1940 matches found
SA-CONTRIB-2015-059 - Spider Video Player - Multiple vulnerabilities - Unsupported
Spider Video Player module enables you to add HTML5 and Flash videos to your site. The module doesn't sufficiently check user input when deleting files. A malicious user could delete arbitrary files by making a request to a specially-crafted URL. This vulnerability is mitigated by the fact that t...
SA-CONTRIB-2015-017 - Room Reservations - Cross Site Scripting (XSS)
Room Reservations module enables you to manage a room reservation system. The module doesn't sufficiently sanitize the node title of "Room Reservations Category" nodes and the body of "Room Reservations Room" nodes, thereby leading to a Cross Site Scripting XSS vulnerability. This vulnerability i...
SA-CONTRIB-2014-091 - Survey Builder - Cross Site Scripting (XSS)
This module allows you to use the Form Builder module to provide an intuitive interface for building surveys, along with the back-end for storing surveys and their responses. Cross Site Scripting XSS When viewing surveys at "/surveys", the survey titles printed out are not sanitized. Any...
SA-CONTRIB-2014-031 - Webform Template - Access Bypass
This module enables you to copy webform config from one node to another. The module doesn't respect node access when providing possible nodes to copy from. As a result, a user may be disclosed the titles of nodes he does not have view access to and as such he may be able to copy the webform...
SA-CONTRIB-2014-026 - Mime Mail - Access bypass
The MIME Mail module allows processing of incoming MIME-encoded e-mail messages with embedded images and attachments. The default key for the authentication of incoming messages is generated from a random number. On some platforms such as Windows the maximum value of this number is only 32767 whi...
SA-CONTRIB-2014-021 - Maestro - Cross Site Scripting (XSS)
The Maestro module enables you to create complex workflows, automating business processes. The module doesn't sufficiently filter Role or Organic Group names when displaying them in the workflow details. This vulnerability is mitigated by the fact that an attacker must have a role with the...
SA-CONTRIB-2014-002 - Anonymous Posting - Cross Site Scripting (XSS)
This module allows anonymous users to fill in their contact information name, email and homepage when posting any content type including Forum Topics. This allows the submitted name to be shown instead of the usual anonymous string provided by Drupal core. The module doesn't properly sanitize the...
SA-CONTRIB-2013-087 - Payment for Webform - Access Bypass
This module enables you to ask for or require payments before users can submit webforms. It previously allowed anonymous users to sometimes use other anonymous users' payments when submitting a form. Payment for Webform never supported anonymous users, but there was also nothing that prevented th...
SA-CONTRIB-2013-081 - Spaces - Access bypass
This module enables you to make configuration options generally available only at the sitewide level to be configurable and overridden by individual "spaces" on a Drupal site. The spaces submodule, Spaces OG, doesn't properly handle deleting of organic group group spaces when the option to move t...
SA-CONTRIB-2013-068 - Entity API - Access Bypass
The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. The module doesn't sufficiently enforce node access restrictions when checking for a user's access to view a comment associated with a particular node. The...
SA-CONTRIB-2013-029 - Business theme - Cross Site Scripting (XSS)
This third-party contributed theme change Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...
SA-CONTRIB-2013-027 - Professional theme - Cross Site Scripting (XSS)
This third-party contributed theme change Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...
SA-CONTRIB-2013-003 - RESTful Web Services - Cross site request forgery (CSRF)
This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module doesn't sufficiently verify POST requests thereby exposing a Cross Site Request Forgery vulnerability. This vulnerability is...
SA-CONTRIB-2012-155 - ShareThis - Cross Site Scripting (XSS)
This module enables integration with the ShareThis web service to allow social bookmarking amongst your users. The module doesn't sufficiently filter JavaScript settings before outputting them. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...
SA-CONTRIB-2012-140 - Inf08 - Cross Site Scripting (XSS)
Inf08 is a valid XHTML 1.0 Strict / CSS 2.1 theme ported from the free CSS template. The theme contains an arbitrary script injection vulnerability XSS due to the fact that it fails to sanitize user supplied taxonomy vocabulary names before display. This vulnerability is mitigated by the fact tha...
SA-CONTRIB-2012-116 - Subuser - Cross Site Request Forgery (CSRF) and Access Bypass
The Subuser module allows users to be given the permission to create subusers. The subusers may then be automatically assigned a role or roles. The parent user then has the ability to manage the subusers they have created. A parent user is allowed to assume the role of a subuser they created swit...
SA-CONTRIB-2012-098 - Janrain Capture - Open Redirect
This module allows for authentication through the cloud user-management platform Janrain Capture. Part of the module exposes an endpoint to re-synchronize user data between Drupal and Capture and allows for passing an optional parameter to redirect the user back to an original location. This...
