Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
•added 2018/11/28 12:0 a.m.•21 views

GatherContent - Moderately critical - Access bypass - SA-CONTRIB-2018-075

This module enables you to import and export data from the GatherContent service. The module didn't properly protect its administrative paths...

6.7AI score
Exploits0References7
Drupal
Drupal
•added 2018/08/29 12:0 a.m.•21 views

Bing Autosuggest API - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-058

This module enables you to use the Bing Autosuggest API. The module doesn't sufficiently sanitize a value used to populate an API request...

6.6AI score
Exploits0References5
Drupal
Drupal
•added 2018/04/18 12:0 a.m.•21 views

Menu Import and Export - Critical - Access bypass - SA-CONTRIB-2018-018

This module helps in exporting and importing Menu Items via the administrative interface. The module does not properly restrict access to administrative pages, allowing anonymous users to export and import menu links. There is no mitigation for this vulnerability...

6.6AI score
Exploits0References6
Drupal
Drupal
•added 2016/11/02 12:0 a.m.•21 views

Bootstrap - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-058

The Bootstrap theme enables you to integrate the Bootstrap framework with Drupal. The theme does not sufficiently filter potential user-supplied data when it's passed to certain templates can which lead to a Persistent Cross Site Scripting XSS vulnerability. CVE identifiers issued ACVE identifier...

6.2AI score
Exploits0References12
Drupal
Drupal
•added 2015/10/07 12:0 a.m.•21 views

Colorbox - Access bypass - Less Critical - SA-CONTRIB-2015-156

This module allows for integration of Colorbox, a jQuery lightbox plugin, into Drupal. The module allows unprivileged users to add unexpected content to a Colorbox, including content from external sites. This allows an unprivileged user to deface a site. This vulnerability is mitigated by the fac...

3.5CVSS6.2AI score0.00866EPSS
Exploits0References10
Drupal
Drupal
•added 2015/06/24 12:0 a.m.•21 views

me aliases - Moderately Critical - Access Bypass - SA-CONTRIB-2015-128

'me aliases' module provides shortcut paths to current user's pages, eg user/me, blog/me, user/me/edit, tracker/me etc. The view user argument handler for the 'me' module has an access bypass vulnerability where it does not check the supplied argument against the current user. This allows any use...

5CVSS6.3AI score0.02153EPSS
Exploits0References10
Drupal
Drupal
•added 2015/05/20 12:0 a.m.•21 views

Web Links - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-110

The Web Links module provides a comprehensive way to manage url links to other websites. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with permissio...

3.5CVSS6AI score0.00965EPSS
Exploits0References13
Drupal
Drupal
•added 2015/03/11 12:0 a.m.•21 views

SA-CONTRIB-2015-077 - OG tabs - Cross Site Scripting (XSS)

OG Tabs modules provides a secondary menu with links to nodes of the same OG group. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission t...

3.5CVSS6AI score0.00965EPSS
Exploits0References12
Drupal
Drupal
•added 2015/03/04 12:0 a.m.•21 views

SA-CONTRIB-2015-068 - Campaign Monitor - Cross Site Request Forgery (CSRF)

Campaign Monitor module integrates the Campaign Monitor API into Drupal. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause another user to enable and disable list subscriptions by getting their browser to make a request to a specially-crafted URL. CVE...

6.8CVSS6.3AI score0.00656EPSS
Exploits0References10
Drupal
Drupal
•added 2015/02/11 12:0 a.m.•21 views

SA-CONTRIB-2015-041 - Feature Set - Cross Site Request Forgery (CSRF)

Feature Set module enables you to enable or disable sets of features or modules. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to enable and disable modules by getting the administrator's browser to make a request to a specially-crafte...

5.8CVSS6.3AI score0.00649EPSS
Exploits0References10
Drupal
Drupal
•added 2015/02/04 12:0 a.m.•21 views

SA-CONTRIB-2015-038 - Facebook Album Fetcher - Cross Site Scripting (XSS) - Unsupported

Facebook Album Fetcher module allows you to fetch Facebook albums from a Facebook account. The module incorrectly prints fields without proper sanitization thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

3.5CVSS6AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
•added 2015/01/07 12:0 a.m.•21 views

SA-CONTRIB-2015-013 - Field Display Label - Cross Site Scripting (XSS)

This module enables you to use a different label for displaying fields from the label used when viewing the field in a form. The module doesn't sufficiently sanitize the alternate field label in content types settings. This vulnerability is mitigated by the fact that an attacker must have a role...

