SA-CONTRIB-2012-157 - Time Spent - Multiple Vulnerabilities - (unsupported)
The Time Spent module tracks the time a registered user spends on a site and a site's content. The module doesn't sufficiently sanitize user input. Cross site scripting, cross-site request forgery, and SQL injection vulnerabilities have all been found. Note that none of these vulnerabilities have...
SA-CONTRIB-2012-152 - Feeds - Access bypass
The feeds module enables you to import or aggregate data as nodes, users, taxonomy terms or simple database records. The module doesn't sufficiently check permissions when creating nodes on behalf of a user. This vulnerability is mitigated by the fact that an attacker must have control over the...
SA-CONTRIB-2012-148 - OG - Access Bypass
OG Organic groups enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. A group membership can be given immediately upon subscribing, or be pending - waiting for a group administrat...
SA-CONTRIB-2012-144 Fonecta verify - Cross Site Scripting (XSS)
Fonecta verify provides an interface to retrieve information from the Finnish Fonecta company information database. The module contains an arbitrary script injection vulnerability (XSS) due to the fact that it fails to sanitize data retrieved from an untrusted third party source. This vulnerability...
SA-CONTRIB-2012-146 - Simplenews Scheduler - Arbitrary code execution
The Simplenews Scheduler module provides a system for creating automatic email newsletters. These can be set to be sent at a fixed interval, or PHP code can be entered to evaluate a condition for a new newsletter issue to be sent. The module allows a user with the 'send scheduled newsletters'...
SA-CONTRIB-2012-126 - Hotblocks - Cross Site Scripting (XSS) and Denial of Service (DoS)
The Hotblocks module provides an enhanced GUI for administering blocks and block content that is intended to be simpler and more controllable for less privileged users than the default block administration tools. Cross Site Scripting (XSS): The module doesn't sufficiently sanitize the user input for...
SA-CONTRIB-2012-111 - Security Questions - Access Bypass
This module provides administrator configurable challenge questions for use during the log in and password reset processes. The module doesn't perform a proper access check, allowing a user's questions and answers to be edited by other users including anonymous users. CVE: CVE-2012-4475 Versions...
SA-CONTRIB-2012-093 - Node Embed - Access Bypass
Node Embed gives content editors an interface for selecting and embedding nodes using a WYSIWYG editor. The interface for selecting nodes is a page that had no access check, allowing users to view node titles they might not have access to. This issue only affects your site if you have unpublished...
SA-CONTRIB-2012-091 - Token Authentication - Access bypass
The Token Authentication module provides a token for use in the URL to authenticate users to a site. Under certain uncommon situations, the module may not revert a user's session properly. Depending on how tokenauth is used, this could result in subsequent requests being performed as a user with...
SA-CONTRIB-2012-086 - Amadou - Cross Site Scripting
The Amadou theme outputs additional first and last classes to the list of links to help out themers. This was being done in a way that was not secure. A Cross Site Scripting (XSS) vulnerability was identified in Amadou theme's themeslinks function in the template.php file, which was fixed in the...
SA-CONTRIB-2012-076 - Ubercart Product Keys Access Bypass
CVE: CVE-2012-2702. This module enables you to sell product keys from an Ubercart store. Under certain circumstances, a user can view all unassigned product keys which could grant them access to the software circumventing the process of selling the key. Versions affected Ubercart Product Keys...
SA-CONTRIB-2012-065 - Sitedoc - Information disclosure
CVE: CVE-2012-2302 This module enables you to display a plethora of information about your site's structure. Optionally, the information may be saved into a file for later comparison. The module doesn't sufficiently verify that the saved file is protected by the Private File System. This...
SA-CONTRIB-2012-061 - Gigya - Social optimization - Cross Site Scripting (XSS)
CVE: CVE-2012-2117 The Gigya - Social optimization module provides a single API that aggregates authentication and social APIs from Facebook Connect, MySpace ID, Twitter, and OpenID webmail providers including Google, Yahoo, and AOL. The module doesn't sufficiently escape URL elements which are...
SA-CONTRIB-2012-057 - Printer, email and PDF versions - Cross Site Scripting (XSS)
CVE: CVE-2012-2084 This module provides printer-friendly versions of content, including send by e-mail and PDF versions. The module doesn't sufficiently escape URL elements which are printed back to the user. Versions affected Printer, email and PDF versions 6.x-1.x versions prior to 6.x-1.15...
SA-CONTRIB-2012-046 - Bundle Copy - Arbitrary Code execution
CVE: CVE-2012-2073 Bundle copy is a replacement for the Content copy module which lives in the CCK project for Drupal 6. Besides the ability to import and export content types, taxonomy and user entities are also supported. Field groups can be exported easily as well. The module doesn't...
