Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2012/02/15 12:0 a.m.20 views

SA-CONTRIB-2012-020 - Faster Permissions - Access bypass

CVE: CVE-2012-1643 This module enables you to configure the permissions of a specific module on a separate page. This is especially handy for sites with a large list of permissions. The module doesn't sufficiently check for the required permissions when the provided permission administration is...

5CVSS6.4AI score0.01473EPSS
Exploits0References10
Drupal
Drupal
added 2012/02/15 12:0 a.m.20 views

SA-CONTRIB-2012-021 - Organic Groups Vocab Access Bypass

CVE: CVE-2012-1644 This module enables you to have a specific vocabulary per organic group. The module doesn't sufficiently check access to vocabularies while allowing a group admin to edit the vocabularies. This vulnerability is mitigated by the fact that an attacker must have a role with the...

2.1CVSS6.3AI score0.01117EPSS
Exploits1References10
Drupal
Drupal
added 2012/01/04 12:0 a.m.20 views

SA-CONTRIB-2012-001 - Registration Codes - Access bypass

CVE: CVE-2012-1623 The Registration Codes module enables site administrators to restrict registration for new accounts to only users who provide a valid registration code. The default module installation provides no access check for the registration code list, leading to a vulnerability that allo...

5CVSS6.6AI score0.01396EPSS
Exploits0References8
Drupal
Drupal
added 2011/05/11 12:0 a.m.20 views

SA-CONTRIB-2011-020 - Taxonomy Access Control Lite (tac_lite) - Cross Site Scripting

The taclite module allows site administrators to hide nodes and taxonomy terms from users without permission to view them. The permission to view terms can be granted to a specific user, or all users with a specific role. The module doesn't sufficiently strip markup when rendering taxonomy names,...

6AI score
Exploits0References11
Drupal
Drupal
added 2010/10/06 12:0 a.m.20 views

SA-CONTRIB-2010-099 - Views Bulk Operations - Access Bypass

Views Bulk Operations augments Views by allowing bulk operations to be executed on the nodes and users displayed by a view. It does so by showing a checkbox in front of each item, and adding a select box containing operations that can be applied on the selected items. In some circumstances, a...

4.9CVSS6.3AI score0.01064EPSS
Exploits0References6
Drupal
Drupal
added 2008/01/23 12:0 a.m.20 views

SA-2008-009 - Workflow - Cross site scripting

The Workflow module allows the creation and assignment of arbitrary workflows to Drupal node types. Workflow does not escape certain node properties on output. It is therefore possible to inject arbitrary HTML and script code into certain workflow messages such as those displayed on the workflow...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2007/10/17 12:0 a.m.20 views

SA-2007-025 - Drupal core - Arbitrary code execution via installer.

The Drupal installer allows any visitor to provide credentials for a database when the site's own database is not reachable. This allows attackers to run arbitrary code on the site's server. An immediate workaround is the removal of the file install.php in the Drupal root directory. Versions...

7.5AI score
Exploits0References3
Drupal
Drupal
added 2007/07/09 12:0 a.m.20 views

Print - Access bypass

Print is a module that allows site administrators to produce a "print friendly" version of a posting. By manipulating URL arguments, authenticated and anonymous users are able to access posts that should have been restricted by a node access module such as Organic Groups, Taxonomy Access Control,...

6.9AI score
Exploits0References4
Drupal
Drupal
added 2006/10/18 12:0 a.m.20 views

DRUPAL-SA-2006-024 - Drupal core - Multiple cross site scripting vulnerabilities

Multiple XSS cross site scripting vulnerabilities have been discovered. A bug in input validation and lack of output validation allows HTML and script insertion on several pages. Drupal's XML parser passes unescaped data to watchdog under certain circumstances. A malicious user may execute an XSS...

