Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2024/10/23 12:0 a.m.18 views

Loft Data Grids - Moderately critical - Multiple vulnerabilities - SA-CONTRIB-2024-054

This module provides serialization formats for use by other modules. The module includes a version of phpoffice/phpspreadsheet which has multiple known security vulnerabilities...

6.8AI score
Exploits0References8
Drupal
Drupal
added 2024/01/24 12:0 a.m.18 views

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-004

Content within Open Social can have different visibilities. It is possible for a user to create public content even when this should not be allowed. This vulnerability is mitigated by the fact that the site must have public visibility disabled on a global level...

7.5CVSS6.8AI score0.00368EPSS
Exploits0References7
Drupal
Drupal
added 2023/11/08 12:0 a.m.18 views

GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2023-050

This module lets you craft and expose a GraphQL schema for Drupal 9 and 10. The module currently does not adequately verify whether a given user has the necessary permissions to access an entity's label creating an access bypass vulnerability. This vulnerability is mitigated by the fact that enti...

7AI score
Exploits0References6
Drupal
Drupal
added 2023/09/27 12:0 a.m.18 views

Entity cache - Critical - Information disclosure - SA-CONTRIB-2023-046

Entity Cache puts core entities into Drupal's cache API. A recent release of the module does not sanitize certain inputs appropriately. This can lead to unintended behavior when wildcard characters are included in the input. The impact of this bug should be relatively minor in most configurations...

6.8AI score
Exploits0References11
Drupal
Drupal
added 2023/09/06 12:0 a.m.18 views

WebProfiler - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-044

The Webprofiler module provides a way of displaying the Symfony profile debugging tool at the bottom of each page. The abbrclass Twig filter can be used to bypass the Twig auto-escape feature. This vulnerability is mitigated by the fact that it is only exposed when the filter is specifically used...

6.8AI score
Exploits0References5
Drupal
Drupal
added 2023/08/23 12:0 a.m.18 views

Data field - Moderately critical - Access bypass - SA-CONTRIB-2023-040

The Data Field module provides a way of building field types that are made up of other fields, a simpler alternative to e.g. the Paragraphs system. Access to these forms isn't properly validated, allowing a user with the "access content" permission to view and edit fields on entities...

6.7AI score
Exploits0References8
Drupal
Drupal
added 2023/06/21 12:0 a.m.18 views

Civic Cookie Control - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-021

CivicCookieControl is a module that can help make a website compliant with EU and UK cookie legislation. The Civic GovUK Cookie Control module does not sufficiently sanitize the configuration resulting in a Cross-Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that t...

5.9AI score
Exploits0References6
Drupal
Drupal
added 2023/04/12 12:0 a.m.18 views

Protected Pages - Critical - Access bypass - SA-CONTRIB-2023-013

This module enables you to secure any page with a password. The module does not sufficiently restrict access to the page content...

6.6AI score
Exploits0References6
Drupal
Drupal
added 2023/01/18 12:0 a.m.18 views

Entity Browser - Moderately critical - Information Disclosure - SA-CONTRIB-2023-002

The Entity Browser module allows you to select entities from entity reference fields using a custom entity browser widget. Entity Browser does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about entities they are not...

6.5AI score
Exploits0References8
Drupal
Drupal
added 2022/11/30 12:0 a.m.18 views

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-061

Social Flexible Group is an Open Social extension that allows users to create groups with many different configurations. In specific uncommon scenarios, where a platform doesn't have any flexible groups with the "Group members only secret" visibility, community groups are visible to anonymous use...

6.3AI score
Exploits0References9
Drupal
Drupal
added 2022/11/30 12:0 a.m.18 views

Social Base - Moderately critical - Access bypass - SA-CONTRIB-2022-060

The Social Base theme is designed as a base theme for Open Social. This base theme holds has a lot of sensible defaults. It doesn't however contain much styling. We expect developers to want to change this for their own project. When content within the Open Social distribution is placed within a...

6.4AI score
Exploits0References8
Drupal
Drupal
added 2022/07/27 12:0 a.m.18 views

PDF generator API - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-050

This module enables you to generate PDF versions of content. Some installations of the module make use of the dompdf/dompdf third-party dependency. Security vulnerabilities exist for versions of dompdf/dompdf before 2.0.0 as described in the 2.0.0 release notes...

6.7AI score
Exploits0References8
Drupal
Drupal
added 2022/06/29 12:0 a.m.18 views

Lottiefiles Field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-046

The Lottiefiles Field module enables you to integrate the lottiefiles features into your page. The module does not sufficiently filter user-provided text on output, resulting in a Cross-Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role...

