Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2024/11/20 12:0 a.m.20 views

Mailjet - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-062

This module for Drupal provides complete control of Email settings with Drupal and Mailjet. In certain cases the module doesn't securely pass data to PHP's unserialize function, which could result in Remote Code Execution via PHP Object Injection. This vulnerability is mitigated by the fact that ...

6.6CVSS7.9AI score0.00399EPSS
Exploits0References5
Drupal
Drupal
added 2024/05/29 12:0 a.m.20 views

Image Sizes - Moderately critical - Access bypass - SA-CONTRIB-2024-023

This module enables you to create responsive image styles that depend on the parent element's width. The module doesn't sufficiently check access to rendered images, resulting in access bypass vulnerabilities in specific scenarios...

7.5CVSS7.3AI score0.00481EPSS
Exploits0References7
Drupal
Drupal
added 2024/02/28 12:0 a.m.20 views

Coffee - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-011

The Coffee module helps you to navigate through the Drupal admin menus faster with a shortcut popup. The module doesn't sufficiently escape menu names when displaying them in the popup, thereby exposing a XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a...

4.8CVSS6AI score0.00218EPSS
Exploits0References7
Drupal
Drupal
added 2024/02/28 12:0 a.m.20 views

Drupal Symfony Mailer Lite - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-014

The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions. This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations...

8.8CVSS7AI score0.00193EPSS
Exploits0References7
Drupal
Drupal
added 2024/01/31 12:0 a.m.20 views

Entity Delete Log - Moderately critical - Access bypass - SA-CONTRIB-2024-007

The Entity Delete Log module tracks the deletion of configured entity types, such as node or comments. It does not add sufficient permission to the log report page, allowing an attacker to view information from deleted entities...

6.5CVSS6.7AI score0.00267EPSS
Exploits0References8
Drupal
Drupal
added 2023/08/02 12:0 a.m.20 views

Matomo Analytics - Less critical - Cross Site Scripting - SA-CONTRIB-2023-033

This module enables you to add the Matomo web statistics tracking system to your website. The module does not check the Matomo JS code loaded on the website. So a user could configure the module to load JS from a malicious website. This vulnerability is mitigated by the fact that an attacker must...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2023/06/14 12:0 a.m.20 views

Office Hours - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-020

This module enables you to define a 'weekly office hours' field type, and add a field to any Content type, in order to display the weekly opening hours for a location. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting XSS vulnerability. This vulnerability...

6AI score
Exploits0References4
Drupal
Drupal
added 2023/05/31 12:0 a.m.20 views

Iubenda Integration - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-016

The Iubenda Integration module provides a custom block to provide a link to the Iubenda privacy policy. On this block, a custom prefix and suffix text can be entered. The module does not sufficiently filter the block text fields on output, resulting in a Cross-Site Scripting XSS vulnerability. Th...

5.8AI score
Exploits0References5
Drupal
Drupal
added 2023/03/01 12:0 a.m.20 views

Thunder - Moderately critical - Access bypass - SA-CONTRIB-2023-007

Thunder is a Drupal distribution for professional publishing. The thunder distribution ships the thundergqls module which provides a graphql interface. The module doesn't sufficiently check access when serving user data via graphql leading to an access bypass vulnerability potentially exposing...

6.7AI score
Exploits0References7
Drupal
Drupal
added 2022/12/14 12:0 a.m.20 views

File (Field) Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-065

The File Field Paths module extends the default functionality of Drupal's core File module, by adding the ability to use entity-based tokens in destination paths and file names. The module's default configuration could temporarily expose private files to anonymous visitors. Important note: to fix...

6.4AI score
Exploits0References12
Drupal
Drupal
added 2021/09/15 12:0 a.m.20 views

Entity Embed - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2021-028

This advisory addresses a similar issue to Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006. The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HT...

6.1CVSS7.5AI score0.00259EPSS
Exploits0References9
Drupal
Drupal
added 2021/07/28 12:0 a.m.20 views

Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2021-024

This project enables administrators to restrict access from anonymous and regular users to pre-defined pages. The administration routes used by the project lacked proper permissions, allowing untrusted users to access, create and modify the module's settings...

