SA-CONTRIB-2010-089 - Simplenews Content Selection - Cross Site Scripting
This module allows you to select content from your website and send a newsletter with the selected content. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability that may lead to a malicious user gaining full...
SA-CONTRIB-2010-031 - Menu Block - Cross Site Scripting (XSS)
The Menu Block module generates full or partial menu trees that are presented in configurable blocks. When partial menu trees are displayed, the block title uses the text from the partial menu tree's parent menu item. However, that text is not properly sanitized, leading to a Cross Site Scripting...
SA-CONTRIB-2009-112 - Sections - Cross Site Scripting
The Sections module allows the creation of sections within a site. Each section has an installed template, theme or style attached to it. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability. Users who can take...
SA-CONTRIB-2009-069 - Shared Sign On - Cross Site Scripting
The Shared Sign On module enables users to log into one Drupal site and be automatically logged into multiple related Drupal sites. The module suffers multiple vulnerabilities, including Cross Site Request Forgery (CSRF) and Session Fixation. This problem allows an attack...
SA-CONTRIB-2009-053 - Ajax Table - Multiple vulnerabilities
The Ajax Table module allows one to create AJAX-refreshable tables by supplying a few parameters. The module contains a number of security issues. Access bypass: The module lacks access checks, which makes it possible for any user to delete arbitrary users and nodes. Cross site scripting: The modul...
SA-2008-009 - Workflow - Cross site scripting
The Workflow module allows the creation and assignment of arbitrary workflows to Drupal node types. Workflow does not escape certain node properties on output. It is therefore possible to inject arbitrary HTML and script code into certain workflow messages such as those displayed on the workflow...
SA-2007-030 - Drupal Core - API handling of unpublished comment.
The publication status of comments is not passed during the hook_comments API operation, causing various modules that rely on the publication status (such as Organic groups or Subscriptions) to mail out unpublished comments. Versions affected: Drupal 4.7.x before version 4.7.8; Drupal 5.x before...
LoginToboggan - Cross site scripting
The LoginToboggan module provides several modifications of the Drupal login system. One of the features is a block that can be enabled on the site to display the currently logged in user with a "Log out" link. If a user is able to insert JavaScript into their username, they would be able to execute ...
XSS vulnerability in webform module
It is possible for a malicious user to insert and execute XSS in webform pages, due to lack of validation on output. Versions affected: All webform 4.6 and 4.7 versions prior to July 8, 2006. Drupal core is not affected. If you do not use the webform module, there is nothing you need to do...
Config Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-093
This module enables you to access an edit page for a config page. The module doesn't sufficiently check access permissions: hook_ENTITY_TYPE_access() wasn't taken into account. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit ID config page" an...
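The following is an added illustration of the class of bug described above, not the Config Pages module's own code. It assumes a Drupal 10 site, a hypothetical module `my_module` and a hypothetical config entity type `my_config_page`; the routing fragment in the comment is likewise hypothetical. The weak access callback only asks whether the account holds the role permission, so any hook_ENTITY_TYPE_access() implementation (for example a module that restricts a page to its owner) is silently ignored; the hardened one delegates to the entity access API, which runs the entity's access control handler and invokes hook_entity_access() / hook_ENTITY_TYPE_access().

```php
<?php
// Added example (not the Config Pages module's code). Hypothetical names.
//
// my_module.routing.yml (hypothetical):
//   my_module.config_page_edit:
//     path: '/admin/config/pages/{my_config_page}/edit'
//     defaults:
//       _controller: '\Drupal\my_module\Controller\EditPageController::edit'
//     requirements:
//       _custom_access: '\Drupal\my_module\Controller\EditPageController::access'
//     options:
//       parameters:
//         my_config_page: { type: 'entity:my_config_page' }

namespace Drupal\my_module\Controller;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;

class EditPageController extends ControllerBase {

  /**
   * WEAK: only the role permission is consulted. Modules that implement
   * hook_my_config_page_access() to forbid specific pages never get a say.
   */
  public function accessWeak(AccountInterface $account, EntityInterface $my_config_page): AccessResultInterface {
    $permission = 'edit ' . $my_config_page->id() . ' config page';
    return AccessResult::allowedIfHasPermission($account, $permission);
  }

  /**
   * HARDENED: ask the entity system. EntityInterface::access() runs the
   * entity type's access control handler (which can still check the same
   * permission) and then hook_entity_access() / hook_ENTITY_TYPE_access();
   * a single forbidden() from any of them wins. Passing TRUE returns an
   * AccessResult object so cacheability metadata (permissions, entity) is
   * propagated to the route access check instead of being lost.
   */
  public function access(AccountInterface $account, EntityInterface $my_config_page): AccessResultInterface {
    return $my_config_page->access('update', $account, TRUE);
  }

  public function edit(EntityInterface $my_config_page): array {
    return $this->entityFormBuilder()->getForm($my_config_page, 'edit');
  }

}
```

If the edit page is an entity form, the simpler fix is to let the route use `_entity_form: my_config_page.edit` with `_entity_access: my_config_page.update`, which goes through the same `access()` path.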
Piwik PRO - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-058
This module enables you to add the Piwik Pro web statistics tracking system to your website. The module does not check the JS code that is loaded on the website. So a user with the "Administer Piwik Pro" permission could configure the module to load JS from a malicious website. This vulnerability...
One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-062
This module enables you to allow users to include a second authentication method in addition to password authentication. The module doesn't sufficiently prevent TFA from being bypassed when using the REST login routes. A new requirements check has been added to the status report so other...
One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-061
This module enables you to allow users to include a second authentication method in addition to password authentication. The module doesn't sufficiently prevent one time login links from bypassing TFA. This vulnerability is mitigated by the fact that an attacker must have access to an email accou...
Google Tag - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-012
This module enables you to integrate the site with the Google Tag Manager (GTM) application. The module doesn't sufficiently validate the enabling or disabling of a tag container. The routes involved are not protected against Cross Site Request Forgery (CSRF). This vulnerability is mitigated by the...
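An added example of how a state-changing enable/disable action is normally protected in Drupal, written for this page and not taken from the Google Tag module. It assumes Drupal 10, a hypothetical module `my_module` and a hypothetical config entity type `my_container` (any config entity has `setStatus()` and `save()`). A bare GET route that flips the status can be triggered from any third-party page with an `<img src>`; a Form API confirmation form carries a per-session form token that core validates on submission, so the same request forged from another origin is rejected.

```php
<?php
// Added example (not the Google Tag module's code). Hypothetical names.
//
// Vulnerable pattern (hypothetical routing): a GET route whose controller
// calls $my_container->setStatus(TRUE)->save() and redirects. Nothing ties
// the request to the admin's session, so <img src="/admin/.../enable">
// on an attacker's page performs the change with the admin's cookies.
//
// Hardened routing (hypothetical):
//   entity.my_container.enable_form:
//     path: '/admin/config/system/my-container/{my_container}/enable'
//     defaults:
//       _entity_form: 'my_container.enable'
//       _title: 'Enable container'
//     requirements:
//       _entity_access: 'my_container.update'
//
// If a plain link route must stay, add `_csrf_token: 'TRUE'` to its
// requirements; Url::fromRoute() then appends a token that core checks.

namespace Drupal\my_module\Form;

use Drupal\Core\Entity\EntityConfirmFormBase;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Url;

/**
 * Confirmation form for enabling a container.
 *
 * Being a Form API form, it gets a form_token bound to the user's session;
 * FormBuilder refuses submissions whose token is missing or wrong, which is
 * exactly what a cross-site auto-submitting form cannot supply.
 */
class ContainerEnableForm extends EntityConfirmFormBase {

  public function getQuestion() {
    return $this->t('Enable container %label?', ['%label' => $this->entity->label()]);
  }

  public function getCancelUrl() {
    return Url::fromRoute('entity.my_container.collection');
  }

  public function getConfirmText() {
    return $this->t('Enable');
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Only reached after the form token and the route's entity access check pass.
    $this->entity->setStatus(TRUE)->save();
    $this->messenger()->addStatus($this->t('Container %label enabled.', ['%label' => $this->entity->label()]));
    $form_state->setRedirectUrl($this->getCancelUrl());
  }

}
```

The entity type's `handlers.form.enable` entry would point at this class; the same shape with `setStatus(FALSE)` covers the disable action.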
Google Tag - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-011
This module enables you to integrate the site with the Google Tag Manager (GTM) application. The module doesn't have the "restrict access" flag on the "administer google_tag_container" permission. A user with this permission can load a GTM container that completely changes the page or inserts malicio...
Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007
This module enables you to render error pages using the Ignition package. The module disables certain Drupal core code and does not perform sufficient filtering, allowing HTML to be injected in certain situations leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated...
Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-001
This module enables you to do Two-Factor Authentication by email, using a user registered email to send a verification code to the user's email every time the user tries to log in to your site. The module did not sufficiently protect against brute force attacks, allowing an attacker to bypass the...
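An added example of what "sufficiently protect against brute force" looks like for an emailed verification code, written for this page and not taken from the Email TFA module. It assumes Drupal 9/10 (the core `flood` service) and a hypothetical service class in a hypothetical module `my_tfa`; the threshold and window are illustrative. A six-digit code has only a million possibilities, so without a per-user attempt counter and an expiry an attacker who knows the password can simply iterate; the verifier below refuses to compare once the counter is exceeded, counts every failure, expires the code, and compares in constant time.

```php
<?php
// Added example (not the Email TFA module's code). Hypothetical names.

namespace Drupal\my_tfa\Service;

use Drupal\Core\Flood\FloodInterface;

final class CodeVerifier {

  // Hypothetical policy: 5 wrong codes per 15-minute window per account.
  private const THRESHOLD = 5;
  private const WINDOW = 900;
  private const EVENT = 'my_tfa.failed_code';

  public function __construct(private readonly FloodInterface $flood) {}

  /**
   * Returns TRUE only if $submitted matches the stored code, the code has not
   * expired, and the account has not exceeded the failure threshold.
   *
   * @param int $uid          Account the code was emailed to.
   * @param string $submitted Code typed by the user.
   * @param string $expected  Code stored server-side when the email was sent.
   * @param int $expiresAt    Unix timestamp after which the code is dead.
   */
  public function verify(int $uid, string $submitted, string $expected, int $expiresAt): bool {
    $identifier = (string) $uid;

    // Deny before comparing: a locked-out account learns nothing about the code,
    // and the window keeps extending while attempts continue.
    if (!$this->flood->isAllowed(self::EVENT, self::THRESHOLD, self::WINDOW, $identifier)) {
      return FALSE;
    }

    // An expired code counts as a failure too, so "slow" guessing across many
    // windows still has to beat the lifetime of a single code.
    if (time() > $expiresAt) {
      $this->flood->register(self::EVENT, self::WINDOW, $identifier);
      return FALSE;
    }

    // Constant-time comparison; a plain == would also coerce "1e3" == "1000".
    if (!hash_equals($expected, $submitted)) {
      $this->flood->register(self::EVENT, self::WINDOW, $identifier);
      return FALSE;
    }

    // Success: clear the counter. The caller must also invalidate the stored
    // code so it is single-use.
    $this->flood->clear(self::EVENT, $identifier);
    return TRUE;
  }

}
```

Keying the flood event on the account rather than the client IP is deliberate: the attacker controls the IP, not the victim's uid. The `flood` service is injected (`@flood` in the module's services.yml), which also keeps the class unit-testable with a mock.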
Smartling Connector - Less critical - Multiple vulnerabilities - SA-CONTRIB-2024-053
The Smartling module allows you to translate content in Drupal 7 using the Smartling Translation Management Platform. The module includes an outdated version of the Guzzle package (guzzlehttp/guzzle 6.3.3), which has known security vulnerabilities...
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-004
Content within Open Social can have different visibilities. It is possible for a user to create public content even when this should not be allowed. This vulnerability is mitigated by the fact that the site must have public visibility disabled on a global level...
Shorthand - Critical - Access bypass - SA-CONTRIB-2023-038
This module provides integration with Shorthand, an application which describes itself as "beautifully simple storytelling". The module does not check appropriate permissions when displaying a list of all shorthand stories...
Mailchimp - Critical - Cross Site Request Forgery - SA-CONTRIB-2023-025
This module provides integration with Mailchimp, a popular email delivery service. A route related to OAuth authentication is not protected against a Cross Site Request Forgery attack...
Protected Pages - Critical - Access bypass - SA-CONTRIB-2023-013
This module enables you to secure any page with a password. The module does not sufficiently restrict access to the page content...
Media Library Block - Moderately critical - Information Disclosure - SA-CONTRIB-2023-003
The Media Library Block module allows you to render a media entity in a block. The module does not properly check media access in some circumstances. This may result in unauthorized users (including anonymous users) seeing media items they are not authorized to access if a block containing a...
Media Library Form API Element - Moderately critical - Information Disclosure - SA-CONTRIB-2023-004
This module enables you to use the media library in custom forms without the Media Library Widget. The module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access. The...
Entity Registration - Moderately critical - Access bypass - SA-CONTRIB-2022-063
This module enables you to create registration entities related to nodes. The module doesn't sufficiently restrict update access to a user's own registrations. This vulnerability is mitigated by the fact that an attacker must have the "update own registration type" permission...
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-061
Social Flexible Group is an Open Social extension that allows users to create groups with many different configurations. In specific uncommon scenarios, where a platform doesn't have any flexible groups with the "Group members only secret" visibility, community groups are visible to anonymous use...
Printer, email and PDF versions - Critical - Unsupported - SA-CONTRIB-2022-022
Update 2022-05-31: Past and new maintainers have created a fix and new releases which include fixes for the security issue that caused the module to be unsupported. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by...
The Better Mega Menu - Moderately critical - Access bypass - SA-CONTRIB-2021-041
This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. This module has a vulnerability whereby users can select, as a menu item, blocks they don't have permission to view. The vulnerability is mitigated by the fact that it can on...
Form mode manager - Moderately critical - Access bypass - SA-CONTRIB-2021-023
This module provides a user interface that allows the implementation and use of Form modes without custom development. The module does not sufficiently respect access restrictions to entity forms for routes it creates to use specific form modes. This vulnerability is mitigated by the fact that an...
Opigno group manager - Less critical - UI redressing (clickjacking) - SA-CONTRIB-2021-019
This project is related to the Opigno LMS distribution. It implements the group manager in the Opigno LMS. The module does not set the X-Frame-Options header and blocks the ability of other modules (e.g. Security Kit) to add it, leaving it vulnerable to clickjacking...
Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-017
This module provides a revision UI to Block Content entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions...
Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-013
The Webform module allows site builders to create forms. The module doesn't sufficiently prevent malicious code from being rendered via options elements (i.e. select menus, checkboxes, radios, etc.) under the scenario where the site builder allows the raw option value to be displayed. This...
Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096
This module enables you to create forms to collect information from users and report, analyze and distribute it by email. The 7.x-3.x module doesn't sufficiently sanitize token values taken from query strings. If a query string token is used as the value of a markup component, an attacker can...
Feeds JSONPath Parser - Critical - Unsupported - SA-CONTRIB-2019-083
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported Update: Feeds Jsonpat...
TableField - Moderately critical - Access bypass and Cross Site Scripting - SA-CONTRIB-2019-051
This module allows you to attach tabular data to an entity. Access bypass: There's no access check for users with the "Export Tablefield Data as CSV" permission. They can export data from unpublished nodes or otherwise inaccessible entities. This vulnerability is mitigated by the fact that an attacker must ha...
Opigno forum - Less critical - Access bypass - SA-CONTRIB-2019-046
In certain circumstances it is possible that certain forum information is available to unprivileged users because the access check is done with node access instead of grants. This vulnerability is mitigated by the fact that the module itself does not disclose information but only if there are...
TableField - Critical - Remote Code Execution - SA-CONTRIB-2019-045
This module allows you to attach tabular data to an entity. The module doesn't sufficiently determine that the data being unserialized is the contents of a tablefield when users request a CSV export, which could lead to Remote Code Execution via Object Injection. This vulnerability is mitigated b...
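An added plain-PHP example of the unserialize hardening the advisory above calls for; it is written for this page and is not the TableField module's code. The sample table and the serialized-object payload are constructed inline. The point is twofold: `unserialize()` must be told not to instantiate classes, so no `__wakeup`/`__destruct` gadget on the site can run, and the decoded value must be checked to actually be a table (rows of scalar cells) before anything is exported.

```php
<?php
// Added example (not the TableField module's code); runs with plain PHP >= 7.0.

// A TableField-style value as it would sit in the database: rows of scalar cells.
$legit = serialize([
  ['Host', 'Status'],
  ['web-01', 'patched'],
  ['web-02', 'pending'],
]);

// Constructed stand-in for an object-injection payload. On a site with a usable
// gadget class, plain unserialize() would build a live object of that class and
// its magic methods would run; stdClass is used here only so the file is harmless.
$payload = 'O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}';

/**
 * Decode a stored table blob. Returns rows of strings, or NULL when the blob is
 * anything other than a plain table of scalars.
 */
function decode_table(string $blob): ?array {
  // allowed_classes => FALSE: any serialized object becomes
  // __PHP_Incomplete_Class, whose magic methods never execute.
  // The @ silences the notice PHP emits on malformed input.
  $data = @unserialize($blob, ['allowed_classes' => FALSE]);
  if (!is_array($data)) {
    return NULL;
  }
  $rows = [];
  foreach ($data as $row) {
    if (!is_array($row)) {
      return NULL;
    }
    $cells = [];
    foreach ($row as $cell) {
      // Nested arrays and (incomplete) objects are not table cells: reject.
      if ($cell !== NULL && !is_scalar($cell)) {
        return NULL;
      }
      $cells[] = (string) $cell;
    }
    $rows[] = $cells;
  }
  return $rows;
}

/** Render validated rows as CSV text. */
function table_to_csv(array $rows): string {
  $fh = fopen('php://memory', 'r+');
  foreach ($rows as $row) {
    fputcsv($fh, $row, ',', '"', '\\');
  }
  rewind($fh);
  $csv = stream_get_contents($fh);
  fclose($fh);
  return $csv;
}

var_dump(decode_table($payload) === NULL);   // bool(true): object payload refused
var_dump(decode_table('garbage') === NULL);  // bool(true): malformed blob refused
echo table_to_csv(decode_table($legit));     // Host,Status / web-01,patched / web-02,pending
```

On a Drupal site the same validation belongs in the field item's value handling; the CSV route should additionally check `$entity->access('view')` for the host entity (the access bypass in SA-CONTRIB-2019-051 above is the other half of the same export path).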
AddToAny Share Buttons - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-039
This module enables you to add social media share buttons on your website to its content and pages. The module doesn't sufficiently mark its administration permission as restricted, allowing cross site scripting vulnerabilities to users who have access to its admin settings. This vulnerability is...
Video - Critical - Remote Code Execution - SA-CONTRIB-2019-037
This module provides a field where editors can add videos to their content and this module offers functionality to transcode these videos to different sizes and formats. The module doesn't sufficiently sanitize some user input on administrative forms...
Focal Point - Moderately critical - Cross site scripting - SA-CONTRIB-2019-015
This module enables a privileged user to specify the important part of an image for the purposes of cropping. The module doesn't sufficiently sanitize certain form element attributes when the focal point widget is displayed on a form. This vulnerability is mitigated by the fact that an attacker...
Drupal OAuth & OpenID Connect Login - OAuth2 Client SSO Login - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-016
This module enables you to allow login into the Drupal websites through an external provider over the OAuth 2.0 protocol. The module sets a Drupal variable used for redirection based on unsanitised user input, leading to an Open Redirect vulnerability. It also fails to sanitise user input which i...
Anti-Spam by CleanTalk - Critical - Cross site scripting and SQL Injection - SA-CONTRIB-2019-010
The Anti-spam module by CleanTalk protects your Drupal sites from spambot registration and spam comment publication through comment and contact forms. This module does not sufficiently filter submitted content in certain circumstances...
File (Field) Paths - Critical - Remote Code Execution - SA-CONTRIB-2018-056
This module enables you to automatically sort and rename your uploaded files using token based replacement patterns to maintain a nice clean filesystem. The module doesn't sufficiently sanitize the path while a new file is being uploaded, allowing a remote attacker to execute arbitrary PHP code. This...
NewsFlash - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-049
This theme features 7 color styles, 12 collapsible regions, suckerfish menus, fluid or fixed widths, and lots more. The theme doesn't sufficiently sanitize user input. This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site...
Panopoly Core - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-093
This module provides common functionality used by other modules in the Panopoly distribution and child distributions, like, Open Atrium. The module doesn't sufficiently filter node titles used in breadcrumbs when the "Append Page Title to Site Breadcrumb" setting is enabled. This vulnerability is...
Mosaik - Moderately critical - Cross-site scripting - SA-CONTRIB-2017-080
The Mosaik module enables you to create pages or complex blocks in Drupal with the logic of a real mosaic and its pieces. The module doesn't sufficiently sanitize the titles of fieldsets on its administration pages or the titles of blocks that it creates. This vulnerability is mitigated by the fa...
Facebook Like Button - Moderately Critical - XSS - DRUPAL-SA-CONTRIB-2017-066
This module provides a Facebook Like button on node pages and blocks. The module does not sufficiently sanitize output when configured to use custom CSS rules. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer fblikebutton". CVE...
Custom Landing Page Builder - Unsupported - SA-CONTRIB-2017-050
The Custom Landing Page Builder module allows webmasters to build custom landing pages using a WYSIWYG editor while still having full control over the full layout of the page including the header, navigation, page content, footer, forms etc. The security team is marking this module unsupported...
shib_auth - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-043
This module enables you to login via Shibboleth. The module doesn't sufficiently log out the user when the Shibboleth session expires, which depending on the caching mechanism makes private data public. This vulnerability is mitigated by the fact that shib_auth would have to be used in combination with a...
OAuth - Less Critical - Access Bypass - SA-CONTRIB-2017-006
This module enables you to use the OAuth 1.0a protocol to authenticate requests. The module does not implement the OAuth 1.0a security fix reported at https://oauth.net/advisories/2009-1/. CVE identifiers issued: A CVE identifier will be requested, and added upon issuance, in accordance wit...
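An added toy model of the 2009-1 fix (the `oauth_verifier`), written for this page and not taken from the OAuth module. It is plain PHP with no signing, transport or real consumer; the provider class, the token formats and the attack script are all constructed. The session fixation attack the advisory fixes works like this: the attacker starts an OAuth flow at a legitimate consumer, obtains the authorization URL containing the request token, and gets the victim to approve it; under OAuth 1.0 the attacker can then complete the token exchange (or re-visit the consumer's callback) and end up holding access to the victim's resources. OAuth 1.0a makes the provider hand a fresh verifier to the resource owner at approval time and requires it at the exchange, so a request token alone is worthless.

```php
<?php
// Added example (not the OAuth module's code). Everything here is constructed.

final class ToyProvider {

  /** request token => ['authorized' => bool, 'verifier' => ?string] */
  private array $requestTokens = [];

  /** Step 1: consumer obtains a temporary (request) token. */
  public function issueRequestToken(): string {
    $token = bin2hex(random_bytes(8));
    $this->requestTokens[$token] = ['authorized' => FALSE, 'verifier' => NULL];
    return $token;
  }

  /**
   * Step 2: the resource owner approves at the provider. The verifier is
   * delivered only to that owner's browser (shown on screen or appended to the
   * consumer callback registered in step 1), never to whoever minted the token.
   */
  public function authorize(string $token): string {
    $verifier = bin2hex(random_bytes(16));
    $this->requestTokens[$token] = ['authorized' => TRUE, 'verifier' => $verifier];
    return $verifier;
  }

  /** OAuth 1.0 (pre-fix): any party holding an authorized request token gets access. */
  public function exchangeV10(string $token): ?string {
    if (empty($this->requestTokens[$token]['authorized'])) {
      return NULL;
    }
    unset($this->requestTokens[$token]);
    return 'access-' . bin2hex(random_bytes(8));
  }

  /** OAuth 1.0a: the exchange must present the verifier the owner received. */
  public function exchangeV10a(string $token, ?string $verifier): ?string {
    $entry = $this->requestTokens[$token] ?? NULL;
    if ($entry === NULL || !$entry['authorized'] || $verifier === NULL
        || !hash_equals($entry['verifier'], $verifier)) {
      return NULL;
    }
    unset($this->requestTokens[$token]); // single use: a replay fails too
    return 'access-' . bin2hex(random_bytes(8));
  }

}

// Attack against OAuth 1.0: attacker mints the token, victim approves it.
$p = new ToyProvider();
$attackerToken = $p->issueRequestToken();
$p->authorize($attackerToken);                                   // victim clicks "Allow"
var_dump($p->exchangeV10($attackerToken) !== NULL);              // bool(true): attacker wins

// Same attack against OAuth 1.0a: the verifier went to the victim, not the attacker.
$p = new ToyProvider();
$attackerToken = $p->issueRequestToken();
$victimVerifier = $p->authorize($attackerToken);
var_dump($p->exchangeV10a($attackerToken, NULL) === NULL);       // bool(true): no verifier
var_dump($p->exchangeV10a($attackerToken, 'guess') === NULL);    // bool(true): wrong verifier
var_dump($p->exchangeV10a($attackerToken, $victimVerifier) !== NULL); // bool(true): legitimate path
var_dump($p->exchangeV10a($attackerToken, $victimVerifier) === NULL); // bool(true): no replay
```

The second half of the 2009-1 fix, not modelled above, is that the consumer's callback URL is sent with the request-token request (and confirmed by the provider with `oauth_callback_confirmed=true`) instead of being supplied at authorization time, so an attacker cannot point the post-approval redirect at a host they control.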