Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
•added 2015/03/04 12:0 a.m.•21 views

SA-CONTRIB-2015-068 - Campaign Monitor - Cross Site Request Forgery (CSRF)

Campaign Monitor module integrates the Campaign Monitor API into Drupal. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause another user to enable and disable list subscriptions by getting their browser to make a request to a specially-crafted URL. CVE...

6.8CVSS6.3AI score0.00656EPSS
Exploits0References10
Drupal
Drupal
•added 2015/02/11 12:0 a.m.•21 views

SA-CONTRIB-2015-041 - Feature Set - Cross Site Request Forgery (CSRF)

Feature Set module enables you to enable or disable sets of features or modules. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to enable and disable modules by getting the administrator's browser to make a request to a specially-crafte...

5.8CVSS6.3AI score0.00649EPSS
Exploits0References10
Drupal
Drupal
•added 2015/02/04 12:0 a.m.•21 views

SA-CONTRIB-2015-038 - Facebook Album Fetcher - Cross Site Scripting (XSS) - Unsupported

Facebook Album Fetcher module allows you to fetch Facebook albums from a Facebook account. The module incorrectly prints fields without proper sanitization thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

3.5CVSS6AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
•added 2015/01/14 12:0 a.m.•21 views

SA-CONTRIB-2015-018 - Video - Cross Site Scripting (XSS)

This module enables you to upload, convert and playback videos. The module doesn't sufficiently sanitize node titles when using the video WYSIWYG plugin, thereby opening a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with th...

3.5CVSS5.7AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
•added 2015/01/07 12:0 a.m.•21 views

SA-CONTRIB-2015-013 - Field Display Label - Cross Site Scripting (XSS)

This module enables you to use a different label for displaying fields from the label used when viewing the field in a form. The module doesn't sufficiently sanitize the alternate field label in content types settings. This vulnerability is mitigated by the fact that an attacker must have a role...

3.5CVSS6.3AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
•added 2014/12/10 12:0 a.m.•21 views

SA-CONTRIB-2014-124 - Poll Chart - Cross Site Scripting (XSS)

This module enables users to have a block displaying the result of the last poll as a chart. The module doesn't sufficiently sanitize poll node titles when displaying the block. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create polls and t...

3.5CVSS6.3AI score0.00946EPSS
Exploits0References10
Drupal
Drupal
•added 2014/11/12 12:0 a.m.•21 views

SA-CONTRIB-2014-108 - Webform Component Roles - Access Bypass

The Webform component module enables site admins to limit visibility or editability of webform components based on user roles. The module doesn't sufficiently check that disabled component values are not modified upon submission of the form. CVE identifiers issued CVE-2014-9022 Versions affected...

6.4CVSS6.4AI score0.01523EPSS
Exploits0References10
Drupal
Drupal
•added 2014/07/23 12:0 a.m.•21 views

SA-CONTRIB-2014-072 - Freelinking, Freelinking Case Tracker - Access bypass

The freelinking and freelinking case tracker modules implement a filter for the easier creation of HTML links to other pages in the site or external sites with a wiki style format such as pluginname:identifier. The module doesn't sufficiently check access to content when displaying links to nodes...

4.3CVSS6.1AI score0.01191EPSS
Exploits0References10
Drupal
Drupal
•added 2014/07/16 12:0 a.m.•21 views

SA-CONTRIB-2014-071 - FileField - Access bypass

The FileField module enables you to define and use fields that contain files. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files. This vulnerability is mitigated ...

4CVSS6.5AI score0.0162EPSS
Exploits0References14
Drupal
Drupal
•added 2014/07/02 12:0 a.m.•21 views

SA-CONTRIB-2014-066 - Node Access Keys - Access Bypass

Node Access Keys helps to grant users temporary view permissions to selected content types on a per user role basis. It was found that unpublished nodes of content types that that did not have an access key were visible to all. Also, If an unpublished node of a content type that was protected by ...

7AI score
Exploits0References12
Drupal
Drupal
•added 2014/04/02 12:0 a.m.•21 views

SA-CONTRIB-2014-036 - Print - Cross Site Scripting

This module provides printer-friendly versions of content, including send by e-mail and PDF versions. The module does not sufficiently sanitize user provided input when generating the printed version of a node. This is mitigated by the fact that an attacker must have permission to create a node...

