Floating Button Menu - Critical - Unsupported - SA-CONTRIB-2019-091
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Facebook Messenger Customer Chat Plugin - Critical - Access bypass - SA-CONTRIB-2019-059
The Facebook Messenger Customer Chat Plugin module enables you to add the Facebook Messenger Customer Chat Plugin to your Drupal site. The module doesn't require user permissions on the admin page...
Services - Less critical - Access bypass - SA-CONTRIB-2019-043
This module provides a standardized solution for building APIs so that external clients can communicate with Drupal. The Services module has an access bypass vulnerability in its "attachfile" resource that allows users who have access to create or update nodes that include file fields to...
Back To Top - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-040
This module enables you to add a button that hovers in the bottom of your screen and allows users to smoothly scroll up the page using jQuery. The module doesn't sufficiently sanitize the code that gets printed on pages leading to a Cross Site Scripting XSS issue. This vulnerability is mitigated ...
Date Reminder - Moderately critical - Access bypass - SA-CONTRIB-2018-076
This module allows registered users to request email reminders to be sent at a specified time before an event. The module doesn't sufficiently check access to nodes, allowing a user to set a reminder on a node that the user shouldn't be able to access. This can be mitigated with configuring...
Decoupled Router - Critical - Access bypass - SA-CONTRIB-2018-071
This module enables you to resolve the provided Drupal path in order to find the canonical path and information about the resolved entity. This information includes entity type ID, entity ID, entity UUID and entity label. The module doesn't sufficiently check access before displaying entity label...
Search API Solr - Moderately critical - Access bypass - SA-CONTRIB-2018-065
This module provides support for creating searches using the Apache Solr search engine and the Search API Drupal module. The module doesn't sufficiently take the searched fulltext fields into account when creating a search excerpt. This can, in specific cases, lead to confidential data being leak...
Beale Street - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-048
This theme features 4 built-in color styles, 18 collapsible regions, Suckerfish menus, flexible widths, adjustable sidebars, configurable font family, and lots more. The theme doesn't sufficiently sanitize user input. This vulnerability is mitigated by the fact that the theme is not exploitable...
Custom Tokens - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-041
The Custom Tokens module enables you to create custom tokens for specific replacements that can improve other modules relying on the token API. The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles. This vulnerability is...
Taxonomy Term Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-006
This module provides an expandable tree widget for the Taxonomy Term Reference field in Drupal 7. The module doesn't sufficiently sanitize the output of its own defined field formatter. This vulnerability is mitigated by the fact that an attacker must have a role with the permission that allows t...
Stacks - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-001
This module enables content editors to create complex pages and layouts on the fly without the help from a developer, using reusable widgets. The module does not sufficiently filter values posted to its AJAX endpoint, which leads to the instantiation of an arbitrary PHP class. This vulnerability ...
Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2017-082
The Permissions by Term module extends Drupal by adding functionality for restricting access to single nodes via taxonomy terms. The module grants access to nodes that are being blocked by other node access modules and that the Permissions by Term module does not intend to control. Additionally, ...
Views refresh - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-069
When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views refresh module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to...
OAuth - Critical - Access Bypass - SA-CONTRIB-2017-056
This module enables you to protect requests via the OAuth authentication protocol. The module doesn't sufficiently notify the Cache API to avoid caching responses under the scenario in which an authenticated user requests a resource such as unpublished node. This vulnerability is mitigated by the...
Webform Multiple file upload - Moderately Critical - Access bypass - SA-CONTRIB-2017-045
This module enables you to upload multiple files at once in a webform. The module doesn't sufficiently check access to file deletion urls. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to edit all or their own webform submissions. CVE identifier...
Flag clear - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-017
The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own. The module doesn't sufficiently protect from CSRF attacks. The unflagging links do not...
Mailjet - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2017-005
The Mailjet module integrates with a 3rd party system to deliver site-generated emails, including newsletters, system notifications, etc. The Mailjet module included v5.2.8 of the PHPMailer library in its "includes" directory. Per PSA-2016-004, this version of the PHPMailer library was vulnerable...
Require Login - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2016-045
This module enables you to restrict site access without using user roles or permissions. The module does not sufficiently escape some of its settings, and, in some cases, allows malicious users to bypass the protection offered by Require Login. CVE identifiers issued: A CVE identifier will be...
amoCRM - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2015-149
This module enables you to integrate with the amoCRM service using webhooks. The module does not sufficiently sanitize the logged data when malicious POST data is received. This vulnerability is mitigated by the fact that a module such as "Database logging" (dblog) must be enabled which displays log...
