Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2015/04/15 12:0 a.m.19 views

Services - Critical - Multiple Vulnerabilites - SA-CONTRIB-2015-096

Services module enables you to expose an API to third party systems. Access bypass file upload and execution The resource/endpoint for uploading files does not properly sanitize the filename of uploaded files. This vulnerability is mitigated by the fact that the "File Create" resource must be...

6CVSS6.1AI score0.01713EPSS
Exploits0References15
Drupal
Drupal
added 2015/04/01 12:0 a.m.19 views

Password Policy - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-090

The Password Policy module allows enforcing restrictions on user passwords by defining password policies. The module doesn't sufficiently sanitize usernames in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that only...

2.6CVSS6.2AI score0.01178EPSS
Exploits0References10
Drupal
Drupal
added 2015/03/11 12:0 a.m.19 views

SA-CONTRIB-2015-076 - Image Title - Cross Site Scripting (XSS)

Image Title module allows you to upload an image and use it as a node title. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must allowed to create/edit...

3.5CVSS6.1AI score0.00965EPSS
Exploits0References10
Drupal
Drupal
added 2015/03/04 12:0 a.m.19 views

SA-CONTRIB-2015-064 - Ubercart Discount Coupons - Cross Site Scripting (XSS)

Ubercart Discount Coupons module provides discount coupons for Ubercart stores. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. The vulnerability is mitigated by the fact that an attacker must have a...

3.5CVSS6AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2015/03/04 12:0 a.m.19 views

SA-CONTRIB-2015-069 - Taxonomy Accordion - Cross Site Scripting (XSS) - Unsupported

Taxonomy Accordion module creates a block for each taxonomy vocabularies. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user allowed to...

3.5CVSS6AI score0.00954EPSS
Exploits0References8
Drupal
Drupal
added 2015/02/25 12:0 a.m.19 views

SA-CONTRIB-2015-060 - Custom Sitemap - Cross Site Request Forgery (CSRF) - Unsupported

The Custom Sitemap module enables you to add custom sitemaps to a site. The module doesn't sufficiently protect some URLs against CSRF. A malicious user could trick an administrator into deleting sitemaps by getting their browser to make a request to a specially-crafted URL. CVE identifiers issue...

5.8CVSS6.3AI score0.00649EPSS
Exploits0References8
Drupal
Drupal
added 2015/02/04 12:0 a.m.19 views

SA-CONTRIB-2015-036 - Public Download Count - Cross Site Scripting (XSS) - Unsupported

Public Download Count module keeps track of file download counts. The module doesn't sufficiently sanitize user supplied text in the Download counts report page thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role wit...

3.5CVSS6AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/07 12:0 a.m.19 views

SA-CONTRIB-2015-010 - Log Watcher - Cross Site Request Forgery (CSRF)

Log Watcher allows you to monitor your site logs in a systematic way by setting up scheduled aggregations for specific log types. The report administration links are not properly protected from CSRF. A malicious user could cause a log administrator to enable, disable, or delete a Log Watcher repo...

6.8CVSS6.2AI score0.00656EPSS
Exploits0References10
Drupal
Drupal
added 2014/12/17 12:0 a.m.19 views

SA-CONTRIB-2014-127 - School Administration - Cross Site Scripting (XSS)

School Administration module enables you to keep records of all students and staff. With inner modules, it aims to be a complete school administration system. The module failed to sanitize some node titles in messages, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is...

3.5CVSS5.7AI score0.00976EPSS
Exploits1References11
Drupal
Drupal
added 2014/12/10 12:0 a.m.19 views

SA-CONTRIB-2014-123 - Postal Code - Cross Site Scripting (XSS)

The Postal Code module enables you to implement postal code validation for several countries. The module doesn't sufficiently sanitize certain data in the admin thereby opening a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role...

6.5AI score
Exploits0References12
Drupal
Drupal
added 2014/12/03 12:0 a.m.19 views

SA-CONTRIB-2014-116 - Webform Invitation - Cross Site Scripting (XSS)

This module enables you to create custom invitation codes for Webforms. The module failed to sanitize node titles. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Webform: Create new content", "Webform: Edit own content" and/or "Webform: Edit any...