3.5CVSS6.4AI score0.01046EPSS
Exploits0References11
Drupal
Drupal
•added 2014/02/12 12:0 a.m.•21 views

SA-CONTRIB-2014-016 - Mayo Theme - XSS Vulnerability

The theme settings allow you to link to a header background file. A URL could be entered that was not properly sanitized leading to XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". CVE identifiers issued...

4CVSS5.7AI score0.0118EPSS
Exploits0References11
Drupal
Drupal
•added 2013/09/04 12:0 a.m.•21 views

SA-CONTRIB-2013-073 - Make Meeting Scheduler - Access Bypass

This module enables you to create polls accessible by an url with hash e.g. example.com/makemeeting/sn9028xh3398 so that anonymous users can view and vote on the poll. The module didn't sufficiently check access when a poll is accessed directly via its node url e.g. node/123. Note: a user with th...

6.4CVSS6.4AI score0.01358EPSS
Exploits0References9
Drupal
Drupal
•added 2013/08/07 12:0 a.m.•21 views

SA-CONTRIB-2013-063 - Authenticated User Page Caching (Authcache) - Information Disclosure

This module enables page caching for authenticated users. A separate version of each cacheable page is stored for each group of users with the same combination of roles. Users having the exact same role-combination like the superuser uid=1 might access cached pages generated with the superuser...

6.5CVSS6.3AI score0.01626EPSS
Exploits0References9
Drupal
Drupal
•added 2013/03/27 12:0 a.m.•21 views

SA-CONTRIB-2013-038 - Commons Groups - Access bypass & Privilege escalation

The Drupal Commons distribution is a tool for building social, group-based collaboration communities. The Commons Groups module is used by the distribution to provide specific Organic Groups customizations. Versions 3.0 and earlier of the Commons Groups module is vulnerable to an access bypass an...

5CVSS6.7AI score0.02908EPSS
Exploits0References13
Drupal
Drupal
•added 2013/03/13 12:0 a.m.•21 views

SA-CONTRIB-2013-034 - Node Parameter Control - Access Bypass

This module enables you to limit the visibility of the fields on the node edit form. The module doesn't sufficiently check access before allowing users to view and edit the configuration options allowing anonymous and authenticated users the ability to view and edit the configuration options. CVE...

6.4CVSS6.2AI score0.02782EPSS
Exploits0References8
Drupal
Drupal
•added 2013/02/27 12:0 a.m.•21 views

SA-CONTRIB-2013-024 - Creative Theme - Cross Site Scripting (XSS)

Creative Theme is a light weight Drupal 7 theme with a modern look and feel. The theme doesn't properly sanitize user-entered content in the social icon leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.7AI score0.00941EPSS
Exploits0References10
Drupal
Drupal
•added 2013/02/20 12:0 a.m.•21 views

SA-CONTRIB-2013-021 - Display Suite - Cross Site Scripting (XSS)

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. In certain situations, Display Suite does not properly sanitize user-supplied data, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS...

4.3CVSS5.6AI score0.01325EPSS
Exploits0References10
Drupal
Drupal
•added 2013/01/23 12:0 a.m.•21 views

SA-CONTRIB-2013-007 User Relationships - Cross Site Scripting (XSS)

The User Relationships module allows you to create multiple relationship types and maintain relationships between users in your Drupal site. The module does not sufficiently escape relationship names before display. This allows users with the correct permissions to create relationship names...

2.1CVSS6.4AI score0.01041EPSS
Exploits0References8
Drupal
Drupal
•added 2013/01/23 12:0 a.m.•21 views

SA-CONTRIB-2013-010 - Search API sorts - Cross Site Scripting (XSS)

This module enables you to sort by Search API facets. The module doesn't sufficiently filter user entered text in field labels. This vulnerability is mitigated by the fact that an attacker must have a role with the ability to modify field labels such as "administer taxonomy". CVE identifiers issu...

2.1CVSS6.3AI score0.00941EPSS
Exploits0References9
Drupal
Drupal
•added 2012/11/28 12:0 a.m.•21 views

SA-CONTRIB-2012-169 - Email Field - Cross Site Scripting and Access bypass

The email module provides a field type CCK / FieldAPI for storing email addresses and a formatter to output the email address as a link to a contact form. The contact form formatter allows a site visitor to email the stored address without letting them see what that e-mail address is. Access bypa...