5.6AI score
Exploits0References5
Drupal
Drupal
added 2022/05/18 12:0 a.m.18 views

Wingsuit - Storybook for UI Patterns - Critical - Access bypass - SA-CONTRIB-2022-040

The Wingsuit module enables site builders to build UI Patterns and|or Twig Components with Storybook and use them without any mapping code in Drupal. The module doesn't have an access check for the admin form allowing an attacker to view and modify the Wingsuit configuration...

6.7AI score
Exploits0References4
Drupal
Drupal
added 2022/01/25 12:0 a.m.18 views

Taxonomy Access Control Lite - Critical - Unsupported - SA-CONTRIB-2022-006

Update 2022-03-01. New maintainers have volunteered for the project and created a new release which includes fixes for the 3 security issues that caused the module to be unsupported. The security team is marking this project unsupported. There is a known security issue with the project that has n...

6.7AI score
Exploits0References3
Drupal
Drupal
added 2022/01/25 12:0 a.m.18 views

Colorbox - Critical - Unsupported - SA-CONTRIB-2022-007

Updated 2022-02-02: New maintainers have volunteered for the project and created new releases which includes fixes for the security issues that caused the module to be unsupported. The security team is marking this project unsupported. There is a known security issue with the project that has not...

6.9AI score
Exploits0References2
Drupal
Drupal
added 2021/12/08 12:0 a.m.18 views

Search API Pages - Critical - Cross Site Scripting - SA-CONTRIB-2021-046

This module enables you to create simple search pages based on Search API without the use of Views. The module doesn’t sufficiently escape all variables provided for custom templates. This vulnerability is mitigated by the fact that the default template provided by the module is not affected...

6.7AI score
Exploits0References7
Drupal
Drupal
added 2021/09/22 12:0 a.m.18 views

The Better Mega Menu - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-039

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. It does not sufficiently sanitize user input such that an admin with permissions to edit a menu may be able to exploit one or more Cross-Site-Scripting XSS vulnerabilities...

6.2AI score
Exploits0References9
Drupal
Drupal
added 2021/06/23 12:0 a.m.18 views

Opigno group manager - Less critical - UI redressing (clickjacking) - SA-CONTRIB-2021-019

This project is related to Opigno LMS distribution. It implements the group manager in the Opigno LMS. The module does not set X-Frame-Options and blocks ability of other modules e.g Security Kit to add them, leaving it vulnerable to Clickjacking...

6.6AI score
Exploits0References7
Drupal
Drupal
added 2021/06/16 12:0 a.m.18 views

Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-017

This module provides a revision UI to Block Content entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2021/06/02 12:0 a.m.18 views

GraphQL - Moderately critical - Information Disclosure - SA-CONTRIB-2021-013

This module lets you craft and expose a GraphQL web service API. The module does not sufficiently protect arbitrary exception and error messages thereby exposing an information disclosure vulnerability. This vulnerability is mitigated by the fact that a GraphQL server must be enabled and a data...

6.3AI score
Exploits0References6Affected Software1
Drupal
Drupal
added 2020/07/01 12:0 a.m.18 views

Renderkit - Less critical - Access bypass - SA-CONTRIB-2020-026

The renderkit module contains components which can transform the display of field items sent to it. Some of these components do not respect the 'access' property on the field render element, and thus can make rendered field values visible to visitors who would otherwise not be allowed to see thos...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2020/05/13 12:0 a.m.18 views

Webform - Critical - Access bypass - SA-CONTRIB-2020-018

This webform module enables you to build a 'Term checkboxes' element. The module doesn't sufficiently check term 'view' access when rendering 'Term checkboxes' elements. Unpublished terms will always appear in the 'Term checkboxes' element...

6.6AI score
Exploits0References7
Drupal
Drupal
added 2020/02/05 12:0 a.m.18 views

Views Bulk Operations (VBO) - Moderately critical - Access bypass - SA-CONTRIB-2020-003

Views Bulk Operations provides enhancements to running bulk actions on views. The module contains an access bypass vulnerability that might allow users to execute views actions that they should not have access to. This vulnerability is mitigated by the fact that it only occurs in the case of...

6.9AI score
Exploits0References7
Drupal
Drupal
added 2019/12/11 12:0 a.m.18 views

Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096

This module enables you to create forms to collect information from users and report, analyze and distribute it by email. The 7.x-3.x module doesn't sufficiently sanitize token values taken from query strings. If a query string token is used as the value of a markup component, an attacker can...

