SA-CONTRIB-2014-020 - Drupal Commons - Cross Site Scripting (XSS)
Drupal Commons is a ready-to-use solution for building either internal or external communities. It provides a complete social business software solution for organizations. Drupal Commons displays an "activity stream" containing messages about actions users take on the site. In some cases, message...
SA-CONTRIB-2014-016 - Mayo Theme - XSS Vulnerability
The theme settings allow you to link to a header background file. A URL could be entered that was not properly sanitized, leading to an XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". CVE identifiers issued...
SA-CONTRIB-2013-073 - Make Meeting Scheduler - Access Bypass
This module enables you to create polls accessible by a URL with a hash, e.g. example.com/makemeeting/sn9028xh3398, so that anonymous users can view and vote on the poll. The module didn't sufficiently check access when a poll is accessed directly via its node URL, e.g. node/123. Note: a user with th...
SA-CONTRIB-2013-067 - BOTCHA - Information Disclosure (potential Privilege Escalation)
BOTCHA is a highly configurable non-CAPTCHA spam protection framework. The module includes a debug mode which logs the content of submitted forms, including passwords and other sensitive information. An attacker who gains access to the log (i.e. dblog or syslog, depending on configuration) could get...
SA-CONTRIB-2013-063 - Authenticated User Page Caching (Authcache) - Information Disclosure
This module enables page caching for authenticated users. A separate version of each cacheable page is stored for each group of users with the same combination of roles. Users with exactly the same role combination as the superuser (uid=1) might access cached pages generated with the superuser...
SA-CONTRIB-2013-015 - Manager Change for Organic Groups - Cross site scripting (XSS)
This module extends Organic Groups to allow the manager of a group to select a new manager for their group, e.g. if they want to leave the group. The autocomplete field for selecting a new manager didn't properly filter usernames. The vulnerability is mitigated by the fact that Drupal's default...
SA-CONTRIB-2013-016 - Banckle Chat - Access bypass - Unsupported
This module enables you to chat with the visitors of your web site. The module doesn't sufficiently check access to its admin pages. This vulnerability is not mitigated. CVE identifiers issued CVE-2013-0318 Versions affected All Banckle Chat 7.x-1.x versions. Drupal core is not affected. If you d...
SA-CONTRIB-2013-014 - Drush Debian Packaging - Information Disclosure - Unsupported
This package is a tool to build Debian packages from a Drupal instance. The module doesn't sufficiently protect database credentials. This vulnerability is mitigated by the fact that an attacker must have shell access to the server. CVE identifiers issued CVE-2013-0260 Versions affected All...
SA-CONTRIB-2013-001 - Search API - Cross Site Scripting
This module enables you to build searches using a wide range of features, data sources and backends. The module doesn't sufficiently sanitize user input when displaying errors in a view with certain backends, including the database backend. This enables attackers to create a Reflected Cross Site...
SA-CONTRIB-2012-169 - Email Field - Cross Site Scripting and Access bypass
The email module provides a field type CCK / FieldAPI for storing email addresses and a formatter to output the email address as a link to a contact form. The contact form formatter allows a site visitor to email the stored address without letting them see what that e-mail address is. Access bypa...
SA-CONTRIB-2012-168 - Services - Information Disclosure
This module enables you to access content from a remote client. The module doesn't sufficiently adhere to standard Drupal permissions and exposes users' emails via the user index method. This vulnerability is mitigated by the fact that an attacker must know the path to the user resource and must b...
SA-CONTRIB-2012-167 - Mixpanel - Cross site scripting (XSS)
This module provides integration with the Mixpanel real-time analytics service. The module doesn't sufficiently escape the Mixpanel token when adding the tracking JavaScript to the page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access...
SA-CONTRIB-2012-172 - Zero Point - Cross Site Scripting (XSS)
Zero Point is an advanced theme which includes many options, ideal for a wide range of sites. The theme does not escape path aliases exposing a Cross site scripting XSS vulnerability in URLs. There are no mitigating factors. CVE: CVE-2012-5591 Versions affected zeropoint 6.x-1.x versions prior to...
SA-CONTRIB-2012-161 - Webform CiviCRM Integration - Access Bypass
Webform CiviCRM integration allows you to expose contact data via Webforms. Depending on what fields you have exposed in your form, this may include personal information such as birthdate, phone number, email address, etc. Proper permission settings are important to keep this information from...
SA-CONTRIB-2012-102 - Ubercart AJAX Cart - Potential Disclosure of user Session ID
This module enables you to replace the default Ubercart shopping cart block with an AJAX-enabled one. The module includes the user's current session ID in one of its JavaScript settings keys on every page load which could be intercepted if the user's connection is not over SSL. This vulnerability...