6.6AI score
Exploits0References4
Drupal
Drupal
added 2026/04/15 12:0 a.m.19 views

Drupal core - Critical - Cross-site scripting - SA-CORE-2026-001

Drupal core's jQuery integration for AJAX modal dialog boxes does not sufficiently sanitize certain options, which can lead to a cross-site scripting XSS vulnerability...

6.1CVSS4.9AI score0.00238EPSS
Exploits0References7
Drupal
Drupal
added 2026/03/18 12:0 a.m.19 views

Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030

This module provides a site administrator the ability to log users out after a specified time of inactivity. The module doesn't sufficiently protect its routes from cross-site request forgery CSRF, allowing the logout route to be triggered without user interaction...

4.3CVSS5.5AI score0.00109EPSS
Exploits0References1
Drupal
Drupal
added 2026/03/04 12:0 a.m.19 views

Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024

The Google Analytics GA4 module enables users to add custom attributes to the script tag used to load the Google Analytics library. The module does not sufficiently sanitize these attributes. This vulnerability is mitigated by the fact that an attacker must have a role with the "ga4 configure" or...

6.1CVSS5.8AI score0.00243EPSS
Exploits0References2
Drupal
Drupal
added 2026/01/28 12:0 a.m.19 views

Central Authentication System (CAS) Server - Less critical - XML Element Injection - SA-CONTRIB-2026-007

This module enables you to turn a Drupal install into the Central Authentication System CAS. It makes your database the primary location for other systems to use for authentication in a SSO environment. The module doesn't sufficiently sanitize user-supplied field values configured to be included ...

4.2CVSS5.6AI score0.00152EPSS
Exploits0References1
Drupal
Drupal
added 2025/05/28 12:0 a.m.19 views

EU Cookie Compliance (GDPR Compliance) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-072

This module addresses the General Data Protection Regulation GDPR and the EU Directive on Privacy and Electronic Communications. The module doesn't sufficiently verify whether "disabled JavaScript" entries are valid or correspond to actual scripts on the page. As a result, an attacker could injec...

5CVSS7AI score0.00187EPSS
Exploits0References2
Drupal
Drupal
added 2025/05/14 12:0 a.m.19 views

One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-062

This module enables you to allow users to include a second authentication method in addition to password authentication. The module doesn't sufficiently prevent TFA from being bypassed when using the REST login routes. A new requirements check has been added to the status report so other...

4.8CVSS7.3AI score0.00267EPSS
Exploits1References2
Drupal
Drupal
added 2025/01/29 12:0 a.m.19 views

Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009

This module allows a site to setup two factor authentication via QR code using authenticator applications on mobile devices including phones. The module does not properly protect its custom paths, allowing one user to access a different user's two factor configuration...

9.8CVSS7.5AI score0.00401EPSS
Exploits0References6
Drupal
Drupal
added 2025/01/29 12:0 a.m.19 views

Google Tag - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-012

This module enables you to integrate the site with the Google Tag Manager GTM application. The module doesn't sufficiently validate the enabling or disabling of a tag container. The routes involved are not protected against Cross Site Request Forgery CSRF. This vulnerability is mitigated by the...

6.8CVSS6.9AI score0.00167EPSS
Exploits0References9
Drupal
Drupal
added 2024/11/13 12:0 a.m.19 views

POST File - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-059

The module creates an endpoint on the site at /postfile/upload that accepts a POST request for uploading a single file into a specified file system public, private, etc. The module doesn't sufficiently protect against Cross Site Request Forgery under allowing an attacker to trick a site user into...

3.1CVSS7AI score0.00134EPSS
Exploits0References6
Drupal
Drupal
added 2024/02/21 12:0 a.m.19 views

Node Access Rebuild Progressive - Less critical - Access bypass - SA-CONTRIB-2024-010

This module provides an alternative mean of rebuilding the Content Access table. The module doesn't sufficiently reset the state of content access when the module is uninstalled...

