Anti-Spam by CleanTalk - Moderately critical - SQL Injection - SA-CONTRIB-2022-032

This module provides integration with the CleanTalk spam protection service. The module does not properly filter data in certain circumstances. Update: 2022-03-31 - fix release node links...

Chaos Tool Suite (ctools) - Moderately critical - Information disclosure - SA-CONTRIB-2021-009

Chaos tool suite ctools module provides a number of APIs and extensions for Drupal, it's 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them. The module doesn't sufficiently handle access control on its EntityView...

Subgroup - Less critical - Access bypass - SA-CONTRIB-2021-003

This module enables you to add groups to other groups in a tree structure where access can be inherited up or down the tree. When you configure Subgroup to have a tree with at least three levels, users may inadvertently get permissions in a group that is an uncle or cousin of the source group,...

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2021-001

The optional Social Auth Extra module enables you to use the single sign-on methods provided by Open Social e.g. Facebook, LinkedIn, Google and Twitter. The module doesn't implement a proper cache strategy for anonymous users allowing the registration form to be cached with disclosed information ...

Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008

SVG Image module allows to upload SVG files. The module did not sufficiently protect against malicious code inside SVG files leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file...

Nexus Theme - Critical - Unsupported - SA-CONTRIB-2019-078

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

ImageCache Actions - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-056

The imagecache actions module defines a number of additional image effects that can be used to create image styles. The "Image styles admin" sub module provides additional functionality to duplicate, export and import image styles. The module uses unserialize to import image styles into another...

Easy Breadcrumb - Critical - Cross Site Scripting - SA-CONTRIB-2019-053

This module enables you to use the current URL path alias and the current page's title to automatically extract the breadcrumb's segments and its respective links then show them as breadcrumbs on your website. The module doesn't sufficiently sanitise user input in certain circumstances. This...

GatherContent - Moderately critical - Access bypass - SA-CONTRIB-2018-075

This module enables you to import and export data from the GatherContent service. The module didn't properly protect its administrative paths...

Printer, email and PDF versions - Highly critical - Remote Code Execution - SA-CONTRIB-2018-063

This module provides printer-friendly versions of content, including send by e-mail and PDF versions. The module doesn't sufficiently sanitize the arguments passed to the wkhtmltopdf executable, allowing a remote attacker to execute arbitrary shell commands. It also doesn't sufficiently sanitize...

MoneySuite - Moderately critical - Access bypass - SA-CONTRIB-2017-085

MoneySuite provides a set of modules for Drupal sites that rely on the sale of memberships and/or content for revenue. The modules have an access bypass vulnerability which allows untrusted users including anonymous users to view payments made by users within the system. No data can be modified,...

Open Atrium - Moderately critical - Information Disclosure - SA-CONTRIB-2017-041

Open Atrium is a distribution the enables collaboration sites to be built. It contains several custom modules to provide various functionality. While content is often protected behind private groups, public content can also be shared. When using Open Atrium as an internal Intranet, this "public"...

Wetkit Omega - Moderately Critical - Access Bypass - SA-CONTRIB-2017-012

WetKit Omega 4.x is a modern, Sass and Compass enabled Drupal 7 theme powered by the Omega base theme. When using the Drupal page cache, some links intended for privileged users can get cached and displayed to users who shouldn't have access to them. This is mitigated by the fact that the...

Field Group - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-001

Field Group module enables you to group fields on entity forms and entity displays. When adding a HTML element as group, the user has the option to add custom HTML attributes on the group. Via this option, a malicious user can embed scripts within the page, resulting in a Cross-site Scripting XSS...

Colorbox - Access bypass - Less Critical - SA-CONTRIB-2015-156

This module allows for integration of Colorbox, a jQuery lightbox plugin, into Drupal. The module allows unprivileged users to add unexpected content to a Colorbox, including content from external sites. This allows an unprivileged user to deface a site. This vulnerability is mitigated by the fac...

Twitter - Moderately Critical - Access bypass - SA-CONTRIB-2015-146

This module enables you to pull in public tweets from Twitter accounts, post messages to Twitter to announce content changes, and authenticate using Twitter. The module doesn't sufficiently check for access when using the Twitter Post submodule to post messages to Twitter and allows a tweet to be...

Migrate - Less critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-130

This module enables you to manage migration processes through the administrative UI. The module doesn't sufficiently sanitize destination field labels thereby exposing a Cross Site Scripting vulnerability XSS. This vulnerability is mitigated by the fact that an attacker must have a role with...

MailChimp - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-101

The MailChimp module allows you to create and manage mailing lists via MailChimp's API. The MailChimp Signup submodule does not properly sanitize some user input, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS vulnerability. This vulnerability is...