SA-CONTRIB-2012-089 - Counter - SQL Injection (unsupported)
Counter module counts how many visitors your website has. This module provides real-time counting with all data saved to the database. The module doesn't sufficiently filter user-supplied text when recording visits to the database, which leads to a SQL Injection vulnerability. CVE: CVE-2012-2718...
SA-CONTRIB-2012-081 - Aberdeen - Cross Site Scripting
CVE: CVE-2012-2907. The Aberdeen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users. The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting XSS attack. This vulnerability is mitigated by...
SA-CONTRIB-2012-082 - Zen - Cross Site Scripting
CVE: CVE-2012-2710. The Zen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users. The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting XSS attack. This vulnerability is mitigated by the...
SA-CONTRIB-2012-079 - Post Affiliate Pro - Cross Site Scripting (XSS) and Access Bypass - Unsupported
Update: this module has been fixed 2014-03-21. Please go to the project page and download the most current release. XSS: CVE: CVE-2012-2706 Access bypass: CVE: CVE-2012-3802 Post Affiliate Pro (PAP) is a module providing affiliate functionality for Ubercart and the Post Affiliate Pro application. The modu...
SA-CONTRIB-2012-066 - Spaces and Spaces OG - Access Bypass
CVE: CVE-2012-2303 Spaces is an API module intended to make configuration options generally available only at the sitewide level configurable and overridable by individual "spaces" on a Drupal site. The spaces and spaces_og modules, part of the spaces package, in some cases do not apply the...
SA-CONTRIB-2012-055 - Fusion theme - Cross Site Scripting (XSS)
CVE: CVE-2012-2083 Fusion is a base theme that provides a configurable grid system and modular styling for common Drupal UI components. The theme outputs a CSS class for the tag based on the current URL, but does not provide sufficient filtering to prevent a Cross site scripting XSS attack. This...
SA-CONTRIB-2012-053 - Organic Groups - Access Bypass
CVE: CVE-2012-2081 Organic groups OG enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. The module's Views integration does not filter out information from display groups to whic...
SA-CONTRIB-2012-038 - Views Language Switcher Cross Site Scripting (XSS)
CVE: CVE-2012-2064 The Views Language Switcher module enables you to provide natively-formatted links that act as Views exposed filters for i18n content being displayed by Views. The module doesn't sufficiently filter the path output when a user manually modifies the path and makes a new request...
SA-CONTRIB-2012-033 - Read More Link - Cross Site Scripting
CVE: CVE-2012-1658 The Read More Link module allows you to move the "Read more" link from the node's links area to the end of the teaser text. A user could inject JavaScript into pages affecting other site users. This vulnerability is mitigated by the fact that an attacker must have a role with...
SA-CONTRIB-2012-024 - MediaFront - Cross Site Scripting
CVE: CVE-2012-1647 Within the MediaFront module, there is a PHP library for handling the stand-alone application of the Open Standard Media player. Within this library, both the $_SESSION and $_SERVER variables are handled without proper checks to make sure that no malicious code is injected within...
SA-CONTRIB-2012-020 - Faster Permissions - Access bypass
CVE: CVE-2012-1643 This module enables you to configure the permissions of a specific module on a separate page. This is especially handy for sites with a large list of permissions. The module doesn't sufficiently check for the required permissions when the provided permission administration is...
SA-CONTRIB-2012-021 - Organic Groups Vocab Access Bypass
CVE: CVE-2012-1644 This module enables you to have a specific vocabulary per organic group. The module doesn't sufficiently check access to vocabularies while allowing a group admin to edit the vocabularies. This vulnerability is mitigated by the fact that an attacker must have a role with the...
SA-CONTRIB-2012-015 - Managesite - Cross Site Scripting (XSS)
CVE: CVE-2012-1640 This module provides a way to build a control panel similar to the one provided by Drupal 7 on the admin zone /admin. The module doesn't sufficiently filter user supplied text in the administration settings. This vulnerability is mitigated by the fact that an attacker must have...
SA-CONTRIB-2012-004 - Date - SQL injection
CVE: CVE-2012-1626 This module enables you to add and administer date fields to nodes. It includes Date Tools, that allows users to convert nodes created with the Event module into Date fields. The conversion form for Events is vulnerable to SQL injection. This vulnerability is mitigated by the...
SA-CONTRIB-2012-001 - Registration Codes - Access bypass
CVE: CVE-2012-1623 The Registration Codes module enables site administrators to restrict registration for new accounts to only users who provide a valid registration code. The default module installation provides no access check for the registration code list, leading to a vulnerability that allo...