3.5CVSS6.3AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
•added 2014/12/10 12:0 a.m.•21 views

SA-CONTRIB-2014-124 - Poll Chart - Cross Site Scripting (XSS)

This module enables users to have a block displaying the result of the last poll as a chart. The module doesn't sufficiently sanitize poll node titles when displaying the block. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create polls and t...

3.5CVSS6.3AI score0.00946EPSS
Exploits0References10
Drupal
Drupal
•added 2014/11/12 12:0 a.m.•21 views

SA-CONTRIB-2014-108 - Webform Component Roles - Access Bypass

The Webform component module enables site admins to limit visibility or editability of webform components based on user roles. The module doesn't sufficiently check that disabled component values are not modified upon submission of the form. CVE identifiers issued CVE-2014-9022 Versions affected...

6.4CVSS6.4AI score0.01523EPSS
Exploits0References10
Drupal
Drupal
•added 2014/07/16 12:0 a.m.•21 views

SA-CONTRIB-2014-071 - FileField - Access bypass

The FileField module enables you to define and use fields that contain files. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files. This vulnerability is mitigated ...

4CVSS6.5AI score0.0162EPSS
Exploits0References14
Drupal
Drupal
•added 2014/07/02 12:0 a.m.•21 views

SA-CONTRIB-2014-066 - Node Access Keys - Access Bypass

Node Access Keys helps to grant users temporary view permissions to selected content types on a per user role basis. It was found that unpublished nodes of content types that that did not have an access key were visible to all. Also, If an unpublished node of a content type that was protected by ...

7AI score
Exploits0References12
Drupal
Drupal
•added 2014/04/02 12:0 a.m.•21 views

SA-CONTRIB-2014-036 - Print - Cross Site Scripting

This module provides printer-friendly versions of content, including send by e-mail and PDF versions. The module does not sufficiently sanitize user provided input when generating the printed version of a node. This is mitigated by the fact that an attacker must have permission to create a node...

3.5CVSS6.4AI score0.01046EPSS
Exploits0References11
Drupal
Drupal
•added 2014/02/12 12:0 a.m.•21 views

SA-CONTRIB-2014-016 - Mayo Theme - XSS Vulnerability

The theme settings allow you to link to a header background file. A URL could be entered that was not properly sanitized leading to XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". CVE identifiers issued...

4CVSS5.7AI score0.0118EPSS
Exploits0References11
Drupal
Drupal
•added 2013/09/04 12:0 a.m.•21 views

SA-CONTRIB-2013-073 - Make Meeting Scheduler - Access Bypass

This module enables you to create polls accessible by an url with hash e.g. example.com/makemeeting/sn9028xh3398 so that anonymous users can view and vote on the poll. The module didn't sufficiently check access when a poll is accessed directly via its node url e.g. node/123. Note: a user with th...

6.4CVSS6.4AI score0.01358EPSS
Exploits0References9
Drupal
Drupal
•added 2013/08/07 12:0 a.m.•21 views

SA-CONTRIB-2013-063 - Authenticated User Page Caching (Authcache) - Information Disclosure

This module enables page caching for authenticated users. A separate version of each cacheable page is stored for each group of users with the same combination of roles. Users having the exact same role-combination like the superuser uid=1 might access cached pages generated with the superuser...

6.5CVSS6.3AI score0.01626EPSS
Exploits0References9
Drupal
Drupal
•added 2013/03/27 12:0 a.m.•21 views

SA-CONTRIB-2013-038 - Commons Groups - Access bypass & Privilege escalation

The Drupal Commons distribution is a tool for building social, group-based collaboration communities. The Commons Groups module is used by the distribution to provide specific Organic Groups customizations. Versions 3.0 and earlier of the Commons Groups module is vulnerable to an access bypass an...