6.6AI score
Exploits0References7
Drupal
Drupal
added 2021/01/27 12:0 a.m.20 views

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2021-001

The optional Social Auth Extra module enables you to use the single sign-on methods provided by Open Social e.g. Facebook, LinkedIn, Google and Twitter. The module doesn't implement a proper cache strategy for anonymous users allowing the registration form to be cached with disclosed information ...

6.3AI score
Exploits0References6
Drupal
Drupal
added 2021/01/27 12:0 a.m.20 views

Subgroup - Less critical - Access bypass - SA-CONTRIB-2021-003

This module enables you to add groups to other groups in a tree structure where access can be inherited up or down the tree. When you configure Subgroup to have a tree with at least three levels, users may inadvertently get permissions in a group that is an uncle or cousin of the source group,...

6.6AI score
Exploits0References6Affected Software1
Drupal
Drupal
added 2019/07/17 12:0 a.m.20 views

ImageCache Actions - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-056

The imagecache actions module defines a number of additional image effects that can be used to create image styles. The "Image styles admin" sub module provides additional functionality to duplicate, export and import image styles. The module uses unserialize to import image styles into another...

6.7AI score
Exploits0References8
Drupal
Drupal
added 2019/04/03 12:0 a.m.20 views

Services - Less critical - Access bypass - SA-CONTRIB-2019-043

This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The Services module has an access bypass vulnerability in its "attachfile" resource that allows users who have access to create or update nodes that include file fields to...

6.4AI score
Exploits0References5
Drupal
Drupal
added 2019/02/20 12:0 a.m.20 views

Metatag - Critical - Remote code execution - SA-CONTRIB-2019-021

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...

6.7AI score
Exploits0References3
Drupal
Drupal
added 2017/11/29 12:0 a.m.20 views

MoneySuite - Moderately critical - Access bypass - SA-CONTRIB-2017-085

MoneySuite provides a set of modules for Drupal sites that rely on the sale of memberships and/or content for revenue. The modules have an access bypass vulnerability which allows untrusted users including anonymous users to view payments made by users within the system. No data can be modified,...

6.6AI score
Exploits0References6
Drupal
Drupal
added 2017/10/25 12:0 a.m.20 views

Brilliant Gallery - Highly critical - Multiple Vulnerabilities - SA-CONTRIB-2017-079

This module enables you to display any number of galleries based on images located in the files folder. The module doesn't sufficiently sanitize various database queries which may allow attackers to craft requests resulting in an SQL injection vulnerability. This vulnerability could be exploited...

6.8AI score
Exploits0References5
Drupal
Drupal
added 2017/08/16 12:0 a.m.20 views

Entity Reference - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-067

The entity reference module provides a field type that can reference arbitrary entities. In a vulnerable configuration, an attacker could determine the titles of nodes they do not have access to. This is mitigated as only entity reference fields using the "simple" entity selector are vulnerable,...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2017/01/11 12:0 a.m.20 views

Mailjet - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2017-005

The Mailjet module integrates with a 3rd party system to deliver site-generated emails, including newsletters, system notifications, etc. The Mailjet module included v5.2.8 of the PHPMailer library in its "includes" directory. Per PSA-2016-004, this version of the PHPMailer library was vulnerable...

7.2AI score
Exploits0References14
Drupal
Drupal
added 2016/11/02 12:0 a.m.20 views

Bootstrap - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-058

The Bootstrap theme enables you to integrate the Bootstrap framework with Drupal. The theme does not sufficiently filter potential user-supplied data when it's passed to certain templates can which lead to a Persistent Cross Site Scripting XSS vulnerability. CVE identifiers issued ACVE identifier...

