and find wiki pages in your site. The module did not sanitize user input inside a database query thereby leading to a SQL Injection vulnerability. CVE identifiers issued CVE-2015-3346 Versions affected WikiWiki 6.x-1.x versions prior to 6.x-1.2...
SA-CONTRIB-2015-013 - Field Display Label - Cross Site Scripting (XSS)
This module enables you to use a different label for displaying fields from the label used when viewing the field in a form. The module doesn't sufficiently sanitize the alternate field label in content types settings. This vulnerability is mitigated by the fact that an attacker must have a role...
SA-CONTRIB-2014-124 - Poll Chart - Cross Site Scripting (XSS)
This module enables users to have a block displaying the result of the last poll as a chart. The module doesn't sufficiently sanitize poll node titles when displaying the block. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create polls and t...
SA-CONTRIB-2014-093 - Twilio - Information Disclosure
This module enables you to easily add SMS and VoIP functionality to your website by leveraging the Twilio cloud VoIP and SMS service. The module doesn't expose its own permissions for administration, including viewing and editing the Twilio authentication tokens. It relies only on "access...
SA-CONTRIB-2014-029 - Mime Mail - Access Bypass
The MIME Mail module allows you to send MIME-encoded e-mail messages with embedded images and attachments. By default the module only allows files to be embedded or attached that are located in the public files directory. The module doesn't sufficiently check the file location, considering similar...