5CVSS6.7AI score0.02908EPSS
Exploits0References13
Drupal
Drupal
•added 2013/03/13 12:0 a.m.•21 views

SA-CONTRIB-2013-034 - Node Parameter Control - Access Bypass

This module enables you to limit the visibility of the fields on the node edit form. The module doesn't sufficiently check access before allowing users to view and edit the configuration options allowing anonymous and authenticated users the ability to view and edit the configuration options. CVE...

6.4CVSS6.2AI score0.02782EPSS
Exploits0References8
Drupal
Drupal
•added 2013/02/27 12:0 a.m.•21 views

SA-CONTRIB-2013-024 - Creative Theme - Cross Site Scripting (XSS)

Creative Theme is a light weight Drupal 7 theme with a modern look and feel. The theme doesn't properly sanitize user-entered content in the social icon leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.7AI score0.00941EPSS
Exploits0References10
Drupal
Drupal
•added 2013/02/20 12:0 a.m.•21 views

SA-CONTRIB-2013-021 - Display Suite - Cross Site Scripting (XSS)

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. In certain situations, Display Suite does not properly sanitize user-supplied data, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS...

4.3CVSS5.6AI score0.01325EPSS
Exploits0References10
Drupal
Drupal
•added 2013/01/23 12:0 a.m.•21 views

SA-CONTRIB-2013-007 User Relationships - Cross Site Scripting (XSS)

The User Relationships module allows you to create multiple relationship types and maintain relationships between users in your Drupal site. The module does not sufficiently escape relationship names before display. This allows users with the correct permissions to create relationship names...

2.1CVSS6.4AI score0.01041EPSS
Exploits0References8
Drupal
Drupal
•added 2013/01/23 12:0 a.m.•21 views

SA-CONTRIB-2013-010 - Search API sorts - Cross Site Scripting (XSS)

This module enables you to sort by Search API facets. The module doesn't sufficiently filter user entered text in field labels. This vulnerability is mitigated by the fact that an attacker must have a role with the ability to modify field labels such as "administer taxonomy". CVE identifiers issu...

2.1CVSS6.3AI score0.00941EPSS
Exploits0References9
Drupal
Drupal
•added 2012/11/28 12:0 a.m.•21 views

SA-CONTRIB-2012-169 - Email Field - Cross Site Scripting and Access bypass

The email module provides a field type CCK / FieldAPI for storing email addresses and a formatter to output the email address as a link to a contact form. The contact form formatter allows a site visitor to email the stored address without letting them see what that e-mail address is. Access bypa...

5.9AI score
Exploits0References10
Drupal
Drupal
•added 2012/11/28 12:0 a.m.•21 views

SA-CONTRIB-2012-172 - Zero Point - Cross Site Scripting (XSS)

Zero Point is an advanced theme which includes many options, ideal for a wide range of sites. The theme does not escape path aliases exposing a Cross site scripting XSS vulnerability in URLs. There are no mitigating factors. CVE: CVE-2012-5591 Versions affected zeropoint 6.x-1.x versions prior to...

4.3CVSS5.6AI score0.01161EPSS
Exploits0References12
Drupal
Drupal
•added 2012/11/28 12:0 a.m.•21 views

SA-CONTRIB-2012-167 - Mixpanel - Cross site scripting (XSS)

This module provides integration with the Mixpanel real-time analytics service. The module doesn't sufficiently escape the Mixpanel token when adding the tracking Javascript to the page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access...

2.1CVSS6.4AI score0.01041EPSS
Exploits0References10
Drupal
Drupal
•added 2012/11/14 12:0 a.m.•21 views

SA-CONTRIB-2012-163 - User Read-Only - Permission escalation

User Read-only is a module that allows an administrator to prevent modification of user account/profile fields. The administrator can select which fields will allow or disallow editing. The module can mistakenly assign roles when performing unrelated operations against a user's account such as...

3.6CVSS6.3AI score0.01433EPSS
Exploits0References11
Drupal
Drupal
•added 2012/08/29 12:0 a.m.•21 views

SA-CONTRIB-2012-129 - Activism - Access Bypass

The Activism module is an attempt to standardize the way online advocacy tools are built in Drupal 6. It ships with and creates a "Campaign" content type which is always viewable, even when an administrator unpublishes it or otherwise restricts viewing access. CVE: Requested Versions affected...

