1940 matches found
Loft Data Grids - Moderately critical - Multiple vulnerabilities - SA-CONTRIB-2024-054
This module provides serialization formats for use by other modules. The module includes a version of phpoffice/phpspreadsheet which has multiple known security vulnerabilities...
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-004
Content within Open Social can have different visibilities. It is possible for a user to create public content even when this should not be allowed. This vulnerability is mitigated by the fact that the site must have public visibility disabled on a global level...
GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2023-050
This module lets you craft and expose a GraphQL schema for Drupal 9 and 10. The module currently does not adequately verify whether a given user has the necessary permissions to access an entity's label creating an access bypass vulnerability. This vulnerability is mitigated by the fact that enti...
Entity cache - Critical - Information disclosure - SA-CONTRIB-2023-046
Entity Cache puts core entities into Drupal's cache API. A recent release of the module does not sanitize certain inputs appropriately. This can lead to unintended behavior when wildcard characters are included in the input. The impact of this bug should be relatively minor in most configurations...
WebProfiler - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-044
The Webprofiler module provides a way of displaying the Symfony profile debugging tool at the bottom of each page. The abbrclass Twig filter can be used to bypass the Twig auto-escape feature. This vulnerability is mitigated by the fact that it is only exposed when the filter is specifically used...
Data field - Moderately critical - Access bypass - SA-CONTRIB-2023-040
The Data Field module provides a way of building field types that are made up of other fields, a simpler alternative to e.g. the Paragraphs system. Access to these forms isn't properly validated, allowing a user with the "access content" permission to view and edit fields on entities...
Civic Cookie Control - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-021
CivicCookieControl is a module that can help make a website compliant with EU and UK cookie legislation. The Civic GovUK Cookie Control module does not sufficiently sanitize the configuration resulting in a Cross-Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that t...
Protected Pages - Critical - Access bypass - SA-CONTRIB-2023-013
This module enables you to secure any page with a password. The module does not sufficiently restrict access to the page content...
Entity Browser - Moderately critical - Information Disclosure - SA-CONTRIB-2023-002
The Entity Browser module allows you to select entities from entity reference fields using a custom entity browser widget. Entity Browser does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about entities they are not...
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-061
Social Flexible Group is an Open Social extension that allows users to create groups with many different configurations. In specific uncommon scenarios, where a platform doesn't have any flexible groups with the "Group members only secret" visibility, community groups are visible to anonymous use...
Social Base - Moderately critical - Access bypass - SA-CONTRIB-2022-060
The Social Base theme is designed as a base theme for Open Social. This base theme holds has a lot of sensible defaults. It doesn't however contain much styling. We expect developers to want to change this for their own project. When content within the Open Social distribution is placed within a...
PDF generator API - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-050
This module enables you to generate PDF versions of content. Some installations of the module make use of the dompdf/dompdf third-party dependency. Security vulnerabilities exist for versions of dompdf/dompdf before 2.0.0 as described in the 2.0.0 release notes...
Lottiefiles Field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-046
The Lottiefiles Field module enables you to integrate the lottiefiles features into your page. The module does not sufficiently filter user-provided text on output, resulting in a Cross-Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role...
Wingsuit - Storybook for UI Patterns - Critical - Access bypass - SA-CONTRIB-2022-040
The Wingsuit module enables site builders to build UI Patterns and|or Twig Components with Storybook and use them without any mapping code in Drupal. The module doesn't have an access check for the admin form allowing an attacker to view and modify the Wingsuit configuration...
Taxonomy Access Control Lite - Critical - Unsupported - SA-CONTRIB-2022-006
Update 2022-03-01. New maintainers have volunteered for the project and created a new release which includes fixes for the 3 security issues that caused the module to be unsupported. The security team is marking this project unsupported. There is a known security issue with the project that has n...
Colorbox - Critical - Unsupported - SA-CONTRIB-2022-007
Updated 2022-02-02: New maintainers have volunteered for the project and created new releases which includes fixes for the security issues that caused the module to be unsupported. The security team is marking this project unsupported. There is a known security issue with the project that has not...
Search API Pages - Critical - Cross Site Scripting - SA-CONTRIB-2021-046
This module enables you to create simple search pages based on Search API without the use of Views. The module doesn’t sufficiently escape all variables provided for custom templates. This vulnerability is mitigated by the fact that the default template provided by the module is not affected...