6.2AI score
Exploits0References10
Drupal
Drupal
added 2019/11/13 12:0 a.m.18 views

Nexus Theme - Critical - Unsupported - SA-CONTRIB-2019-078

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2019/02/13 12:0 a.m.18 views

Focal Point - Moderately critical - Cross site scripting - SA-CONTRIB-2019-015

This module enables a privileged user to specify the important part of an image for the purposes of cropping. The module doesn't sufficiently sanitize certain form element attributes when the focal point widget is displayed on a form. This vulnerability is mitigated by the fact that an attacker...

6.4AI score
Exploits0References6
Drupal
Drupal
added 2018/11/28 12:0 a.m.18 views

Date Reminder - Moderately critical - Access bypass - SA-CONTRIB-2018-076

This module allows registered users to request email reminders to be sent at a specified time before an event. The module doesn't sufficiently check access to nodes, allowing a user to set a reminder on a node that the user shouldn't be able to access. This can be mitigated with configuring...

6.5AI score
Exploits0References5
Drupal
Drupal
added 2018/10/10 12:0 a.m.18 views

Search API Solr - Moderately critical - Access bypass - SA-CONTRIB-2018-065

This module provides support for creating searches using the Apache Solr search engine and the Search API Drupal module. The module doesn't sufficiently take the searched fulltext fields into account when creating a search excerpt. This can, in specific cases, lead to confidential data being leak...

6.8AI score
Exploits0References7
Drupal
Drupal
added 2018/01/10 12:0 a.m.18 views

Stacks - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-001

This module enables content editors to create complex pages and layouts on the fly without the help from a developer, using reusable widgets. The module does not sufficiently filter values posted to its AJAX endpoint, which leads to the instantiation of an arbitrary PHP class. This vulnerability ...

6.8AI score
Exploits0References5
Drupal
Drupal
added 2017/12/13 12:0 a.m.18 views

Panopoly Core - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-093

This module provides common functionality used by other modules in the Panopoly distribution and child distributions, like, Open Atrium. The module doesn't sufficiently filter node titles used in breadcrumbs when the "Append Page Title to Site Breadcrumb" setting is enabled. This vulnerability is...

6.5AI score
Exploits0References3
Drupal
Drupal
added 2017/10/25 12:0 a.m.18 views

Mosaik - Moderately critical - Cross-site scripting - SA-CONTRIB-2017-080

The Mosaik module enables you to create pages or complex blocks in Drupal with the logic of a real mosaic and its pieces. The module doesn't sufficiently sanitize the titles of fieldsets on its administration pages or the titles of blocks that it creates. This vulnerability is mitigated by the fa...

6.4AI score
Exploits0References6
Drupal
Drupal
added 2017/08/16 12:0 a.m.18 views

Views refresh - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-069

When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views refresh module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to...

7AI score
Exploits0References16
Drupal
Drupal
added 2017/07/05 12:0 a.m.18 views

OAuth - Critical - Access Bypass - SA-CONTRIB-2017-056

This module enables you to protect requests via the OAuth authentication protocol. The module doesn't sufficiently notify the Cache API to avoid caching responses under the scenario in which an authenticated user requests a resource such as unpublished node. This vulnerability is mitigated by the...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2017/02/15 12:0 a.m.18 views

Flag clear - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-017

The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own. The module doesn't sufficiently protect from CSRF attacks. The unflagging links do not...

7.1AI score
Exploits0References11
Drupal
Drupal
added 2017/02/08 12:0 a.m.18 views

Storage API stream wrappers - Moderately Critical - Access bypass - SA-CONTRIB-2017-010

This module provides stream wrappers to integrate Storage API with Drupal, as an alternative to Storage API's corebridge submodule. It provides two stream wrappers: "Storage API Public" and "Storage API Private". The private storage API doesn't sufficiently performs access control allowing...

7.1AI score
Exploits0References14
Drupal
Drupal
added 2016/08/10 12:0 a.m.18 views

Require Login - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2016-045

This module enables you to restrict site access without using user roles or permissions. The module does not sufficiently escape some of its settings, and, in some cases, allows malicious users to bypass the protection offered by Require Login. CVE identifiers issued ACVE identifier will be...

7AI score
Exploits0References12
Drupal
Drupal
added 2016/05/25 12:0 a.m.18 views

XML Sitemap - Moderately Critical - XSS - SA-CONTRIB-2016-030

The XML Sitemap module enables you to create sitemaps which help search engines to more intelligently crawl a website and keep their results up to date. The module doesn't sufficiently filter the URL when it is displayed in the sitemap. This vulnerability is mitigated if the setting for "Include ...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2016/03/16 12:0 a.m.18 views

Fast Autocomplete - Critical - DOS vulnerability - SA-CONTRIB-2016-016

This module enables you to show IMDB-like suggestions when entering terms into an input field using json files to "cache" suggestions making the autocomplete very fast. The module doesn't sufficiently validate the incoming language parameter in the request path when a json file of the module is...