7.1AI score
Exploits0References8
Drupal
Drupal
•added 2012/06/06 12:0 a.m.•21 views

SA-CONTRIB-2012-097 - Protest - Cross Site Scripting (XSS)

Protest allows websites to display a complete page blackout website protest. The module contains a cross site scripting XSS vulnerability as it fails to sanitize user input before display. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administe...

2.1CVSS5.4AI score0.01862EPSS
Exploits1References10
Drupal
Drupal
•added 2012/05/30 12:0 a.m.•21 views

SA-CONTRIB-2012-089 - Counter - SQL Injection (unsupported)

Counter module counts how many visitors on your website. This module provides real time counting with all data saved to the database. The module doesn't sufficiently filter user supplied text when recording visits to the database which leads to a SQL Injection vulnerability. CVE: CVE-2012-2718...

7.5CVSS7.5AI score0.01889EPSS
Exploits0References8
Drupal
Drupal
•added 2012/05/23 12:0 a.m.•21 views

SA-CONTRIB-2012-083 - Taxonomy List - Cross Site Scripting (XSS)

CVE: CVE-2012-2711 This module enables you to display the terms and optionally nodes under categories. The module doesn't sufficiently sanitize user supplied text in the taxonomy information. This vulnerability is mitigated by the fact that an attacker must have a role with permissions to create ...

2.1CVSS6.3AI score0.01659EPSS
Exploits1References12
Drupal
Drupal
•added 2012/05/16 12:0 a.m.•21 views

SA-CONTRIB-2012-082 - Zen - Cross Site Scripting

CVE: CVE-2012-2710. The Zen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users. The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting XSS attack. This vulnerability is mitigated by the...

2.6CVSS5.8AI score0.01783EPSS
Exploits0References13
Drupal
Drupal
•added 2012/05/16 12:0 a.m.•21 views

SA-CONTRIB-2012-079 - Post Affiliate Pro - Cross Site Scripting (XSS) and Access Bypass - Unsupported

Update: this module has been fixed 2014-03-21. Please go the project page and download the most current release. XSS: CVE: CVE-2012-2706 Access bypass: CVE: CVE-2012-3802 Post Affiliate Pro PAP is a module providing affiliate functionality for Ubercart and Post Affiliate Pro application. The modu...

4.3CVSS6AI score0.01808EPSS
Exploits0References9
Drupal
Drupal
•added 2012/04/25 12:0 a.m.•21 views

SA-CONTRIB-2012-066 - Spaces and Spaces OG - Access Bypass

CVE: CVE-2012-2303 Spaces is an API module intended to make configuration options generally avaliable only at the sitewide level to be configurable and overridden by individual "spaces" on a Drupal site. The spaces and spacesog modules part of the spaces package in some cases do not apply the...

7.5CVSS6.2AI score0.0196EPSS
Exploits1References12
Drupal
Drupal
•added 2012/04/25 12:0 a.m.•21 views

SA-CONTRIB-2012-065 - Sitedoc - Information disclosure

CVE: CVE-2012-2302 This module enables you to display a plethora of information about your site's structure. Optionally, the information may be saved into a file for later comparison. The module doesn't sufficiently verify that the saved file is protected by the Private File System. This...

5CVSS6AI score0.01663EPSS
Exploits1References10
Drupal
Drupal
•added 2012/03/28 12:0 a.m.•21 views

SA-CONTRIB-2012-052 - Node Limit Number - Cross Site Request Forgery (CSRF)

CVE: CVE-2012-2080 The Node Limit Number module enables an administrator to place limits on how many nodes may be created by each user. Node Limit Number does not protect the delete URL against Cross Site Request Forgery attacks, allowing a malicious user to trick someone with "administer node...

6.8CVSS6.4AI score0.01202EPSS
Exploits1References11
Drupal
Drupal
•added 2012/02/22 12:0 a.m.•21 views

SA-CONTRIB-2012-023 - FAQ - Cross Site Scripting

CVE: CVE-2012-1646 The Frequently Asked Questions faq module allows users, with the appropriate permissions, to create question and answer pairs which are displayed on the 'faq' page, and in the random and recent FAQ blocks. The module does not sanitize some of the user-supplied data before...