6.2AI score
Exploits0References12
Drupal
Drupal
added 2015/09/09 12:0 a.m.20 views

Twitter - Moderately Critical - Access bypass - SA-CONTRIB-2015-146

This module enables you to pull in public tweets from Twitter accounts, post messages to Twitter to announce content changes, and authenticate using Twitter. The module doesn't sufficiently check for access when using the Twitter Post submodule to post messages to Twitter and allows a tweet to be...

3.5CVSS6.2AI score0.00981EPSS
Exploits0References22
Drupal
Drupal
added 2015/05/27 12:0 a.m.20 views

Storage API - Moderately Critical - Access Bypass - SA-CONTRIB-2015-114

The Storage API module creates an underlying agnostic storage layer for Drupal using many different underlying storage methods. Storage API can be used to create fields for entities to hold data. The module failed to restrict access to the Storage API fields attached to entities that are not node...

7.5CVSS6.4AI score0.01476EPSS
Exploits0References10
Drupal
Drupal
added 2015/04/29 12:0 a.m.20 views

Smart Trim - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-102

This module implements a new field formatter for textfields text, textlong, and textwithsummary, if you want to get technical that improves upon the "Summary or Trimmed" formatter built into Drupal 7. The module doesn't sufficiently filter user input via the field settings form. This vulnerabilit...

3.5CVSS6.5AI score0.00954EPSS
Exploits0References12
Drupal
Drupal
added 2015/04/29 12:0 a.m.20 views

MailChimp - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-101

The MailChimp module allows you to create and manage mailing lists via MailChimp's API. The MailChimp Signup submodule does not properly sanitize some user input, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS vulnerability. This vulnerability is...

2.1CVSS5.7AI score0.01405EPSS
Exploits0References13
Drupal
Drupal
added 2015/04/29 12:0 a.m.20 views

Views - Critical - Access Bypass - SA-CONTRIB-2015-103

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. Access bypass due cache inconsistency Due to an issue in the caching mechanism of Views it's possible that configured filters lose...

5CVSS6.3AI score0.02607EPSS
Exploits1References11
Drupal
Drupal
added 2015/03/18 12:0 a.m.20 views

SA-CONTRIB-2015-078 - Webform - Cross Site Scripting (XSS)

Webform is the module for making surveys, petitions, contests, personalized contact forms, and the like in Drupal. The module doesn't sufficiently sanitize component names when components are used to determine the e-mail addresses that may be sent upon webform submission. This vulnerability is...

3.5CVSS6.3AI score0.01091EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/18 12:0 a.m.20 views

SA-CONTRIB-2015-051 - Term Queue - Cross Site Scripting (XSS)

Term Queue module allows you to create lists of taxonomy terms and display them in a block. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker...

4.3CVSS6AI score0.01773EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/11 12:0 a.m.20 views

SA-CONTRIB-2015-044 - Taxonomy Path - Cross Site Scripting (XSS)

Taxonomy Path module enables you to create custom links to taxonomy terms within a display mode. The module doesn't sufficiently sanitize user provided text in the provided "Link to path" field formatter, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by th...

3.5CVSS5.9AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/28 12:0 a.m.20 views

SA-CONTRIB-2015-030 - Amazon AWS - Access bypass

Amazon AWS module provides integration with Amazon Web Services AWS. A malicious user could potentially guess an access token and trigger the creation of new backups by making a request to a specially-crafted URL. If the number of stored backups was limited, an attacker could exceed the limit by...

5CVSS6.1AI score0.02087EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/21 12:0 a.m.20 views

SA-CONTRIB-2015-023 - Classified Ads - Cross Site Scripting (XSS)

Classified Ads module enables administrators to create classified ads in various categories. The module doesn't correctly escape the category names in its administration user interface. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...

3.5CVSS6.3AI score0.00965EPSS
Exploits0References10
Drupal
Drupal
added 2015/01/07 12:0 a.m.20 views

SA-CONTRIB-2015-006 - Cloudwords for Multilingual Drupal - Multiple vulnerabilities

This module provides integration with the Cloudwords third-party service. The module was not sanitizing node titles on certain conditions, thereby leading to a Cross Site Scripting XSS vulnerability. Also, a menu callback was not protected against CSRF. The XSS vulnerability is mitigated by the...