EntityBulkDelete - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-089

EntityBulkDelete module allows you to delete entities in bulk using the Batch API. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must be...

SA-CONTRIB-2015-064 - Ubercart Discount Coupons - Cross Site Scripting (XSS)

Ubercart Discount Coupons module provides discount coupons for Ubercart stores. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. The vulnerability is mitigated by the fact that an attacker must have a...

SA-CONTRIB-2015-030 - Amazon AWS - Access bypass

Amazon AWS module provides integration with Amazon Web Services AWS. A malicious user could potentially guess an access token and trigger the creation of new backups by making a request to a specially-crafted URL. If the number of stored backups was limited, an attacker could exceed the limit by...

SA-CONTRIB-2015-023 - Classified Ads - Cross Site Scripting (XSS)

Classified Ads module enables administrators to create classified ads in various categories. The module doesn't correctly escape the category names in its administration user interface. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...

SA-CONTRIB-2015-009 - Linkit - Cross Site Scripting (XSS)

Linkit provides an easy interface for internal and external linking with wysiwyg editors and fields by using an autocomplete field. The module doesn't sufficiently sanitize node titles in the result list if the node search plugin is enabled. This vulnerability is mitigated by the fact that an...

SA-CONTRIB-2015-010 - Log Watcher - Cross Site Request Forgery (CSRF)

Log Watcher allows you to monitor your site logs in a systematic way by setting up scheduled aggregations for specific log types. The report administration links are not properly protected from CSRF. A malicious user could cause a log administrator to enable, disable, or delete a Log Watcher repo...

SA-CONTRIB-2015-011 - Todo Filter - Cross Site Request Forgery (CSRF)

Todo Filter module provides an input filter to display check-boxes that can be used as a task list. Some paths were not protected against CSRF, meaning that an attacker could cause users to toggle tasks they did not intend to toggle by getting the user's browser to make a request to a...

SA-CONTRIB-2014-123 - Postal Code - Cross Site Scripting (XSS)

The Postal Code module enables you to implement postal code validation for several countries. The module doesn't sufficiently sanitize certain data in the admin thereby opening a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role...

SA-CONTRIB-2014-121 - Godwin's Law - Cross Site Scripting (XSS)

This module enables you to execute arbitrary Javascript by adding the script to the title of a node. The module doesn't sufficiently sanitize Watchdog messages when viewing the detail view of a specific Watchdog notification. It improperly translated the message rather than using proper Watchdog...

SA-CONTRIB-2014-043 - Custom Search - Cross Site Scripting (XSS)

The Custom Search module alters the default search box to provide some options like in advanced search, but directly in the search box. The module doesn't sanitize taxonomy vocabulary labels before display leading to a persistent cross site scripting XSS vulnerability. This vulnerability is...

SA-CONTRIB-2014-036 - Print - Cross Site Scripting

This module provides printer-friendly versions of content, including send by e-mail and PDF versions. The module does not sufficiently sanitize user provided input when generating the printed version of a node. This is mitigated by the fact that an attacker must have permission to create a node...

SA-CONTRIB-2014-018 - Webform - Cross Site Scripting (XSS)

The Webform module enables you to create forms which can be used for surveys, contact forms or other data collection throughout your site. The module doesn't sufficiently sanitize field label titles when two fields have the same formkey, which can only be managed by carefully crafting the webform...

SA-CONTRIB-2014-012- Modal Frame API - Cross Site Scripting (XSS)

This module enables provides an API to render an iframe within a modal dialog based on the jQuery UI Dialog plugin. You should not install this module unless another module requires you to, or you wish to use it for your own custom modules. The module doesn't sufficiently filter user supplied tex...

SA-CONTRIB-2014-006 - Language Switcher Dropdown - Open Redirect

The Language Switcher Dropdown module enables you to place a block with a convenient drop-down language switcher. After choosing a value the user is redirected to the url of the relevant language. The module doesn't check that the url provided is a valid internal path prior to redirecting. CVE...

SA-CONTRIB-2014-003 - Doubleclick for Publishers DFP - Cross Site Scripting (XSS)

This module enables you to create blocks to place advertisements from the Google Double Click for Publishers API DFP. The module doesn't sufficiently sanitize the slot names prior to output into HTML. This vulnerability is mitigated by the fact that an attacker must have a role with the permissio...

SA-CONTRIB-2013-092 - Misery - Denial of Service (DOS) vulnerability.

This module enables you to make life difficult for certain users, such as trolls, as an alternative to banning or deleting them from a community. The module provides means by which to punish members of your website. The aim of misery is to be not traceable by users on the misery list, so misery...

SA-CONTRIB-2013-086 - Monster Menus - Access bypass

Monster Menus includes the ability to protect the visibility of comments for each node based on hierarchical permissions. However, a carefully-crafted URL could be used to bypass these permissions, allowing an anonymous user to view the comments associated with certain nodes. In order for this fl...