5.3CVSS7.1AI score0.00263EPSS
Exploits0References6
Drupal
Drupal
added 2023/07/26 12:0 a.m.19 views

Drupal Symfony Mailer - Moderately critical - Cross site request forgery - SA-CONTRIB-2023-031

The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions. This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations...

6.8AI score
Exploits0References5
Drupal
Drupal
added 2023/03/29 12:0 a.m.19 views

Xray Audit - Moderately critical - Cross site scripting - SA-CONTRIB-2023-012

This module is a tool for developers, analysts, and administrators that allows them to generate reports on a given Drupal installation. The module does not sufficiently sanitize some data presented in its reports. This vulnerability is mitigated by the fact that an attacker must have a role with...

6.5AI score
Exploits0References7
Drupal
Drupal
added 2023/03/15 12:0 a.m.19 views

Responsive media Image Formatter - Critical - Unsupported - SA-CONTRIB-2023-011

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2022/03/30 12:0 a.m.19 views

Anti-Spam by CleanTalk - Moderately critical - SQL Injection - SA-CONTRIB-2022-032

This module provides integration with the CleanTalk spam protection service. The module does not properly filter data in certain circumstances. Update: 2022-03-31 - fix release node links...

6.8AI score
Exploits0References7
Drupal
Drupal
added 2021/05/12 12:0 a.m.19 views

Chaos Tool Suite (ctools) - Moderately critical - Information disclosure - SA-CONTRIB-2021-009

Chaos tool suite ctools module provides a number of APIs and extensions for Drupal, it's 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them. The module doesn't sufficiently handle access control on its EntityView...

6.6AI score
Exploits0References6
Drupal
Drupal
added 2020/05/06 12:0 a.m.19 views

Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-013

The Webform module allows site builders to create forms. The module doesn't sufficiently prevent malicious code from being render via an options elements i.e select menu, checkboxes, radios, etc... under the scenario where the site builder allows the raw option value to be displayed. This...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2020/05/06 12:0 a.m.19 views

Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-012

This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently validate data submitted into Webform Signature element during webform submission creation. This allows a malicious user to generate and extract HMAC hashes for arbitrary data. Such HMAC hashes are used...

6.3AI score
Exploits0References6
Drupal
Drupal
added 2019/06/26 12:0 a.m.19 views

Advanced Forum - Critical - Cross Site Scripting - SA-CONTRIB-2019-054

Advanced Forum builds on and enhances Drupal's core forum module. When used in combination with other Drupal contributed modules, many of which are automatically used by Advanced Forum, you can achieve much of what stand alone software provides. The module doesn't sufficiently sanitise user input...

6.4AI score
Exploits0References5
Drupal
Drupal
added 2019/06/19 12:0 a.m.19 views

Easy Breadcrumb - Critical - Cross Site Scripting - SA-CONTRIB-2019-053

This module enables you to use the current URL path alias and the current page's title to automatically extract the breadcrumb's segments and its respective links then show them as breadcrumbs on your website. The module doesn't sufficiently sanitise user input in certain circumstances. This...

5.9AI score
Exploits0References8
Drupal
Drupal
added 2018/10/31 12:0 a.m.19 views

Decoupled Router - Critical - Access bypass - SA-CONTRIB-2018-071

This module enables you to resolve the provided Drupal path in order to find the canonical path and information about the resolved entity. This information includes entity type ID, entity ID, entity UUID and entity label. The module doesn't sufficiently check access before displaying entity label...

6.4AI score
Exploits0References6
Drupal
Drupal
added 2018/10/03 12:0 a.m.19 views

Printer, email and PDF versions - Highly critical - Remote Code Execution - SA-CONTRIB-2018-063

This module provides printer-friendly versions of content, including send by e-mail and PDF versions. The module doesn't sufficiently sanitize the arguments passed to the wkhtmltopdf executable, allowing a remote attacker to execute arbitrary shell commands. It also doesn't sufficiently sanitize...