5.9AI score
Exploits0References10
Drupal
Drupal
•added 2012/11/28 12:0 a.m.•21 views

SA-CONTRIB-2012-172 - Zero Point - Cross Site Scripting (XSS)

Zero Point is an advanced theme which includes many options, ideal for a wide range of sites. The theme does not escape path aliases exposing a Cross site scripting XSS vulnerability in URLs. There are no mitigating factors. CVE: CVE-2012-5591 Versions affected zeropoint 6.x-1.x versions prior to...

4.3CVSS5.6AI score0.01161EPSS
Exploits0References12
Drupal
Drupal
•added 2012/11/28 12:0 a.m.•21 views

SA-CONTRIB-2012-167 - Mixpanel - Cross site scripting (XSS)

This module provides integration with the Mixpanel real-time analytics service. The module doesn't sufficiently escape the Mixpanel token when adding the tracking Javascript to the page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access...

2.1CVSS6.4AI score0.01041EPSS
Exploits0References10
Drupal
Drupal
•added 2012/11/14 12:0 a.m.•21 views

SA-CONTRIB-2012-163 - User Read-Only - Permission escalation

User Read-only is a module that allows an administrator to prevent modification of user account/profile fields. The administrator can select which fields will allow or disallow editing. The module can mistakenly assign roles when performing unrelated operations against a user's account such as...

3.6CVSS6.3AI score0.01433EPSS
Exploits0References11
Drupal
Drupal
•added 2012/10/10 12:0 a.m.•21 views

SA-CONTRIB-2012-154 - Basic webmail - Multiple vulnerabilities

This module allows site users to read and write e-mail through an IMAP mail server. There are four issues being addressed by this security advisory: The module doesn't sufficiently sanitize data when setting page title. The module may store Drupal login IDs and passwords in plain text in the data...

4.3CVSS4.4AI score0.0181EPSS
Exploits0References11
Drupal
Drupal
•added 2012/08/29 12:0 a.m.•21 views

SA-CONTRIB-2012-129 - Activism - Access Bypass

The Activism module is an attempt to standardize the way online advocacy tools are built in Drupal 6. It ships with and creates a "Campaign" content type which is always viewable, even when an administrator unpublishes it or otherwise restricts viewing access. CVE: Requested Versions affected...

7.1AI score
Exploits0References8
Drupal
Drupal
•added 2012/06/06 12:0 a.m.•21 views

SA-CONTRIB-2012-097 - Protest - Cross Site Scripting (XSS)

Protest allows websites to display a complete page blackout website protest. The module contains a cross site scripting XSS vulnerability as it fails to sanitize user input before display. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administe...

2.1CVSS5.4AI score0.01862EPSS
Exploits1References10
Drupal
Drupal
•added 2012/05/30 12:0 a.m.•21 views

SA-CONTRIB-2012-089 - Counter - SQL Injection (unsupported)

Counter module counts how many visitors on your website. This module provides real time counting with all data saved to the database. The module doesn't sufficiently filter user supplied text when recording visits to the database which leads to a SQL Injection vulnerability. CVE: CVE-2012-2718...

7.5CVSS7.5AI score0.01889EPSS
Exploits0References8
Drupal
Drupal
•added 2012/05/23 12:0 a.m.•21 views

SA-CONTRIB-2012-083 - Taxonomy List - Cross Site Scripting (XSS)

CVE: CVE-2012-2711 This module enables you to display the terms and optionally nodes under categories. The module doesn't sufficiently sanitize user supplied text in the taxonomy information. This vulnerability is mitigated by the fact that an attacker must have a role with permissions to create ...

2.1CVSS6.3AI score0.01659EPSS
Exploits1References12
Drupal
Drupal
•added 2012/05/16 12:0 a.m.•21 views

SA-CONTRIB-2012-082 - Zen - Cross Site Scripting

CVE: CVE-2012-2710. The Zen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users. The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting XSS attack. This vulnerability is mitigated by the...