SA-CONTRIB-2012-052 - Node Limit Number - Cross Site Request Forgery (CSRF)
CVE: CVE-2012-2080 The Node Limit Number module enables an administrator to place limits on how many nodes may be created by each user. Node Limit Number does not protect the delete URL against Cross Site Request Forgery attacks, allowing a malicious user to trick someone with "administer node...
SA-CONTRIB-2012-022 - CDN - Information disclosure
CVE: CVE-2012-1645 The CDN module provides easy Content Delivery Network integration for Drupal sites. It alters file URLs, so that files are downloaded from a CDN instead of your web server. When running in Origin Pull mode together with the "Far Future expiration" option, the module contains a...
SA-CONTRIB-2012-010 - stickynote - Multiple vulnerabilities
CVE: CVE-2012-1636 This module enables you to add textual notes in a block to perform quality assurance of your site. Previously it did not sufficiently protect against Cross Site Scripting (XSS) or Cross Site Request Forgery (CSRF). This vulnerability is mitigated by the fact that an attacker must...
SA-CONTRIB-2010-099 - Views Bulk Operations - Access Bypass
Views Bulk Operations augments Views by allowing bulk operations to be executed on the nodes and users displayed by a view. It does so by showing a checkbox in front of each item, and adding a select box containing operations that can be applied on the selected items. In some circumstances, a...
SA-CONTRIB-2010-069 - Case Tracker - Multiple Vulnerabilities
The Case Tracker module enables teams to track outstanding cases which need resolution by attaching a status, priority and type. Cross Site Scripting (XSS): The module does not sanitize some of the user-supplied data before displaying it, leading to a cross site scripting (XSS) vulnerability that may...
SA-CONTRIB-2009-010 Plus 1 - Cross-site request forgery
The Plus 1 module provides a voting widget for content that records votes using Ajax. The URL for voting is vulnerable to cross-site request forgeries (CSRF), making it possible for users to unknowingly vote for content. Versions affected Versions of Plus 1 prior to 6.x-2.6 Drupal core is not...
SA-2007-025 - Drupal core - Arbitrary code execution via installer.
The Drupal installer allows any visitor to provide credentials for a database when the site's own database is not reachable. This allows attackers to run arbitrary code on the site's server. An immediate workaround is the removal of the file install.php in the Drupal root directory. Versions...
Print - Access bypass
Print is a module that allows site administrators to produce a "print friendly" version of a posting. By manipulating URL arguments, authenticated and anonymous users are able to access posts that should have been restricted by a node access module such as Organic Groups, Taxonomy Access Control,...
DRUPAL-SA-2006-024 - Drupal core - Multiple cross site scripting vulnerabilities
Multiple XSS (cross site scripting) vulnerabilities have been discovered. A bug in input validation and lack of output validation allows HTML and script insertion on several pages. Drupal's XML parser passes unescaped data to watchdog under certain circumstances. A malicious user may execute an XSS...
SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031
This module enables you to perform SAML-protocol-based single sign-on (SSO) on a Drupal site. The module doesn't sufficiently block access, leading to an authentication bypass vulnerability...
ECA: Event - Condition - Action - Critical - Cross site request forgery - SA-CONTRIB-2025-031
This module enables you to define automations on your Drupal site. The module doesn't sufficiently protect certain routes from CSRF attacks. This vulnerability can be mitigated by disabling the "ecaui" submodule, which leaves ECA functionality intact, but the vulnerable routes will no longer be...
Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009
This module allows a site to set up two-factor authentication via QR code using authenticator applications on mobile devices including phones. The module does not properly protect its custom paths, allowing one user to access a different user's two-factor configuration...
Mailjet - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-062
This module for Drupal provides complete control of Email settings with Drupal and Mailjet. In certain cases the module doesn't securely pass data to PHP's unserialize function, which could result in Remote Code Execution via PHP Object Injection. This vulnerability is mitigated by the fact that ...
Node Access Rebuild Progressive - Less critical - Access bypass - SA-CONTRIB-2024-010
This module provides an alternative means of rebuilding the Content Access table. The module doesn't sufficiently reset the state of content access when the module is uninstalled...
Entity Delete Log - Moderately critical - Access bypass - SA-CONTRIB-2024-007
The Entity Delete Log module tracks the deletion of configured entity types, such as node or comments. It does not add sufficient permission to the log report page, allowing an attacker to view information from deleted entities...
GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2023-050
This module lets you craft and expose a GraphQL schema for Drupal 9 and 10. The module currently does not adequately verify whether a given user has the necessary permissions to access an entity's label, creating an access bypass vulnerability. This vulnerability is mitigated by the fact that enti...
Entity cache - Critical - Information disclosure - SA-CONTRIB-2023-046
Entity Cache puts core entities into Drupal's cache API. A recent release of the module does not sanitize certain inputs appropriately. This can lead to unintended behavior when wildcard characters are included in the input. The impact of this bug should be relatively minor in most configurations...