7.1AI score
Exploits0References7
Drupal
Drupal
added 2018/07/11 12:0 a.m.19 views

Beale Street - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-048

This theme features 4 built-in color styles, 18 collapsible regions, Suckerfish menus, flexible widths, adjustable sidebars, configurable font family, and lots more. The theme doesn't sufficiently sanitize user input. This vulnerability is mitigated by the fact that the theme is not exploitable...

6.6AI score
Exploits0References6
Drupal
Drupal
added 2018/06/13 12:0 a.m.19 views

Custom Tokens - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-041

The Custom Tokens module enables you to create custom tokens for specific replacements that can improve other modules relying on the token API. The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles. This vulnerability is...

6.4AI score
Exploits0References9
Drupal
Drupal
added 2018/01/31 12:0 a.m.19 views

Taxonomy Term Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-006

This module provides an expandable tree widget for the Taxonomy Term Reference field in Drupal 7. The module doesn't sufficiently sanitize the output of its own defined field formatter. This vulnerability is mitigated by the fact that an attacker must have a role with the permission that allows t...

6.4AI score
Exploits0References5
Drupal
Drupal
added 2017/11/29 12:0 a.m.19 views

MoneySuite - Moderately critical - Access bypass - SA-CONTRIB-2017-085

MoneySuite provides a set of modules for Drupal sites that rely on the sale of memberships and/or content for revenue. The modules have an access bypass vulnerability which allows untrusted users including anonymous users to view payments made by users within the system. No data can be modified,...

6.6AI score
Exploits0References6
Drupal
Drupal
added 2017/04/12 12:0 a.m.19 views

Open Atrium - Moderately critical - Information Disclosure - SA-CONTRIB-2017-041

Open Atrium is a distribution the enables collaboration sites to be built. It contains several custom modules to provide various functionality. While content is often protected behind private groups, public content can also be shared. When using Open Atrium as an internal Intranet, this "public"...

7AI score
Exploits0References11
Drupal
Drupal
added 2017/02/08 12:0 a.m.19 views

Wetkit Omega - Moderately Critical - Access Bypass - SA-CONTRIB-2017-012

WetKit Omega 4.x is a modern, Sass and Compass enabled Drupal 7 theme powered by the Omega base theme. When using the Drupal page cache, some links intended for privileged users can get cached and displayed to users who shouldn't have access to them. This is mitigated by the fact that the...

7AI score
Exploits0References15
Drupal
Drupal
added 2017/01/11 12:0 a.m.19 views

Mailjet - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2017-005

The Mailjet module integrates with a 3rd party system to deliver site-generated emails, including newsletters, system notifications, etc. The Mailjet module included v5.2.8 of the PHPMailer library in its "includes" directory. Per PSA-2016-004, this version of the PHPMailer library was vulnerable...

7.2AI score
Exploits0References14
Drupal
Drupal
added 2016/01/06 12:0 a.m.19 views

Field Group - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-001

Field Group module enables you to group fields on entity forms and entity displays. When adding a HTML element as group, the user has the option to add custom HTML attributes on the group. Via this option, a malicious user can embed scripts within the page, resulting in a Cross-site Scripting XSS...

6.1CVSS6AI score0.00619EPSS
Exploits0References10
Drupal
Drupal
added 2015/09/16 12:0 a.m.19 views

CMS Updater - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2015-150

CMS Updater allows to update Drupal core automatically with a subscription service. Access bypass The module does not sufficiently protect the settings page allowing any user with the permission "access administration pages" to change settings. This vulnerability is mitigated by the fact that an...

4.9CVSS5.4AI score0.0095EPSS
Exploits0References10
Drupal
Drupal
added 2015/07/01 12:0 a.m.19 views

Migrate - Less critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-130

This module enables you to manage migration processes through the administrative UI. The module doesn't sufficiently sanitize destination field labels thereby exposing a Cross Site Scripting vulnerability XSS. This vulnerability is mitigated by the fact that an attacker must have a role with...