SA-CONTRIB-2011-020 - Taxonomy Access Control Lite (tac_lite) - Cross Site Scripting
The tac_lite module allows site administrators to hide nodes and taxonomy terms from users without permission to view them. The permission to view terms can be granted to a specific user, or to all users with a specific role. The module doesn't sufficiently strip markup when rendering taxonomy names,...
SA-CONTRIB-2011-012 - Spaces - Access bypass
The Spaces module makes sitewide configuration options available to be overridden by individual "spaces" on a Drupal site. Spaces provides a Views module access plugin that does not properly check its permission setting which may allow underprivileged users to visit certain pages. This...
SA-CONTRIB-2010-030: Mime Mail - Arbitrary code execution
The Mime Mail module is a helper module providing support for MIME mails, for use by other modules. Due to improper use of the PCRE regular expression engine, users with the ability to send HTML email with the Mime Mail module were able to execute arbitrary PHP code on the server. Versions...
SA-2008-011 - Securesite - Access bypass
The Secure Site module provides functions for placing your site behind HTTP-based authentication. The module contains a flaw that allows an attacker who is behind the same proxy as a logged-in user to access the site as if the attacker were that user. Versions affected Secure Site for Drupal 5.x an...
Klaro Cookie & Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-080
Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading. The module doesn't sufficiently sanitize some HTML attributes allowing persistent Cross-site Scripting XSS attacks. This...
EU Cookie Compliance (GDPR Compliance) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-072
This module addresses the General Data Protection Regulation GDPR and the EU Directive on Privacy and Electronic Communications. The module doesn't sufficiently verify whether "disabled JavaScript" entries are valid or correspond to actual scripts on the page. As a result, an attacker could injec...
Simple Klaro - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-073
The "Simple Klaro" module adds the "Klaro! A Simple Consent Manager" to your website and allows you to configure it according to your needs in the Drupal backend. The module doesn't sufficiently sanitise data attributes allowing persistent Cross Site Scripting XSS attacks. This vulnerability is...
Commerce Eurobank (Redirect) - Moderately critical - Access bypass - SA-CONTRIB-2025-066
This module enables you to pay for a Commerce order in an environment provided and secured by the bank. The module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request to update the order status to completed...
Drupal 8 Google Optimize Hide Page - Critical - Unsupported - SA-CONTRIB-2025-040
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Google Maps: Store Locator - Critical - Unsupported - SA-CONTRIB-2025-038
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Simple GTM - Critical - Unsupported - SA-CONTRIB-2025-037
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Obfuscate - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-029
This module enables you to obfuscate email addresses, to avoid them being easily available to spammers. The module doesn't sufficiently sanitise input when ROT13 encoding is used. This vulnerability is mitigated by the fact that an attacker must have a role with the ability to enter specific HTML...
Configuration Split - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-017
This module enables you to create super sets of configuration and enable them conditionally, for example have some modules installed only in some environments. The module does not use Cross Site Request Forgery CSRF tokens to protect routes for enabling or disabling a split. This vulnerability is...
OAuth Client & OpenID Connect SSO | OAuth/OIDC Login - Critical - Cross Site Scripting - SA-CONTRIB-2024-067
This module enables you to authenticate users through an Identity Provider IdP or OAuth Server, allowing them to log in to your Drupal site. The module does not sufficiently escape query parameters sent to the callback URL when displaying error messages, particularly if the code parameter is...
Image Sizes - Moderately critical - Access bypass - SA-CONTRIB-2024-023
This module enables you to create responsive image styles that depend on the parent element's width. The module doesn't sufficiently check access to rendered images, resulting in access bypass vulnerabilities in specific scenarios...
Drupal Symfony Mailer Lite - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-014
The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions. This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations...
Mail Login - Critical - Access bypass - SA-CONTRIB-2023-045
This module enables users to log in by email address with minimal configuration. Drupal core contains protection against brute force attacks via a flood control mechanism. This module's functionality did not replicate the flood control, enabling brute force attacks...
Drupal Symfony Mailer - Moderately critical - Cross site request forgery - SA-CONTRIB-2023-031
The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions. This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations...
Iubenda Integration - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-016
The Iubenda Integration module provides a custom block to provide a link to the Iubenda privacy policy. On this block, a custom prefix and suffix text can be entered. The module does not sufficiently filter the block text fields on output, resulting in a Cross-Site Scripting XSS vulnerability. Th...
Responsive media Image Formatter - Critical - Unsupported - SA-CONTRIB-2023-011
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...