WebProfiler - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-044
The Webprofiler module provides a way of displaying the Symfony profile debugging tool at the bottom of each page. The abbrclass Twig filter can be used to bypass the Twig auto-escape feature. This vulnerability is mitigated by the fact that it is only exposed when the filter is specifically used...
Data field - Moderately critical - Access bypass - SA-CONTRIB-2023-040
The Data Field module provides a way of building field types that are made up of other fields, a simpler alternative to e.g. the Paragraphs system. Access to these forms isn't properly validated, allowing a user with the "access content" permission to view and edit fields on entities...
Civic Cookie Control - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-021
CivicCookieControl is a module that can help make a website compliant with EU and UK cookie legislation. The Civic GovUK Cookie Control module does not sufficiently sanitize the configuration, resulting in a Cross-Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that t...
Xray Audit - Moderately critical - Cross site scripting - SA-CONTRIB-2023-012
This module is a tool for developers, analysts, and administrators that allows them to generate reports on a given Drupal installation. The module does not sufficiently sanitize some data presented in its reports. This vulnerability is mitigated by the fact that an attacker must have a role with...
Entity Browser - Moderately critical - Information Disclosure - SA-CONTRIB-2023-002
The Entity Browser module allows you to select entities from entity reference fields using a custom entity browser widget. Entity Browser does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about entities they are not...
Social Base - Moderately critical - Access bypass - SA-CONTRIB-2022-060
The Social Base theme is designed as a base theme for Open Social. This base theme has a lot of sensible defaults. It doesn't however contain much styling. We expect developers to want to change this for their own project. When content within the Open Social distribution is placed within a...
PDF generator API - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-050
This module enables you to generate PDF versions of content. Some installations of the module make use of the dompdf/dompdf third-party dependency. Security vulnerabilities exist for versions of dompdf/dompdf before 2.0.0 as described in the 2.0.0 release notes...
Entity Print - Moderately critical - Multiple: Remote Code Execution, Information disclosure - SA-CONTRIB-2022-048
This module enables you to generate print versions of content. Some installations of the module make use of the dompdf/dompdf third-party dependency. Security vulnerabilities exist for versions of dompdf/dompdf before 2.0.0. See the library release notes for more detail:...
Lottiefiles Field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-046
The Lottiefiles Field module enables you to integrate the lottiefiles features into your page. The module does not sufficiently filter user-provided text on output, resulting in a Cross-Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role...
Wingsuit - Storybook for UI Patterns - Critical - Access bypass - SA-CONTRIB-2022-040
The Wingsuit module enables site builders to build UI Patterns and/or Twig Components with Storybook and use them without any mapping code in Drupal. The module doesn't have an access check for the admin form, allowing an attacker to view and modify the Wingsuit configuration...
Colorbox - Critical - Unsupported - SA-CONTRIB-2022-007
Updated 2022-02-02: New maintainers have volunteered for the project and created new releases which include fixes for the security issues that caused the module to be unsupported. The security team is marking this project unsupported. There is a known security issue with the project that has not...
Taxonomy Access Control Lite - Critical - Unsupported - SA-CONTRIB-2022-006
Update 2022-03-01. New maintainers have volunteered for the project and created a new release which includes fixes for the 3 security issues that caused the module to be unsupported. The security team is marking this project unsupported. There is a known security issue with the project that has n...
Search API Pages - Critical - Cross Site Scripting - SA-CONTRIB-2021-046
This module enables you to create simple search pages based on Search API without the use of Views. The module doesn’t sufficiently escape all variables provided for custom templates. This vulnerability is mitigated by the fact that the default template provided by the module is not affected...
The Better Mega Menu - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-039
This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. It does not sufficiently sanitize user input, such that an admin with permissions to edit a menu may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities...
Entity Embed - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2021-028
This advisory addresses a similar issue to Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006. The Entity Embed module provides a filter to allow embedding entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HT...
GraphQL - Moderately critical - Information Disclosure - SA-CONTRIB-2021-013
This module lets you craft and expose a GraphQL web service API. The module does not sufficiently protect arbitrary exception and error messages thereby exposing an information disclosure vulnerability. This vulnerability is mitigated by the fact that a GraphQL server must be enabled and a data...
Renderkit - Less critical - Access bypass - SA-CONTRIB-2020-026
The renderkit module contains components which can transform the display of field items sent to it. Some of these components do not respect the 'access' property on the field render element, and thus can make rendered field values visible to visitors who would otherwise not be allowed to see thos...
Views Bulk Operations (VBO) - Moderately critical - Access bypass - SA-CONTRIB-2020-003
Views Bulk Operations provides enhancements to running bulk actions on views. The module contains an access bypass vulnerability that might allow users to execute views actions that they should not have access to. This vulnerability is mitigated by the fact that it only occurs in the case of...