SA-CONTRIB-2012-099 - Node Hierarchy - Cross Site Request Forgery (CSRF)
Node Hierarchy module allows for the creation of parent child relationships among nodes that can create a tree-like hierarchy of content. The module doesn't sufficiently confirm user intent when reordering children nodes allowing a malicious user to trick a site admin to changing the desired...
SA-CONTRIB-2012-084 - Search API - Cross Site Scripting (XSS)
CVE: CVE-2012-2712 This module enables you to build searches using a wide range of features, data sources and backends. The module doesn't sufficiently sanitize user input in some cases when throwing exceptions or logging errors. This enables attackers to insert arbitrary data into a page by...
SA-CONTRIB-2012-062 - Creative Commons - Cross Site Scripting (XSS)
CVE: CVE-2012-2297 The Creative Commons module allows users to select and assign a Creative Commons license to a node and any attached content, or to the entire site. The module did not sufficiently filter the text describing licenses. This vulnerability is mitigated by the fact that an attacker...
SA-CONTRIB-2012-032 - Block Class - Cross Site scripting
CVE: CVE-2012-1657 The block class module allows users to add classes to any block through the block's configuration interface The class names in a block were not properly filtered. Someone with the ability to modify or create blocks could inject java script that would be rendered when viewing th...
SA-CONTRIB-2012-011 - Panels - Cross Site Scripting (XSS)
CVE: CVE-2012-0914 The Panels module allows a site administrator to create customized layouts for multiple uses. The module doesn't sufficiently sanitize administrator supplied data. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer pane...
SA-CONTRIB-2013-004 - Live CSS - Arbitrary Code Execution
This module enables you to save CSS and LESS files on the server via your browser. The module doesn't check that the file being saved isn't a script or executable. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer CSS". CVE identifiers...
SA-CONTRIB-2011-032 - Mail Logger - Cross Site Scripting
The Mail Logger module logs all outgoing e-mails and provides users with the "access mail logger" permission to view logged e-mails. The module does not sanitize the log output of addressee information, subject, and body, leading to a Cross-Site Scripting XSS vulnerability that may lead to a...
SA-CONTRIB-2011-034 - Display Suite - Cross Site Scripting
Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. Arrange your nodes, views, comments, user data etc. the way you want without having to work your way through dozens of template files. In certain situations, Display Suite does not...
SA-CONTRIB-2011-018 - Node Reference URL Widget - Cross Site Scripting
The Node Reference URL Widget module adds a new widget to the Node Reference field type, allowing node reference fields to be auto-populated based on a value from the URL. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS...
SA-CONTRIB-2010-092 - Advanced Book Blocks - Multiple Vulnerabilities
The Advanced Book Blocks module enables you to integrate with the API provided by the JQuery Menu module version 1.8 and higher to provide click and expand book menus with the ability to customize each block individually. The module contained Cross Site Scripting vulnerabilities which could allow...
SA-CONTRIB-2010-089 - Simplenews Content Selection - Cross Site Scripting
This module allows you to select content from your website and send a newsletter with the selected content. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability that may lead to a malicious user gaining full...
SA-CONTRIB 2010-075 - Tagging - Cross Site Scripting
The Tagging module provides an alternative input widget and other features for taxonomy terms. The module does not properly escape user-provided content submitted to free-tagging vocabularies displayed on node previews, leading to a Cross Site Scripting XSS vulnerability. Any user with permission...
SA-CONTRIB-2010-068 - Masquerade - Cross Site Request Forgery
The masquerade module is designed as a tool for site designers and administrators, allowing a user with the right permissions to temporarily masquerade as another user. The module is vulnerable to Cross Site Request Forgeries CSRF via the masquerade/switch and masquerade/unswitch paths. Versions...
SA-CONTRIB-2010-010 - Author Contact - Cross site scripting
The Author Contact module provides a form to contact the author of the current post. The module does not properly sanitize parts of the provided block, leading to a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user gaining full administrative access. A user must...
SA-CONTRIB-2009-112 - Sections - Cross Site Scripting
The Sections module allows the creation of sections within a site. Each section has an installed template, theme or style attached to it. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. Users who can take...
SA-CONTRIB-2009-097 - Organic Groups Vocabulary - Cross Site Scripting
The Organic Groups Vocabulary module enables a vocabulary to be restricted for use to a specific Organic Group. The module does not sanitize before outputting the group title in some cases, resulting in a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user gaining...