3.5CVSS6.4AI score0.00946EPSS
Exploits0References10
Drupal
Drupal
added 2014/04/23 12:0 a.m.19 views

SA-CONTRIB-2014-043 - Custom Search - Cross Site Scripting (XSS)

The Custom Search module alters the default search box to provide some options like in advanced search, but directly in the search box. The module doesn't sanitize taxonomy vocabulary labels before display leading to a persistent cross site scripting XSS vulnerability. This vulnerability is...

3.5CVSS5.5AI score0.01046EPSS
Exploits0References11
Drupal
Drupal
added 2014/02/26 12:0 a.m.19 views

SA-CONTRIB-2014-026 - Mime Mail - Access bypass

The MIME Mail module allows processing of incoming MIME-encoded e-mail messages with embedded images and attachments. The default key for the authentication of incoming messages is generated from a random number. On some platforms such as Windows the maximum value of this number is only 32767 whi...

7.3AI score
Exploits0References13
Drupal
Drupal
added 2014/02/12 12:0 a.m.19 views

SA-CONTRIB-2014-018 - Webform - Cross Site Scripting (XSS)

The Webform module enables you to create forms which can be used for surveys, contact forms or other data collection throughout your site. The module doesn't sufficiently sanitize field label titles when two fields have the same formkey, which can only be managed by carefully crafting the webform...

3.5CVSS6.3AI score0.01095EPSS
Exploits0References14
Drupal
Drupal
added 2014/01/29 12:0 a.m.19 views

SA-CONTRIB-2014-007 - Services - Multiple access bypass vulnerabilities

This module enables you to expose an API to third party systems using REST, XML-RPC or other protocols. The form API provides a method for developers to submit forms programmatically using the function drupalformsubmit. During programmatic form submissions, all access checks are deliberately...

7.1AI score
Exploits0References16
Drupal
Drupal
added 2013/11/20 12:0 a.m.19 views

SA-CONTRIB-2013-093 - Invitation - Access Bypass

The Invitation module restricts registration to users who have an invite code for running a private beta. The module provides default views that don't check access to views prior to displaying private information like usernames and email addresses. CVE identifiers issued CVE-2013-7063 Versions...

5CVSS6.3AI score0.01354EPSS
Exploits0References9
Drupal
Drupal
added 2013/09/11 12:0 a.m.19 views

SA-CONTRIB-2013-075 - Click2Sell - Multiple Vulnerabilities (XSS and CSRF)

Click2Sell is an Affiliate Marketing Network which lets you sell your products through their marketplace or on your website with buy it now buttons, and which also allows you to access hundreds of affiliates who want to sell your product for you and earn commission. Reflected Cross Site Scripting...

5.8AI score
Exploits0References7
Drupal
Drupal
added 2013/08/21 12:0 a.m.19 views

SA-CONTRIB-2013-070 - Zen - Cross Site Scripting

The Zen theme is a very popular base/starter theme. Zen doesn't sufficiently escape the breadcrumb separator field, allowing a possible XSS exploit. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". CVE identifiers issued...

5.4CVSS5.3AI score0.01037EPSS
Exploits1References10
Drupal
Drupal
added 2013/08/14 12:0 a.m.19 views

SA-CONTRIB-2013-069 - Password Policy - XSS

This module enables you to specify a certain level of password complexity aka. "password hardening" for user passwords in Drupal by defining a password policy. When viewing and editing a password policy, the module doesn't sufficiently filter the form text field input and display for the "Passwor...

2.1CVSS6.5AI score0.00973EPSS
Exploits1References9
Drupal
Drupal
added 2013/07/10 12:0 a.m.19 views

SA-CONTRIB-2013-057 - TinyBox - Cross Site Scripting (XSS)

TinyBox module uses TinyBox, a lightweight and standalone modal window script. The main purpose of this module is to provide Splash Screen/Window as simple as possible. The module doesn't filter user-supplied text prior to display. The vulnerability is mitigated by the fact that an attacker must...

2.1CVSS6.3AI score0.01089EPSS
Exploits0References11
Drupal
Drupal
added 2013/06/05 12:0 a.m.19 views

SA-CONTRIB-2013-051 - Services - Cross site request forgery (CSRF)

This module enables you to expose an API to third party systems using REST, XML-RPC or other protocols. The module doesn't sufficiently verify writing requests POST, PUT, DELETE with session cookie authentication, thereby exposing a Cross Site Request Forgery vulnerability. This vulnerability is...