6.8CVSS5.1AI score0.00965EPSS
Exploits0References10
Drupal
Drupal
added 2015/01/07 12:0 a.m.20 views

SA-CONTRIB-2015-011 - Todo Filter - Cross Site Request Forgery (CSRF)

Todo Filter module provides an input filter to display check-boxes that can be used as a task list. Some paths were not protected against CSRF, meaning that an attacker could cause users to toggle tasks they did not intend to toggle by getting the user's browser to make a request to a...

6.8CVSS6.3AI score0.00656EPSS
Exploits0References11
Drupal
Drupal
added 2015/01/07 12:0 a.m.20 views

SA-CONTRIB-2015-009 - Linkit - Cross Site Scripting (XSS)

Linkit provides an easy interface for internal and external linking with wysiwyg editors and fields by using an autocomplete field. The module doesn't sufficiently sanitize node titles in the result list if the node search plugin is enabled. This vulnerability is mitigated by the fact that an...

2.1CVSS6.4AI score0.0114EPSS
Exploits0References10
Drupal
Drupal
added 2014/12/10 12:0 a.m.20 views

SA-CONTRIB-2014-120 - Piwik Web Analytics - Information disclosure

This module enables you to integrate Drupal with Piwik Web Analytics. The module leaks the site specific hash salt to authenticated users when user-id tracking is turned on. This vulnerability is mitigated by the fact that user-id tracking must be turned on and the attacker needs to have an accou...

6.9AI score
Exploits0References11
Drupal
Drupal
added 2014/12/10 12:0 a.m.20 views

SA-CONTRIB-2014-121 - Godwin's Law - Cross Site Scripting (XSS)

This module enables you to execute arbitrary Javascript by adding the script to the title of a node. The module doesn't sufficiently sanitize Watchdog messages when viewing the detail view of a specific Watchdog notification. It improperly translated the message rather than using proper Watchdog...

3.5CVSS7AI score0.00946EPSS
Exploits0References11
Drupal
Drupal
added 2014/09/24 12:0 a.m.20 views

SA-CONTRIB-2014-093 - Twilio - Information Disclosure

This module enables you to easily add SMS and VOIP functionality to your website by leveraging the Twilio cloud Voip and SMS service. The module doesn't expose its own permissions for administration including viewing and editing the Twilio authentication tokens. It relies only on "access...

5.5CVSS6.6AI score0.00966EPSS
Exploits0References9
Drupal
Drupal
added 2014/02/12 12:0 a.m.20 views

SA-CONTRIB-2014-020 - Drupal Commons - Cross Site Scripting (XSS)

Drupal Commons is a ready-to-use solution for building either internal or external communities. It provides a complete social business software solution for organizations. Drupal Commons displays an "activity stream" containing messages about actions users take on the site. In some cases, message...

4.3CVSS6AI score0.01284EPSS
Exploits0References12
Drupal
Drupal
added 2014/02/05 12:0 a.m.20 views

SA-CONTRIB-2014-012- Modal Frame API - Cross Site Scripting (XSS)

This module enables provides an API to render an iframe within a modal dialog based on the jQuery UI Dialog plugin. You should not install this module unless another module requires you to, or you wish to use it for your own custom modules. The module doesn't sufficiently filter user supplied tex...

4.3CVSS6.4AI score0.01792EPSS
Exploits0References9
Drupal
Drupal
added 2014/01/22 12:0 a.m.20 views

SA-CONTRIB-2014-003 - Doubleclick for Publishers DFP - Cross Site Scripting (XSS)

This module enables you to create blocks to place advertisements from the Google Double Click for Publishers API DFP. The module doesn't sufficiently sanitize the slot names prior to output into HTML. This vulnerability is mitigated by the fact that an attacker must have a role with the permissio...