7.1AI score
Exploits0References14
Drupal
Drupal
added 2015/12/02 12:0 a.m.18 views

Token Insert Entity - Moderately Critical - Access bypass and information disclosure - SA-CONTRIB-2015-171

This module offers a WYSIWYG button to embed rendered entities in fields using a WYSIWYG normally the body of a node. There is a vulnerability because a user that can create or edit content and has the "insert entity token" permission can insert tokens relating to e.g. an unpublished node and all...

3.5CVSS6.4AI score0.00906EPSS
Exploits0References11
Drupal
Drupal
added 2015/10/28 12:0 a.m.18 views

Field as Block - Less Critical - Information Disclosure - SA-CONTRIB-2015-161

This module enables you to take a field from the current entity and place it elsewhere as a block. The module caches the block output in a manner that could allow sensitive content to be seen by visitors who should not see it. The problem will only occur when other modules alter field output base...

5CVSS6.2AI score0.01196EPSS
Exploits0References11
Drupal
Drupal
added 2015/09/16 12:0 a.m.18 views

amoCRM - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2015-149

This module enables you to integrate with amoCRM service using webhooks. The module does not sufficiently sanitize the logged data when malicious POST data is received. This vulnerability is mitigated by the fact that a module such "Database logging" dblog must be enabled which displays log...

2.6CVSS6.2AI score0.00913EPSS
Exploits0References10
Drupal
Drupal
added 2015/07/22 12:0 a.m.18 views

Time Tracker - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-135

This module enables you to track time on entities and comments. The module doesn't sufficiently filter notes added to time entries, leading to an XSS/JavaScript injection vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Add Time...

3.5CVSS6.7AI score0.01412EPSS
Exploits0References9
Drupal
Drupal
added 2015/04/22 12:0 a.m.18 views

Node Template - Moderately Critical - Cross Site Request Forgery (CSRF) - Unsupported - SA-CONTRIB-2015-099

Node Template module enables you to define any node as a node template and it can be duplicated later. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with "access node template" permission to delete node templates by getting their browser to make...

6.8CVSS6.3AI score0.00581EPSS
Exploits0References8
Drupal
Drupal
added 2015/04/01 12:0 a.m.18 views

Imagefield Info - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-088

Imagefield Info module enables you to view image field paths so you can easily use them with a WYSIWYG editor. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fa...

2.1CVSS6AI score0.0096EPSS
Exploits0References9
Drupal
Drupal
added 2015/03/04 12:0 a.m.18 views

SA-CONTRIB-2015-070 - Mover - Cross Site Scripting (XSS) - Unsupported

The Mover modules provide the ability to move content between Drupal sites. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to...

3.5CVSS5.9AI score0.00954EPSS
Exploits0References8
Drupal
Drupal
added 2015/02/25 12:0 a.m.18 views

SA-CONTRIB-2015-059 - Spider Video Player - Multiple vulnerabilities - Unsupported

Spider Video Player module enables you to add HTML5 and Flash videos to your site. The module doesn't sufficiently check user input when deleting files. A malicious user could delete arbitrary files by making a request to a specially-crafted URL. This vulnerability is mitigated by the fact that t...

5.8CVSS6.3AI score0.01076EPSS
Exploits0References8
Drupal
Drupal
added 2015/01/14 12:0 a.m.18 views

SA-CONTRIB-2015-017 - Room Reservations - Cross Site Scripting (XSS)

Room Reservations module enables you to manage a room reservation system. The module doesn't sufficiently sanitize the node title of "Room Reservations Category" nodes and the body of "Room Reservations Room" nodes, thereby leading to a Cross Site Scripting XSS vulnerability. This vulnerability i...

3.5CVSS5.7AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2014/09/17 12:0 a.m.18 views

SA-CONTRIB-2014-091 - Survey Builder - Cross Site Scripting (XSS)

This module allows you to use the Form Builder module to provide an intuitive interface for building surveys, along with the back-end for storing surveys and their responses. Cross Site Scripting XSS When viewing surveys at "/surveys", the survey titles printed out are not sanitized. Any...

6.7AI score
Exploits0References11
Drupal
Drupal
added 2014/03/12 12:0 a.m.18 views

SA-CONTRIB-2014-031 - Webform Template - Access Bypass

This module enables you to copy webform config from one node to another. The module doesn't respect node access when providing possible nodes to copy from. As a result, a user may be disclosed the titles of nodes he does not have view access to and as such he may be able to copy the webform...

6.8AI score
Exploits0References11
Total number of security vulnerabilities1940