The Better Mega Menu - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-039
This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. It does not sufficiently sanitize user input such that an admin with permissions to edit a menu may be able to exploit one or more Cross-Site-Scripting XSS vulnerabilities...
Opigno group manager - Less critical - UI redressing (clickjacking) - SA-CONTRIB-2021-019
This project is related to Opigno LMS distribution. It implements the group manager in the Opigno LMS. The module does not set X-Frame-Options and blocks ability of other modules e.g Security Kit to add them, leaving it vulnerable to Clickjacking...
Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-017
This module provides a revision UI to Block Content entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions...
GraphQL - Moderately critical - Information Disclosure - SA-CONTRIB-2021-013
This module lets you craft and expose a GraphQL web service API. The module does not sufficiently protect arbitrary exception and error messages thereby exposing an information disclosure vulnerability. This vulnerability is mitigated by the fact that a GraphQL server must be enabled and a data...
Renderkit - Less critical - Access bypass - SA-CONTRIB-2020-026
The renderkit module contains components which can transform the display of field items sent to it. Some of these components do not respect the 'access' property on the field render element, and thus can make rendered field values visible to visitors who would otherwise not be allowed to see thos...
Webform - Critical - Access bypass - SA-CONTRIB-2020-018
This webform module enables you to build a 'Term checkboxes' element. The module doesn't sufficiently check term 'view' access when rendering 'Term checkboxes' elements. Unpublished terms will always appear in the 'Term checkboxes' element...
Views Bulk Operations (VBO) - Moderately critical - Access bypass - SA-CONTRIB-2020-003
Views Bulk Operations provides enhancements to running bulk actions on views. The module contains an access bypass vulnerability that might allow users to execute views actions that they should not have access to. This vulnerability is mitigated by the fact that it only occurs in the case of...
Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096
This module enables you to create forms to collect information from users and report, analyze and distribute it by email. The 7.x-3.x module doesn't sufficiently sanitize token values taken from query strings. If a query string token is used as the value of a markup component, an attacker can...
Nexus Theme - Critical - Unsupported - SA-CONTRIB-2019-078
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Focal Point - Moderately critical - Cross site scripting - SA-CONTRIB-2019-015
This module enables a privileged user to specify the important part of an image for the purposes of cropping. The module doesn't sufficiently sanitize certain form element attributes when the focal point widget is displayed on a form. This vulnerability is mitigated by the fact that an attacker...
Date Reminder - Moderately critical - Access bypass - SA-CONTRIB-2018-076
This module allows registered users to request email reminders to be sent at a specified time before an event. The module doesn't sufficiently check access to nodes, allowing a user to set a reminder on a node that the user shouldn't be able to access. This can be mitigated with configuring...
Search API Solr - Moderately critical - Access bypass - SA-CONTRIB-2018-065
This module provides support for creating searches using the Apache Solr search engine and the Search API Drupal module. The module doesn't sufficiently take the searched fulltext fields into account when creating a search excerpt. This can, in specific cases, lead to confidential data being leak...
Stacks - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-001
This module enables content editors to create complex pages and layouts on the fly without the help from a developer, using reusable widgets. The module does not sufficiently filter values posted to its AJAX endpoint, which leads to the instantiation of an arbitrary PHP class. This vulnerability ...
Panopoly Core - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-093
This module provides common functionality used by other modules in the Panopoly distribution and child distributions, like, Open Atrium. The module doesn't sufficiently filter node titles used in breadcrumbs when the "Append Page Title to Site Breadcrumb" setting is enabled. This vulnerability is...
Mosaik - Moderately critical - Cross-site scripting - SA-CONTRIB-2017-080
The Mosaik module enables you to create pages or complex blocks in Drupal with the logic of a real mosaic and its pieces. The module doesn't sufficiently sanitize the titles of fieldsets on its administration pages or the titles of blocks that it creates. This vulnerability is mitigated by the fa...
Views refresh - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-069
When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views refresh module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to...
OAuth - Critical - Access Bypass - SA-CONTRIB-2017-056
This module enables you to protect requests via the OAuth authentication protocol. The module doesn't sufficiently notify the Cache API to avoid caching responses under the scenario in which an authenticated user requests a resource such as unpublished node. This vulnerability is mitigated by the...