2.6CVSS6AI score0.01165EPSS
Exploits0References11
Drupal
Drupal
added 2015/04/15 12:0 a.m.19 views

Services - Critical - Multiple Vulnerabilites - SA-CONTRIB-2015-096

Services module enables you to expose an API to third party systems. Access bypass file upload and execution The resource/endpoint for uploading files does not properly sanitize the filename of uploaded files. This vulnerability is mitigated by the fact that the "File Create" resource must be...

6CVSS6.1AI score0.01713EPSS
Exploits0References15
Drupal
Drupal
added 2015/04/01 12:0 a.m.19 views

Password Policy - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-090

The Password Policy module allows enforcing restrictions on user passwords by defining password policies. The module doesn't sufficiently sanitize usernames in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that only...

2.6CVSS6.2AI score0.01178EPSS
Exploits0References10
Drupal
Drupal
added 2015/03/11 12:0 a.m.19 views

SA-CONTRIB-2015-076 - Image Title - Cross Site Scripting (XSS)

Image Title module allows you to upload an image and use it as a node title. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must allowed to create/edit...

3.5CVSS6.1AI score0.00965EPSS
Exploits0References10
Drupal
Drupal
added 2015/03/04 12:0 a.m.19 views

SA-CONTRIB-2015-064 - Ubercart Discount Coupons - Cross Site Scripting (XSS)

Ubercart Discount Coupons module provides discount coupons for Ubercart stores. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. The vulnerability is mitigated by the fact that an attacker must have a...

3.5CVSS6AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2015/03/04 12:0 a.m.19 views

SA-CONTRIB-2015-069 - Taxonomy Accordion - Cross Site Scripting (XSS) - Unsupported

Taxonomy Accordion module creates a block for each taxonomy vocabularies. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user allowed to...

3.5CVSS6AI score0.00954EPSS
Exploits0References8
Drupal
Drupal
added 2015/02/25 12:0 a.m.19 views

SA-CONTRIB-2015-060 - Custom Sitemap - Cross Site Request Forgery (CSRF) - Unsupported

The Custom Sitemap module enables you to add custom sitemaps to a site. The module doesn't sufficiently protect some URLs against CSRF. A malicious user could trick an administrator into deleting sitemaps by getting their browser to make a request to a specially-crafted URL. CVE identifiers issue...

5.8CVSS6.3AI score0.00649EPSS
Exploits0References8
Drupal
Drupal
added 2015/02/11 12:0 a.m.19 views

SA-CONTRIB-2015-044 - Taxonomy Path - Cross Site Scripting (XSS)

Taxonomy Path module enables you to create custom links to taxonomy terms within a display mode. The module doesn't sufficiently sanitize user provided text in the provided "Link to path" field formatter, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by th...

3.5CVSS5.9AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/04 12:0 a.m.19 views

SA-CONTRIB-2015-036 - Public Download Count - Cross Site Scripting (XSS) - Unsupported

Public Download Count module keeps track of file download counts. The module doesn't sufficiently sanitize user supplied text in the Download counts report page thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role wit...

3.5CVSS6AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/07 12:0 a.m.19 views

SA-CONTRIB-2015-010 - Log Watcher - Cross Site Request Forgery (CSRF)

Log Watcher allows you to monitor your site logs in a systematic way by setting up scheduled aggregations for specific log types. The report administration links are not properly protected from CSRF. A malicious user could cause a log administrator to enable, disable, or delete a Log Watcher repo...

6.8CVSS6.2AI score0.00656EPSS
Exploits0References10
Drupal
Drupal
added 2014/12/17 12:0 a.m.19 views

SA-CONTRIB-2014-127 - School Administration - Cross Site Scripting (XSS)

School Administration module enables you to keep records of all students and staff. With inner modules, it aims to be a complete school administration system. The module failed to sanitize some node titles in messages, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is...

3.5CVSS5.7AI score0.00976EPSS
Exploits1References11
Total number of security vulnerabilities1940