3.5CVSS6.3AI score0.00946EPSS
Exploits0References10
Drupal
Drupal
added 2014/01/22 12:0 a.m.20 views

SA-CONTRIB-2014-006 - Language Switcher Dropdown - Open Redirect

The Language Switcher Dropdown module enables you to place a block with a convenient drop-down language switcher. After choosing a value the user is redirected to the url of the relevant language. The module doesn't check that the url provided is a valid internal path prior to redirecting. CVE...

5.8CVSS6.4AI score0.01191EPSS
Exploits0References10
Drupal
Drupal
added 2013/12/18 12:0 a.m.20 views

SA-CONTRIB-2013-098 - Ubercart - Session Fixation Vulnerability

The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal. The module doesn't sufficiently protect against session fixation attacks when a user is automatically logged in to a newly created account during checkout. This vulnerability is mitigated by the fact that ...

6.8CVSS6.4AI score0.01346EPSS
Exploits0References12
Drupal
Drupal
added 2013/11/13 12:0 a.m.20 views

SA-CONTRIB-2013-092 - Misery - Denial of Service (DOS) vulnerability.

This module enables you to make life difficult for certain users, such as trolls, as an alternative to banning or deleting them from a community. The module provides means by which to punish members of your website. The aim of misery is to be not traceable by users on the misery list, so misery...

4.3CVSS6.3AI score0.01336EPSS
Exploits0References12
Drupal
Drupal
added 2013/10/30 12:0 a.m.20 views

SA-CONTRIB-2013-086 - Monster Menus - Access bypass

Monster Menus includes the ability to protect the visibility of comments for each node based on hierarchical permissions. However, a carefully-crafted URL could be used to bypass these permissions, allowing an anonymous user to view the comments associated with certain nodes. In order for this fl...

2.6CVSS6.2AI score0.01185EPSS
Exploits0References8
Drupal
Drupal
added 2013/09/18 12:0 a.m.20 views

SA-CONTRIB-2013-077 - Google Site Search - Cross Site Scripting (XSS)

This module enables you to use the Google API to search one or more sites and show the result in your Drupal site, with your custom styling. The module doesn't sufficiently sanitize the data retrieved from the Google API. This vulnerability is mitigated by the fact that an attack must come from t...

4.3CVSS6.3AI score0.01792EPSS
Exploits0References9
Drupal
Drupal
added 2013/08/14 12:0 a.m.20 views

SA-CONTRIB-2013-067 - BOTCHA - Information Disclosure (potential Privilege Escalation)

BOTCHA is a highly configurable non-CAPTCHA spam protection framework. The module includes a debug mode which logs the content of submitted forms including passwords and other sensitive information. An attacker who gains access to the log i.e. dblog or syslog depending on configuration could get...

4.3CVSS6.3AI score0.01031EPSS
Exploits0References12
Drupal
Drupal
added 2013/06/12 12:0 a.m.20 views

SA-CONTRIB-2013-052 - Display Suite - Cross Site Scripting (XSS)

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. In certain situations, Display Suite does not properly sanitize entity bundle labels, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS...

4.3CVSS5.6AI score0.01161EPSS
Exploits0References9
Drupal
Drupal
added 2013/05/29 12:0 a.m.20 views

SA-CONTRIB-2013-050 - Webform - Cross Site Scripting (XSS)

The Webform module allows the creation of custom webforms and surveys. Webform module does not sanitize the labels of created components fields when displaying a list of components to be used in e-mails or downloaded CSV files. This vulnerability is mitigated by the fact that an attacker must hav...

4.3CVSS6.3AI score0.01284EPSS
Exploits0References10
Drupal
Drupal
added 2013/04/03 12:0 a.m.20 views

SA-CONTRIB-2013-040 - Commerce Skrill (Formerly Moneybookers) - Access bypass

This module integrates the Skrill online payment services with Drupal Commerce. When processing Instant payment notifications IPN, the "Moneybookers enterprise" payment method provided by the Commerce Skrill contributed module does not perform sufficient access checking, potentially allowing forg...

7.5CVSS7.5AI score0.01094EPSS
Exploits0References11
Total number of security vulnerabilities1940