2.6CVSS5.8AI score0.01783EPSS
Exploits0References13
Drupal
Drupal
•added 2012/05/16 12:0 a.m.•21 views

SA-CONTRIB-2012-079 - Post Affiliate Pro - Cross Site Scripting (XSS) and Access Bypass - Unsupported

Update: this module has been fixed 2014-03-21. Please go the project page and download the most current release. XSS: CVE: CVE-2012-2706 Access bypass: CVE: CVE-2012-3802 Post Affiliate Pro PAP is a module providing affiliate functionality for Ubercart and Post Affiliate Pro application. The modu...

4.3CVSS6AI score0.01808EPSS
Exploits0References9
Drupal
Drupal
•added 2012/04/25 12:0 a.m.•21 views

SA-CONTRIB-2012-066 - Spaces and Spaces OG - Access Bypass

CVE: CVE-2012-2303 Spaces is an API module intended to make configuration options generally avaliable only at the sitewide level to be configurable and overridden by individual "spaces" on a Drupal site. The spaces and spacesog modules part of the spaces package in some cases do not apply the...

7.5CVSS6.2AI score0.0196EPSS
Exploits1References12
Drupal
Drupal
•added 2012/04/25 12:0 a.m.•21 views

SA-CONTRIB-2012-065 - Sitedoc - Information disclosure

CVE: CVE-2012-2302 This module enables you to display a plethora of information about your site's structure. Optionally, the information may be saved into a file for later comparison. The module doesn't sufficiently verify that the saved file is protected by the Private File System. This...

5CVSS6AI score0.01663EPSS
Exploits1References10
Drupal
Drupal
•added 2012/03/28 12:0 a.m.•21 views

SA-CONTRIB-2012-052 - Node Limit Number - Cross Site Request Forgery (CSRF)

CVE: CVE-2012-2080 The Node Limit Number module enables an administrator to place limits on how many nodes may be created by each user. Node Limit Number does not protect the delete URL against Cross Site Request Forgery attacks, allowing a malicious user to trick someone with "administer node...

6.8CVSS6.4AI score0.01202EPSS
Exploits1References11
Drupal
Drupal
•added 2012/02/22 12:0 a.m.•21 views

SA-CONTRIB-2012-023 - FAQ - Cross Site Scripting

CVE: CVE-2012-1646 The Frequently Asked Questions faq module allows users, with the appropriate permissions, to create question and answer pairs which are displayed on the 'faq' page, and in the random and recent FAQ blocks. The module does not sanitize some of the user-supplied data before...

4.3CVSS5.7AI score0.02388EPSS
Exploits0References10
Drupal
Drupal
•added 2012/02/15 12:0 a.m.•21 views

SA-CONTRIB-2012-021 - Organic Groups Vocab Access Bypass

CVE: CVE-2012-1644 This module enables you to have a specific vocabulary per organic group. The module doesn't sufficiently check access to vocabularies while allowing a group admin to edit the vocabularies. This vulnerability is mitigated by the fact that an attacker must have a role with the...

2.1CVSS6.3AI score0.01117EPSS
Exploits1References10
Drupal
Drupal
•added 2012/02/15 12:0 a.m.•21 views

SA-CONTRIB-2012-019 - Link checker - Access bypass

CVE: CVE-2012-1642 The Link checker module extracts links from your site's content and periodically tries to detect broken links and report them so they can be fixed. The module does not correctly check permission to access the site's content before displaying broken links that were found within...

5CVSS6.2AI score0.02255EPSS
Exploits0References11
Drupal
Drupal
•added 2012/01/25 12:0 a.m.•21 views

SA-CONTRIB-2012-015 - Managesite - Cross Site Scripting (XSS)

CVE: CVE-2012-1640 This module provides a way to build a control panel similar to the one provided by Drupal 7 on the admin zone /admin. The module doesn't sufficiently filter user supplied text in the administration settings. This vulnerability is mitigated by the fact that an attacker must have...

2.1CVSS6.3AI score0.01041EPSS
Exploits0References10
Drupal
Drupal
•added 2012/01/11 12:0 a.m.•21 views

SA-CONTRIB-2012-004 - Date - SQL injection

CVE: CVE-2012-1626 This module enables you to add and administer date fields to nodes. It includes Date Tools, that allows users to convert nodes created with the Event module into Date fields. The conversion form for Events is vulnerable to SQL injection. This vulnerability is mitigated by the...