6.8CVSS6.7AI score0.00727EPSS
Exploits0References10
Drupal
Drupal
added 2013/05/29 12:0 a.m.19 views

SA-CONTRIB-2013-048 - Edit Limit - Access Bypass

Edit Limit enables you to set time and count-based limits on how and when a user can edit nodes or comments. The module doesn't sufficiently check user access when editing comments to see if the user has the necessary permissions to edit a comment outside of the limits applied by this module. Thi...

5CVSS6.3AI score0.01556EPSS
Exploits0References10
Drupal
Drupal
added 2013/02/27 12:0 a.m.19 views

SA-CONTRIB-2013-029 - Business theme - Cross Site Scripting (XSS)

This third-party contributed theme change Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.6AI score0.01089EPSS
Exploits0References10
Drupal
Drupal
added 2013/01/09 12:0 a.m.19 views

SA-CONTRIB-2013-002 - Payment - Access Bypass

Payment enables other modules to make payments using a variety of payment processing services. The module incorrectly grants access when checking if a user can view payments, allowing a user to access the payments of other users. CVE identifiers issued CVE-2013-0182 Versions affected Payment...

5CVSS6.4AI score0.01369EPSS
Exploits0References10
Drupal
Drupal
added 2012/10/24 12:0 a.m.19 views

SA-CONTRIB-2012-157 - Time Spent - Multiple Vulnerabilities - (unsupported)

The Time Spent module tracks the time a registered user spends on a site and a site's content. The module doesn't sufficiently sanitize user input. Cross site scripting, cross-site request forgery, and SQL injection vulnerabilities have all been found. Note that none of these vulnerabilities have...

7.5CVSS7.3AI score0.0113EPSS
Exploits0References9
Drupal
Drupal
added 2012/09/26 12:0 a.m.19 views

SA-CONTRIB-2012-148 - OG - Access Bypass

OG Organic groups enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. A group membership can be given immediately upon subscribing, or be pending - waiting for a group administrat...

3.5CVSS6.4AI score0.00951EPSS
Exploits0References11
Drupal
Drupal
added 2012/09/19 12:0 a.m.19 views

SA-CONTRIB-2012-144 Fonecta verify - Cross Site Scripting (XSS)

Fonecta verify provides an interface to retrieve information from the Finnish Fonecta company information database. The module contains an arbitrary script injection vulnerability XSS due to the fact that it fails to sanitize data retrieved from an untrusted third party source. This vulnerability...

4.3CVSS6.2AI score0.01161EPSS
Exploits0References9
Drupal
Drupal
added 2012/08/08 12:0 a.m.19 views

SA-CONTRIB-2012-124 - Mime Mail - Access Bypass

The MIME Mail module allows users to send MIME-encoded e-mail messages with embedded images and attachments. The module doesn't perform proper access checks, allowing a user to send arbitrary e.g. the settings.php files as attachments. In the latest version users must have the "send arbitrary...

7.1AI score
Exploits0References11
Drupal
Drupal
added 2012/07/11 12:0 a.m.19 views

SA-CONTRIB-2012-111 - Security Questions - Access Bypass

This module provides administrator configurable challenge questions for use during the log in and password reset processes. The module doesn't perform a proper access check, allowing a users' questions and answers to be edited by other users including anonymous users. CVE: CVE-2012-4475 Versions...

5CVSS6.5AI score0.01332EPSS
Exploits0References12
Drupal
Drupal
added 2012/06/13 12:0 a.m.20 views

SA-CONTRIB-2012-103 - Global Redirect - Open Redirect

This module improves SEO and usability of a site by redirecting visitors to user-friendly and search-engine-friendly URLs. The module does not sufficiently validate that a destination URL is internal to the site, allowing an attacker to disguise a malicious destination address as a query paramete...

6.3AI score
Exploits0References17
Drupal
Drupal
added 2012/06/06 12:0 a.m.19 views

SA-CONTRIB-2012-093 - Node Embed - Access Bypass

Node Embed gives content editors an interface for selecting and embedding nodes using a WYSIWYG editor. The interface for selecting nodes is a page that had no access check, allowing users to view node titles they might not have access to. This issue only affects your site if you have unpublished...