SA-CONTRIB-2009-053 - Ajax Table - Multiple vulnerabilities
The Ajax Table module allows one to create AJAX-refreshable tables by supplying a few parameters. Access bypass The module lacks access checks, which makes it possible for any user to delete arbitrary users and nodes. The module contains a number of security issues. Cross site scripting The modul...
SA-CONTRIB-2009-009 Forward module can be used as a spam relay
This vulnerability allows spammers or spambots to use sites with the Forward module installed to send nearly unlimited e-mail. Due to improper use of Drupal's flood control API, it is possible for one user to send an unlimited numbers of mails using the forward module. Important note : the securi...
SA-2008-039 - Suggested terms - Cross site scripting
This module provides "suggested terms" for free-tagging Taxonomy fields based on terms already submitted. Taxonomy terms as presented in the clickable list are not properly sanitized. Users who are able to create new terms are able to insert arbitrary script code and HTML into certain edit pages...
SA-2007-030 - Drupal Core - API handling of unpublished comment.
The publication status of comments is not passed during the hookcomments API operation, causing various modules that rely on the publication status such as Organic groups, or Subscriptions to mail out unpublished comments. Versions affected Drupal 4.7.x before version 4.7.8 Drupal 5.x before...
LoginToboggan - Cross site scripting
The LoginToboggan module provides several modifications of the Drupal login system. One of the features is a block that can be enabled on the site to display the currently logged in user with a "Log out" link. If a user is able to insert JavaScript into their username, they would be able execute ...
DRUPAL-SA-2006-011 XSS Vulnerability in user module
A malicious user can execute a cross site scripting attack by enticing someone to visit a Drupal site via a specially crafted link. Versions affected Drupal 4.6.x versions before Drupal 4.6.9 Drupal 4.7.x versions before Drupal 4.7.3 Solution If you are running Drupal 4.6.x then upgrade to Drupal...
XSS vulnerability in webform module
It is possible for a malicious user to insert and execute XSS into webform pages, due to lack of validation on output. Versions affected All webform 4.6 and 4.7 versions prior to July 8, 2006. Drupal core is not affected. If you do not use the webform module, there is nothing you need to do...
DRUPAL-SA-2006-005 - Drupal core - SQL injection vulnerability
A security vulnerability in the database layer allowed certain queries to be submitted to the database without going through Drupal's query sanitizer. This problem represents a critical security vulnerability and should be patched or upgraded immediately. Versions affected - Drupal 4.6.6 and...
DRUPAL-SA-2006-001 Security bypass in menu.module
If you use menu.module to create a menu item, the page you point to will be accessible to all, even if it is an admin page. Versions affected All Drupal versions before 4.6.6. Solution If you are running Drupal 4.5.x then upgrade to Drupal 4.5.8. If you are running Drupal 4.6.x then upgrade to...
Anti-Spam by CleanTalk - Moderately critical - Cross site scripting - SA-CONTRIB-2026-042
This module provides spam protection using the CleanTalk cloud service. The module doesn't sufficiently sanitize API response messages before rendering them in HTML output. The cleantalkdie and ctdie functions output the CleanTalk API response message directly into HTML without proper sanitizatio...
Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037
This module enables you to export entity date fields as iCal feeds. The module doesn't sufficiently check entity or field access or sanitize user inputs when generating iCal feeds. This vulnerability is not mitigated by any permission, the routes are accessible to all anonymous users with no...
Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029
This module creates permissions per node content type to control access to unpublished nodes per content type. The module does not consistently control access for unpublished translated nodes...
AI SEO Link Advisor - Less critical - Server-side Request Forgery - SA-CONTRIB-2025-095
This module enables you to provide SEO analysis and recommendations for a given URL. The module doesn't sufficiently sanitize user-supplied URLs, leading to a Server-side request forgery SSRF vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...
GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094
This module enables you to integrate Google Tag Manager GTM into your Drupal site by allowing administrators to configure and embed GTM container snippets. The module doesn't sufficiently sanitize the GTM container ID under the scenario where a user with the Administer gtm permission enters...
Real-time SEO for Drupal - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-091
This module enables you to analyze the content that you're authoring for a website. It shows you a preview of what a search result might look like. The module doesn't sufficiently escape the metadata from content while rendering the preview, opening up the possibility of a XSS attack. This...
COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-075
This module provides a format filter, which allows you to "disable" certain HTML elements e.g. remove their src attribute specified by the user. These elements will be enabled again, once the COOKiES banner is accepted. The module doesn't sufficiently check whether to convert "data-src" attribute...
Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-064
This module provides a block to easily display a rendered node. The module doesn't check access to content before displaying it to a visitor, allowing unauthorized users to retrieve a list of labels of all nodes...