4.3CVSS5.7AI score0.02388EPSS
Exploits0References10
Drupal
Drupal
•added 2012/02/15 12:0 a.m.•21 views

SA-CONTRIB-2012-021 - Organic Groups Vocab Access Bypass

CVE: CVE-2012-1644 This module enables you to have a specific vocabulary per organic group. The module doesn't sufficiently check access to vocabularies while allowing a group admin to edit the vocabularies. This vulnerability is mitigated by the fact that an attacker must have a role with the...

2.1CVSS6.3AI score0.01117EPSS
Exploits1References10
Drupal
Drupal
•added 2012/02/15 12:0 a.m.•21 views

SA-CONTRIB-2012-019 - Link checker - Access bypass

CVE: CVE-2012-1642 The Link checker module extracts links from your site's content and periodically tries to detect broken links and report them so they can be fixed. The module does not correctly check permission to access the site's content before displaying broken links that were found within...

5CVSS6.2AI score0.02255EPSS
Exploits0References11
Drupal
Drupal
•added 2012/01/25 12:0 a.m.•21 views

SA-CONTRIB-2012-015 - Managesite - Cross Site Scripting (XSS)

CVE: CVE-2012-1640 This module provides a way to build a control panel similar to the one provided by Drupal 7 on the admin zone /admin. The module doesn't sufficiently filter user supplied text in the administration settings. This vulnerability is mitigated by the fact that an attacker must have...

2.1CVSS6.3AI score0.01041EPSS
Exploits0References10
Drupal
Drupal
•added 2012/01/11 12:0 a.m.•21 views

SA-CONTRIB-2012-004 - Date - SQL injection

CVE: CVE-2012-1626 This module enables you to add and administer date fields to nodes. It includes Date Tools, that allows users to convert nodes created with the Event module into Date fields. The conversion form for Events is vulnerable to SQL injection. This vulnerability is mitigated by the...

6CVSS6.9AI score0.01105EPSS
Exploits0References10
Drupal
Drupal
•added 2011/03/02 12:0 a.m.•21 views

SA-CONTRIB-2011-012 - Spaces - Access bypass

The Spaces module makes sitewide configuration options available to be overridden by individual "spaces" on a Drupal site. Spaces provides a Views module access plugin that does not properly check its permission setting which may allow underprivileged users to visit certain pages. This...

7AI score
Exploits0References10
Drupal
Drupal
•added 2010/09/22 12:0 a.m.•21 views

SA-CONTRIB-2010-095 - Lightbox2 - Multiple Vulnerabilities

The Lightbox2 module enables images to be overlaid on the current page using JavaScript. The module displays images above the page instead of within it, freeing the page design from layout constraints and keeping users on the same page. The module does not sanitize some of the user supplied data...

6.4AI score
Exploits0References12
Drupal
Drupal
•added 2010/03/24 12:0 a.m.•21 views

SA-CONTRIB-2010-030: Mime Mail - Arbitrary code execution

The Mime Mail module is an helper module providing support for MIME mails, for use by other modules. Due to improper use of the PCRE regular expression engine, users with the ability to send HTML email with the Mime Mail module were able to execute arbitrary PHP code on the server. Versions...

8AI score
Exploits0References7
Drupal
Drupal
•added 2008/01/30 12:0 a.m.•21 views

SA-2008-011 - Securesite - Access bypass

The Secure Site module provides functions for placing your site behind HTTP based authentication. The module contains a flaw that allows an attacker who is behind the same proxy as a logged in user, to access the site as if the attacker is the user. Versions affected Secure Site for Drupal 5.x an...

6.7AI score
Exploits0References5
Drupal
Drupal
•added 2006/10/18 12:0 a.m.•21 views

DRUPAL-SA-2006-025 - Drupal core - Cross site request forgeries

Visiting a specially crafted page, anywhere on the web, may allow that page to post forms to a Drupal site in the context of the visitor's session. To illustrate; suppose one has an active user 1 session, the most powerful administrator account for a site, to a Drupal site while visiting a websit...

6.9AI score
Exploits0References3
Drupal
Drupal
•added 2026/06/17 12:0 a.m.•20 views

Drupal core - Critical - PHP object injection - SA-CORE-2026-005

SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web services. The above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain...

5.4AI score0.00215EPSS
Exploits0References9
Total number of security vulnerabilities1940