6CVSS6.9AI score0.01105EPSS
Exploits0References10
Drupal
Drupal
•added 2011/03/02 12:0 a.m.•21 views

SA-CONTRIB-2011-012 - Spaces - Access bypass

The Spaces module makes sitewide configuration options available to be overridden by individual "spaces" on a Drupal site. Spaces provides a Views module access plugin that does not properly check its permission setting which may allow underprivileged users to visit certain pages. This...

7AI score
Exploits0References10
Drupal
Drupal
•added 2010/09/22 12:0 a.m.•21 views

SA-CONTRIB-2010-095 - Lightbox2 - Multiple Vulnerabilities

The Lightbox2 module enables images to be overlaid on the current page using JavaScript. The module displays images above the page instead of within it, freeing the page design from layout constraints and keeping users on the same page. The module does not sanitize some of the user supplied data...

6.4AI score
Exploits0References12
Drupal
Drupal
•added 2010/03/24 12:0 a.m.•21 views

SA-CONTRIB-2010-030: Mime Mail - Arbitrary code execution

The Mime Mail module is an helper module providing support for MIME mails, for use by other modules. Due to improper use of the PCRE regular expression engine, users with the ability to send HTML email with the Mime Mail module were able to execute arbitrary PHP code on the server. Versions...

8AI score
Exploits0References7
Drupal
Drupal
•added 2008/01/30 12:0 a.m.•21 views

SA-2008-011 - Securesite - Access bypass

The Secure Site module provides functions for placing your site behind HTTP based authentication. The module contains a flaw that allows an attacker who is behind the same proxy as a logged in user, to access the site as if the attacker is the user. Versions affected Secure Site for Drupal 5.x an...

6.7AI score
Exploits0References5
Drupal
Drupal
•added 2006/10/18 12:0 a.m.•21 views

DRUPAL-SA-2006-025 - Drupal core - Cross site request forgeries

Visiting a specially crafted page, anywhere on the web, may allow that page to post forms to a Drupal site in the context of the visitor's session. To illustrate; suppose one has an active user 1 session, the most powerful administrator account for a site, to a Drupal site while visiting a websit...

6.9AI score
Exploits0References3
Drupal
Drupal
•added 2026/06/17 12:0 a.m.•20 views

Drupal core - Critical - PHP object injection - SA-CORE-2026-005

SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web services. The above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain...

5.4AI score0.00161EPSS
Exploits0References9
Drupal
Drupal
•added 2026/05/20 12:0 a.m.•20 views

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

Drupal core includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL...

9.8CVSS6.2AI score0.84631EPSS
Exploits14References12
Drupal
Drupal
•added 2025/05/28 12:0 a.m.•20 views

Simple Klaro - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-071

The "Simple Klaro" module adds the "Klaro! A Simple Consent Manager" to your website and allows you to configure it according to your needs in the Drupal backend. The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility for the permission to be...

8.8CVSS5.9AI score0.00225EPSS
Exploits0References2
Drupal
Drupal
•added 2024/11/20 12:0 a.m.•20 views

Mailjet - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-062

This module for Drupal provides complete control of Email settings with Drupal and Mailjet. In certain cases the module doesn't securely pass data to PHP's unserialize function, which could result in Remote Code Execution via PHP Object Injection. This vulnerability is mitigated by the fact that ...

6.6CVSS7.9AI score0.00399EPSS
Exploits0References5
Drupal
Drupal
•added 2024/05/29 12:0 a.m.•20 views

Image Sizes - Moderately critical - Access bypass - SA-CONTRIB-2024-023

This module enables you to create responsive image styles that depend on the parent element's width. The module doesn't sufficiently check access to rendered images, resulting in access bypass vulnerabilities in specific scenarios...

7.5CVSS7.3AI score0.00481EPSS
Exploits0References7
Drupal
Drupal
•added 2024/02/28 12:0 a.m.•20 views

Coffee - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-011

The Coffee module helps you to navigate through the Drupal admin menus faster with a shortcut popup. The module doesn't sufficiently escape menu names when displaying them in the popup, thereby exposing a XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a...

4.8CVSS6AI score0.00218EPSS
Exploits0References7
Total number of security vulnerabilities1940