Node Template - Moderately Critical - Cross Site Request Forgery (CSRF) - Unsupported - SA-CONTRIB-2015-099
Node Template module enables you to define any node as a node template and it can be duplicated later. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with "access node template" permission to delete node templates by getting their browser to make...
Services - Critical - Multiple Vulnerabilities - SA-CONTRIB-2015-096
Services module enables you to expose an API to third party systems. Access bypass, file upload and execution: The resource/endpoint for uploading files does not properly sanitize the filename of uploaded files. This vulnerability is mitigated by the fact that the "File Create" resource must be...
Imagefield Info - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-088
Imagefield Info module enables you to view image field paths so you can easily use them with a WYSIWYG editor. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fa...
SA-CONTRIB-2015-069 - Taxonomy Accordion - Cross Site Scripting (XSS) - Unsupported
Taxonomy Accordion module creates a block for each taxonomy vocabulary. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user allowed to...
SA-CONTRIB-2015-053 - Entity API - Cross Site Scripting (XSS)
The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. The module doesn't sufficiently sanitize field labels when exposing them through the Token API thereby exposing a Cross Site Scripting XSS vulnerability. This...
SA-CONTRIB-2015-059 - Spider Video Player - Multiple vulnerabilities - Unsupported
Spider Video Player module enables you to add HTML5 and Flash videos to your site. The module doesn't sufficiently check user input when deleting files. A malicious user could delete arbitrary files by making a request to a specially-crafted URL. This vulnerability is mitigated by the fact that t...
SA-CONTRIB-2015-017 - Room Reservations - Cross Site Scripting (XSS)
Room Reservations module enables you to manage a room reservation system. The module doesn't sufficiently sanitize the node title of "Room Reservations Category" nodes and the body of "Room Reservations Room" nodes, thereby leading to a Cross Site Scripting XSS vulnerability. This vulnerability i...
SA-CONTRIB-2015-006 - Cloudwords for Multilingual Drupal - Multiple vulnerabilities
This module provides integration with the Cloudwords third-party service. The module was not sanitizing node titles on certain conditions, thereby leading to a Cross Site Scripting XSS vulnerability. Also, a menu callback was not protected against CSRF. The XSS vulnerability is mitigated by the...
SA-CONTRIB-2014-120 - Piwik Web Analytics - Information disclosure
This module enables you to integrate Drupal with Piwik Web Analytics. The module leaks the site specific hash salt to authenticated users when user-id tracking is turned on. This vulnerability is mitigated by the fact that user-id tracking must be turned on and the attacker needs to have an accou...
SA-CONTRIB-2014-116 - Webform Invitation - Cross Site Scripting (XSS)
This module enables you to create custom invitation codes for Webforms. The module failed to sanitize node titles. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Webform: Create new content", "Webform: Edit own content" and/or "Webform: Edit any...
SA-CONTRIB-2014-091 - Survey Builder - Cross Site Scripting (XSS)
This module allows you to use the Form Builder module to provide an intuitive interface for building surveys, along with the back-end for storing surveys and their responses. Cross Site Scripting (XSS): When viewing surveys at "/surveys", the survey titles printed out are not sanitized. Any...
SA-CONTRIB-2014-007 - Services - Multiple access bypass vulnerabilities
This module enables you to expose an API to third party systems using REST, XML-RPC or other protocols. The form API provides a method for developers to submit forms programmatically using the function drupal_form_submit(). During programmatic form submissions, all access checks are deliberately...
SA-CONTRIB-2013-093 - Invitation - Access Bypass
The Invitation module restricts registration to users who have an invite code for running a private beta. The module provides default views that don't check access to views prior to displaying private information like usernames and email addresses. CVE identifiers issued: CVE-2013-7063. Versions...
SA-CONTRIB-2013-087 - Payment for Webform - Access Bypass
This module enables you to ask for or require payments before users can submit webforms. It previously allowed anonymous users to sometimes use other anonymous users' payments when submitting a form. Payment for Webform never supported anonymous users, but there was also nothing that prevented th...