4.3CVSS6.2AI score0.02774EPSS
Exploits1References11
Drupal
Drupal
added 2012/05/16 12:0 a.m.19 views

SA-CONTRIB-2012-076 - Ubercart Product Keys Access Bypass

CVE: CVE-2012-2702. This module enables you to sell product keys from an Ubercart store. Under certain circumstances, a user can view all unassigned product keys which could grant them access to the software circumventing the process of selling the key. Versions affected Ubercart Product Keys...

5CVSS6.4AI score0.0258EPSS
Exploits1References10
Drupal
Drupal
added 2012/05/02 12:0 a.m.19 views

SA-CONTRIB-2012-072 - cctags - Cross Site Scripting (XSS)

CVE: CVE-2012-2310 This module enables you to create "tag clouds" with taxonomy terms displayed in different sizes depending on how frequently they are used on a site. The module doesn't sufficiently filter user supplied text leading to a Cross Site Scripting XSS vulnerability. This vulnerability...

3.5CVSS5.7AI score0.01046EPSS
Exploits0References11
Drupal
Drupal
added 2012/04/18 12:0 a.m.19 views

SA-CONTRIB-2012-061 - Gigya - Social optimization - Cross Site Scripting (XSS)

CVE: CVE-2012-2117 The Gigya - Social optimization module provides a single API that aggregates authentication and social APIs from Facebook Connect, MySpace ID, Twitter, and OpenID webmail providers including Google, Yahoo, and AOL. The module doesn't sufficiently escape URL elements which are...

4.3CVSS6.7AI score0.01284EPSS
Exploits0References10
Drupal
Drupal
added 2012/04/04 12:0 a.m.19 views

SA-CONTRIB-2012-057 - Printer, email and PDF versions - Cross Site Scripting (XSS)

CVE: CVE-2012-2084 This module provides printer-friendly versions of content, including send by e-mail and PDF versions. The module doesn't sufficiently escape URL elements which are printed back to the user. Versions affected Printer, email and PDF versions 6.x-1.x versions prior to 6.x-1.15...

4.3CVSS6.5AI score0.02325EPSS
Exploits0References14
Drupal
Drupal
added 2012/03/28 12:0 a.m.19 views

SA-CONTRIB-2012-048 - Contact Save - Cross Site Scripting

CVE: CVE-2012-2075 This module stores in the database all messages submitted through the core contact forms, and provides a way to respond to these messages through the website. The module doesn't sufficiently filter user supplied text, leading to a cross-site scripting XSS vulnerability. This...

2.1CVSS5.6AI score0.01659EPSS
Exploits1References9
Drupal
Drupal
added 2012/03/21 12:0 a.m.19 views

SA-CONTRIB-2012-042 - Wishlist Cross Site Scripting (XSS)

CVE: CVE-2012-2069 The Wishlist Module allows users to maintain shared wishlists for special events and holidays. Impact: The module doesn't sufficiently filter user supplied text from the URL. This can be used to perform a reflected cross site scripting XSS attack. User account credentials could...

6.8CVSS5.5AI score0.00917EPSS
Exploits1References11
Drupal
Drupal
added 2012/03/07 12:0 a.m.19 views

SA-CONTRIB-2012-030 - Data - Cross Site Scripting (XSS)

CVE: CVE-2012-1654 This module enables you to create arbitrary tables in your Drupal database and manage the data in them, and also manage data in existing tables such as those created by or imported from a third-party application. The module doesn't sufficiently escape the human-readable title...

2.1CVSS6.5AI score0.01853EPSS
Exploits0References11
Drupal
Drupal
added 2012/02/29 12:0 a.m.19 views

SA-CONTRIB-2012-028 - Hierarchical Select - Cross Site Scripting (XSS)

CVE: CVE-2012-1652 The Hierarchical Select module provides a "hierarchicalselect" form element, which is a greatly enhanced way for letting the user select items in a taxonomy. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS...

2.1CVSS5.6AI score0.01089EPSS
Exploits0References11
Drupal
Drupal
added 2012/02/15 12:0 a.m.19 views

SA-CONTRIB-2012-022 - CDN - Information disclosure

CVE: CVE-2012-1645 The CDN module provides easy Content Delivery Network integration for Drupal sites. It alters file URLs, so that files are downloaded from a CDN instead of your web server. When running in Origin Pull mode together with the "Far Future expiration" option, the module contains a...