Flag clear - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-017
The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own. The module doesn't sufficiently protect from CSRF attacks. The unflagging links do not...
Storage API stream wrappers - Moderately Critical - Access bypass - SA-CONTRIB-2017-010
This module provides stream wrappers to integrate Storage API with Drupal, as an alternative to Storage API's corebridge submodule. It provides two stream wrappers: "Storage API Public" and "Storage API Private". The private storage API doesn't sufficiently performs access control allowing...
Require Login - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2016-045
This module enables you to restrict site access without using user roles or permissions. The module does not sufficiently escape some of its settings, and, in some cases, allows malicious users to bypass the protection offered by Require Login. CVE identifiers issued ACVE identifier will be...
XML Sitemap - Moderately Critical - XSS - SA-CONTRIB-2016-030
The XML Sitemap module enables you to create sitemaps which help search engines to more intelligently crawl a website and keep their results up to date. The module doesn't sufficiently filter the URL when it is displayed in the sitemap. This vulnerability is mitigated if the setting for "Include ...
Fast Autocomplete - Critical - DOS vulnerability - SA-CONTRIB-2016-016
This module enables you to show IMDB-like suggestions when entering terms into an input field using json files to "cache" suggestions making the autocomplete very fast. The module doesn't sufficiently validate the incoming language parameter in the request path when a json file of the module is...
Token Insert Entity - Moderately Critical - Access bypass and information disclosure - SA-CONTRIB-2015-171
This module offers a WYSIWYG button to embed rendered entities in fields using a WYSIWYG normally the body of a node. There is a vulnerability because a user that can create or edit content and has the "insert entity token" permission can insert tokens relating to e.g. an unpublished node and all...
Field as Block - Less Critical - Information Disclosure - SA-CONTRIB-2015-161
This module enables you to take a field from the current entity and place it elsewhere as a block. The module caches the block output in a manner that could allow sensitive content to be seen by visitors who should not see it. The problem will only occur when other modules alter field output base...
amoCRM - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2015-149
This module enables you to integrate with amoCRM service using webhooks. The module does not sufficiently sanitize the logged data when malicious POST data is received. This vulnerability is mitigated by the fact that a module such "Database logging" dblog must be enabled which displays log...
Time Tracker - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-135
This module enables you to track time on entities and comments. The module doesn't sufficiently filter notes added to time entries, leading to an XSS/JavaScript injection vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Add Time...
Node Template - Moderately Critical - Cross Site Request Forgery (CSRF) - Unsupported - SA-CONTRIB-2015-099
Node Template module enables you to define any node as a node template and it can be duplicated later. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with "access node template" permission to delete node templates by getting their browser to make...
Imagefield Info - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-088
Imagefield Info module enables you to view image field paths so you can easily use them with a WYSIWYG editor. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fa...
SA-CONTRIB-2015-070 - Mover - Cross Site Scripting (XSS) - Unsupported
The Mover modules provide the ability to move content between Drupal sites. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to...
SA-CONTRIB-2015-059 - Spider Video Player - Multiple vulnerabilities - Unsupported
Spider Video Player module enables you to add HTML5 and Flash videos to your site. The module doesn't sufficiently check user input when deleting files. A malicious user could delete arbitrary files by making a request to a specially-crafted URL. This vulnerability is mitigated by the fact that t...
SA-CONTRIB-2015-017 - Room Reservations - Cross Site Scripting (XSS)
Room Reservations module enables you to manage a room reservation system. The module doesn't sufficiently sanitize the node title of "Room Reservations Category" nodes and the body of "Room Reservations Room" nodes, thereby leading to a Cross Site Scripting XSS vulnerability. This vulnerability i...
SA-CONTRIB-2014-091 - Survey Builder - Cross Site Scripting (XSS)
This module allows you to use the Form Builder module to provide an intuitive interface for building surveys, along with the back-end for storing surveys and their responses. Cross Site Scripting XSS When viewing surveys at "/surveys", the survey titles printed out are not sanitized. Any...
SA-CONTRIB-2014-031 - Webform Template - Access Bypass
This module enables you to copy webform config from one node to another. The module doesn't respect node access when providing possible nodes to copy from. As a result, a user may be disclosed the titles of nodes he does not have view access to and as such he may be able to copy the webform...