SA-CONTRIB-2013-077 - Google Site Search - Cross Site Scripting (XSS)

This module enables you to use the Google API to search one or more sites and show the result in your Drupal site, with your custom styling. The module doesn't sufficiently sanitize the data retrieved from the Google API. This vulnerability is mitigated by the fact that an attack must come from t...

SA-CONTRIB-2013-075 - Click2Sell - Multiple Vulnerabilities (XSS and CSRF)

Click2Sell is an Affiliate Marketing Network which lets you sell your products through their marketplace or on your website with buy it now buttons, and which also allows you to access hundreds of affiliates who want to sell your product for you and earn commission. Reflected Cross Site Scripting...

SA-CONTRIB-2013-070 - Zen - Cross Site Scripting

The Zen theme is a very popular base/starter theme. Zen doesn't sufficiently escape the breadcrumb separator field, allowing a possible XSS exploit. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". CVE identifiers issued...

SA-CONTRIB-2013-057 - TinyBox - Cross Site Scripting (XSS)

TinyBox module uses TinyBox, a lightweight and standalone modal window script. The main purpose of this module is to provide Splash Screen/Window as simple as possible. The module doesn't filter user-supplied text prior to display. The vulnerability is mitigated by the fact that an attacker must...

SA-CONTRIB-2013-051 - Services - Cross site request forgery (CSRF)

This module enables you to expose an API to third party systems using REST, XML-RPC or other protocols. The module doesn't sufficiently verify writing requests POST, PUT, DELETE with session cookie authentication, thereby exposing a Cross Site Request Forgery vulnerability. This vulnerability is...

SA-CONTRIB-2013-048 - Edit Limit - Access Bypass

Edit Limit enables you to set time and count-based limits on how and when a user can edit nodes or comments. The module doesn't sufficiently check user access when editing comments to see if the user has the necessary permissions to edit a comment outside of the limits applied by this module. Thi...

SA-CONTRIB-2013-050 - Webform - Cross Site Scripting (XSS)

The Webform module allows the creation of custom webforms and surveys. Webform module does not sanitize the labels of created components fields when displaying a list of components to be used in e-mails or downloaded CSV files. This vulnerability is mitigated by the fact that an attacker must hav...

SA-CONTRIB-2013-047 - Google Authenticator login - Access Bypass

This module will allow you to add Time-based One-time Password Algorithm also called "Two Step Authentication" or "Multi-Factor Authentication" support to user logins. It works with Google's Authenticator app system and support most if not all OATH based HOTP/TOTP systems. Accidental removal of...

SA-CONTRIB-2013-040 - Commerce Skrill (Formerly Moneybookers) - Access bypass

This module integrates the Skrill online payment services with Drupal Commerce. When processing Instant payment notifications IPN, the "Moneybookers enterprise" payment method provided by the Commerce Skrill contributed module does not perform sufficient access checking, potentially allowing forg...

SA-CONTRIB-2013-024 - Creative Theme - Cross Site Scripting (XSS)

Creative Theme is a light weight Drupal 7 theme with a modern look and feel. The theme doesn't properly sanitize user-entered content in the social icon leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

SA-CONTRIB-2012-157 - Time Spent - Multiple Vulnerabilities - (unsupported)

The Time Spent module tracks the time a registered user spends on a site and a site's content. The module doesn't sufficiently sanitize user input. Cross site scripting, cross-site request forgery, and SQL injection vulnerabilities have all been found. Note that none of these vulnerabilities have...

SA-CONTRIB-2012-152 - Feeds - Access bypass

The feeds module enables you to import or aggregate data as nodes, users, taxonomy terms or simple database records. The module doesn't sufficiently check permissions when creating nodes on behalf of a user. This vulnerability is mitigated by the fact that an attacker must have control over the...

SA-CONTRIB-2012-148 - OG - Access Bypass

OG Organic groups enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. A group membership can be given immediately upon subscribing, or be pending - waiting for a group administrat...

SA-CONTRIB-2012-144 Fonecta verify - Cross Site Scripting (XSS)

Fonecta verify provides an interface to retrieve information from the Finnish Fonecta company information database. The module contains an arbitrary script injection vulnerability XSS due to the fact that it fails to sanitize data retrieved from an untrusted third party source. This vulnerability...

SA-CONTRIB-2012-146 - Simplenews Scheduler - Arbitrary code execution

The Simplenews Scheduler module provides a system for creating automatic email newsletters. These can be set to be sent at a fixed interval, or PHP code can be entered to evaluate a condition for a new newsletter issue to be sent. The module allows a user with the 'send scheduled newsletters'...