2.6CVSS6.2AI score0.014EPSS
Exploits0References10
Drupal
Drupal
added 2012/01/17 12:0 a.m.19 views

SA-CONTRIB-2012-010 - stickynote - Multiple vulnerabilities

CVE: CVE-2012-1636 This module enables you to add textual notes in a block to perform quality assurance of your site. Previously it did not sufficiently protect against Cross Site Scripting XSS or Cross Site Request Forgery CSRF. This vulnerability is mitigated by the fact that an attacker must...

4.3CVSS5.8AI score0.00903EPSS
Exploits0References9
Drupal
Drupal
added 2011/11/09 12:0 a.m.19 views

SA-CONTRIB-2011-054 - CKEditor - Access bypass

The CKEditor module allows Drupal to replace textarea fields with the CKEditor - a visual HTML editor, sometimes called WYSIWYG editor. The module doesn't protect private files appropriately. Private files can downloaded by anyone able to guess their URL. CVE identifiers issued CVE-2011-4972...

7.5CVSS7.5AI score0.01744EPSS
Exploits0References10
Drupal
Drupal
added 2010/06/23 12:0 a.m.19 views

SA-CONTRIB-2010-069 - Case Tracker - Multiple Vulnerabilities

The Case Tracker module enables teams to track outstanding cases which need resolution by attaching a status, priority and type. Cross Site Scripting XSS The module does not sanitize some of the user-supplied data before displaying it, leading to a cross site scripting XSS vulnerability that may...

5.8AI score
Exploits0References9
Drupal
Drupal
added 2009/09/30 12:0 a.m.19 views

SA-CONTRIB-2009-069 - Shared Sign On - Cross Site Scripting

The Shared Sign On module enables users to log into one Drupal site and be automatically logged into multiple related Drupal sites. The module suffers multiple vulnerabilities, including Cross Site Request Forgeries CSRF and Session fixation problem Session Fixation. This problem allows an attack...

7AI score
Exploits0References8
Drupal
Drupal
added 2009/03/18 12:0 a.m.19 views

SA-CONTRIB-2009-010 Plus 1 - Cross-site request forgery

The Plus 1 module provides a voting widget for content that records votes using Ajax. The URL for voting is vulnerable to cross-site request forgeries CSRF making it possible for users to unknowingly vote for content. Versions affected Versions of Plus 1 prior to 6.x-2.6 Drupal core is not...

7.1AI score
Exploits0References8
Drupal
Drupal
added 2009/01/15 12:0 a.m.19 views

SA-CONTRIB-2009-004 - Notify - Privilege escalation

A user triggering the cron processing of the Notify module may end up getting logged in as another user when the Notify operations do not complete succesfully. Versions Affected Versions of Notify for Drupal 5.x prior to 5.x-1.2 Drupal core is not affected. If you do not use the Notify module,...

7.1AI score
Exploits0References3
Drupal
Drupal
added 2008/06/25 12:0 a.m.19 views

SA-2008-039 - Suggested terms - Cross site scripting

This module provides "suggested terms" for free-tagging Taxonomy fields based on terms already submitted. Taxonomy terms as presented in the clickable list are not properly sanitized. Users who are able to create new terms are able to insert arbitrary script code and HTML into certain edit pages...

7.2AI score
Exploits0References3
Drupal
Drupal
added 2026/06/03 12:0 a.m.18 views

Commerce Core - Moderately critical - Cross site scripting - SA-CONTRIB-2026-041

The module doesn't sufficiently sanitize customer comments in the order receipt email template; this could be exploited to achieve Cross-site Scripting XSS. This vulnerability is mitigated by the fact that it only affects installations with Checkout commercecheckout enabled, and the "Comments"...

5.8AI score0.00161EPSS
Exploits0References2
Drupal
Drupal
added 2026/03/04 12:0 a.m.18 views

OpenID Connect / OAuth client - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-025

This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created. The module doesn't sufficiently validate certain fields coming fro...

4.3CVSS5.6AI score0.00162EPSS
Exploits0References2
Drupal
Drupal
added 2026/03/04 12:0 a.m.18 views

AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022

AJAX Dashboard: Entity Dashboards enables you to create configurable dashboards attached to entities which include AJAX-reloading of a main content area based on inputs from a configurable set of buttons. The module doesn't sufficiently check access on the dashboard configuration route...

6.5CVSS5.8AI score0.00243EPSS
Exploits0References1
Total number of security vulnerabilities1940