SA-CONTRIB-2013-069 - Password Policy - XSS
This module enables you to specify a certain level of password complexity, a.k.a. "password hardening", for user passwords in Drupal by defining a password policy. When viewing and editing a password policy, the module doesn't sufficiently filter the form text field input and display for the "Passwor...
SA-CONTRIB-2013-052 - Display Suite - Cross Site Scripting (XSS)
Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. In certain situations, Display Suite does not properly sanitize entity bundle labels, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS...
SA-CONTRIB-2013-029 - Business theme - Cross Site Scripting (XSS)
This third-party contributed theme changes Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...
SA-CONTRIB-2013-027 - Professional theme - Cross Site Scripting (XSS)
This third-party contributed theme changes Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...
SA-CONTRIB-2013-003 - RESTful Web Services - Cross site request forgery (CSRF)
This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module doesn't sufficiently verify POST requests thereby exposing a Cross Site Request Forgery vulnerability. This vulnerability is...
SA-CONTRIB-2013-002 - Payment - Access Bypass
Payment enables other modules to make payments using a variety of payment processing services. The module incorrectly grants access when checking if a user can view payments, allowing a user to access the payments of other users. CVE identifiers issued: CVE-2013-0182. Versions affected: Payment...
SA-CONTRIB-2012-156 - Search API - Cross Site Request Forgery (CSRF)
This module enables you to build searches using a wide range of features, data sources and backends. The module doesn't sufficiently guard the “enable index” action against Cross Site Request Forgery CSRF attacks which could allow an attacker to enable existing search indexes on your site. This...
SA-CONTRIB-2012-129 - Activism - Access Bypass
The Activism module is an attempt to standardize the way online advocacy tools are built in Drupal 6. It ships with and creates a "Campaign" content type which is always viewable, even when an administrator unpublishes it or otherwise restricts viewing access. CVE: Requested. Versions affected...
SA-CONTRIB-2012-099 - Node Hierarchy - Cross Site Request Forgery (CSRF)
Node Hierarchy module allows for the creation of parent-child relationships among nodes that can create a tree-like hierarchy of content. The module doesn't sufficiently confirm user intent when reordering child nodes, allowing a malicious user to trick a site admin into changing the desired...
SA-CONTRIB-2012-098 - Janrain Capture - Open Redirect
This module allows for authentication through the cloud user-management platform Janrain Capture. Part of the module exposes an endpoint to re-synchronize user data between Drupal and Capture and allows for passing an optional parameter to redirect the user back to an original location. This...
SA-CONTRIB-2012-048 - Contact Save - Cross Site Scripting
CVE: CVE-2012-2075 This module stores in the database all messages submitted through the core contact forms, and provides a way to respond to these messages through the website. The module doesn't sufficiently filter user supplied text, leading to a cross-site scripting XSS vulnerability. This...
SA-CONTRIB-2012-042 - Wishlist Cross Site Scripting (XSS)
CVE: CVE-2012-2069 The Wishlist Module allows users to maintain shared wishlists for special events and holidays. Impact: The module doesn't sufficiently filter user supplied text from the URL. This can be used to perform a reflected cross site scripting XSS attack. User account credentials could...
SA-CONTRIB-2012-030 - Data - Cross Site Scripting (XSS)
CVE: CVE-2012-1654 This module enables you to create arbitrary tables in your Drupal database and manage the data in them, and also manage data in existing tables such as those created by or imported from a third-party application. The module doesn't sufficiently escape the human-readable title...
SA-CONTRIB-2012-028 - Hierarchical Select - Cross Site Scripting (XSS)
CVE: CVE-2012-1652 The Hierarchical Select module provides a "hierarchical_select" form element, which is a greatly enhanced way for letting the user select items in a taxonomy. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS...
SA-CONTRIB-2012-011 - Panels - Cross Site Scripting (XSS)
CVE: CVE-2012-0914 The Panels module allows a site administrator to create customized layouts for multiple uses. The module doesn't sufficiently sanitize administrator supplied data. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer pane...
SA-CONTRIB-2011-018 - Node Reference URL Widget - Cross Site Scripting
The Node Reference URL Widget module adds a new widget to the Node Reference field type, allowing node reference fields to be auto-populated based on a value from the URL. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS...
SA-CONTRIB-2010-101 - Watcher - Multiple Vulnerabilities
The Watcher module lets users subscribe to nodes so they receive email notifications when comments are posted or nodes are changed. The Watcher module did not sanitize some of the user supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability which can be used by a...