Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2015/02/25 12:0 a.m.18 views

SA-CONTRIB-2015-059 - Spider Video Player - Multiple vulnerabilities - Unsupported

Spider Video Player module enables you to add HTML5 and Flash videos to your site. The module doesn't sufficiently check user input when deleting files. A malicious user could delete arbitrary files by making a request to a specially-crafted URL. This vulnerability is mitigated by the fact that t...

5.8CVSS6.3AI score0.01076EPSS
Exploits0References8
Drupal
Drupal
added 2015/01/14 12:0 a.m.18 views

SA-CONTRIB-2015-017 - Room Reservations - Cross Site Scripting (XSS)

Room Reservations module enables you to manage a room reservation system. The module doesn't sufficiently sanitize the node title of "Room Reservations Category" nodes and the body of "Room Reservations Room" nodes, thereby leading to a Cross Site Scripting XSS vulnerability. This vulnerability i...

3.5CVSS5.7AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2014/09/17 12:0 a.m.18 views

SA-CONTRIB-2014-091 - Survey Builder - Cross Site Scripting (XSS)

This module allows you to use the Form Builder module to provide an intuitive interface for building surveys, along with the back-end for storing surveys and their responses. Cross Site Scripting XSS When viewing surveys at "/surveys", the survey titles printed out are not sanitized. Any...

6.7AI score
Exploits0References11
Drupal
Drupal
added 2014/03/12 12:0 a.m.18 views

SA-CONTRIB-2014-031 - Webform Template - Access Bypass

This module enables you to copy webform config from one node to another. The module doesn't respect node access when providing possible nodes to copy from. As a result, a user may be disclosed the titles of nodes he does not have view access to and as such he may be able to copy the webform...

6.8AI score
Exploits0References11
Drupal
Drupal
added 2014/02/26 12:0 a.m.18 views

SA-CONTRIB-2014-026 - Mime Mail - Access bypass

The MIME Mail module allows processing of incoming MIME-encoded e-mail messages with embedded images and attachments. The default key for the authentication of incoming messages is generated from a random number. On some platforms such as Windows the maximum value of this number is only 32767 whi...

7.3AI score
Exploits0References13
Drupal
Drupal
added 2014/02/19 12:0 a.m.18 views

SA-CONTRIB-2014-021 - Maestro - Cross Site Scripting (XSS)

The Maestro module enables you to create complex workflows, automating business processes. The module doesn't sufficiently filter Role or Organic Group names when displaying them in the workflow details. This vulnerability is mitigated by the fact that an attacker must have a role with the...

3.5CVSS6.3AI score0.00946EPSS
Exploits0References12
Drupal
Drupal
added 2014/01/15 12:0 a.m.18 views

SA-CONTRIB-2014-002 - Anonymous Posting - Cross Site Scripting (XSS)

This module allows anonymous users to fill in their contact information name, email and homepage when posting any content type including Forum Topics. This allows the submitted name to be shown instead of the usual anonymous string provided by Drupal core. The module doesn't properly sanitize the...

4.3CVSS6.1AI score0.02177EPSS
Exploits0References10
Drupal
Drupal
added 2013/11/06 12:0 a.m.18 views

SA-CONTRIB-2013-087 - Payment for Webform - Access Bypass

This module enables you to ask for or require payments before users can submit webforms. It previously allowed anonymous users to sometimes use other anonymous users' payments when submitting a form. Payment for Webform never supported anonymous users, but there was also nothing that prevented th...

4.3CVSS6.5AI score0.01042EPSS
Exploits0References12
Drupal
Drupal
added 2013/10/23 12:0 a.m.18 views

SA-CONTRIB-2013-081 - Spaces - Access bypass

This module enables you to make configuration options generally available only at the sitewide level to be configurable and overridden by individual "spaces" on a Drupal site. The spaces submodule, Spaces OG, doesn't properly handle deleting of organic group group spaces when the option to move t...

2.1CVSS6.2AI score0.00946EPSS
Exploits0References8
Drupal
Drupal
added 2013/08/14 12:0 a.m.18 views

SA-CONTRIB-2013-068 - Entity API - Access Bypass

The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. The module doesn't sufficiently enforce node access restrictions when checking for a user's access to view a comment associated with a particular node. The...

4CVSS6.2AI score0.01082EPSS
Exploits0References15
Drupal
Drupal
added 2013/02/27 12:0 a.m.18 views

SA-CONTRIB-2013-029 - Business theme - Cross Site Scripting (XSS)

This third-party contributed theme change Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.6AI score0.01089EPSS
Exploits0References10
Drupal
Drupal
added 2013/02/06 12:0 a.m.18 views

SA-CONTRIB-2013-027 - Professional theme - Cross Site Scripting (XSS)

This third-party contributed theme change Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.6AI score0.00941EPSS
Exploits0References10
Drupal
Drupal
added 2013/01/16 12:0 a.m.18 views

SA-CONTRIB-2013-003 - RESTful Web Services - Cross site request forgery (CSRF)

This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module doesn't sufficiently verify POST requests thereby exposing a Cross Site Request Forgery vulnerability. This vulnerability is...

6.8CVSS6.3AI score0.00673EPSS
Exploits0References8
Drupal
Drupal
added 2012/10/10 12:0 a.m.18 views

SA-CONTRIB-2012-155 - ShareThis - Cross Site Scripting (XSS)

This module enables integration with the ShareThis web service to allow social bookmarking amongst your users. The module doesn't sufficiently filter JavaScript settings before outputting them. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...

2.1CVSS6.3AI score0.00941EPSS
Exploits0References13
Drupal
Drupal
added 2012/09/12 12:0 a.m.18 views

SA-CONTRIB-2012-140 - Inf08 - Cross Site Scripting (XSS)

Inf08 is a valid XHTML 1.0 Strict / CSS 2.1 theme ported from the free CSS template. The theme contains an arbitrary script injection vulnerability XSS due to the fact that it fails to sanitize user supplied taxonomy vocabulary names before display. This vulnerability is mitigated by the fact tha...

7AI score
Exploits0References9
Drupal
Drupal
added 2012/07/25 12:0 a.m.18 views

SA-CONTRIB-2012-116 - Subuser - Cross Site Request Forgery (CSRF) and Access Bypass

The Subuser module allows users to be given the permission to create subusers. The subusers may then be automatically assigned a role or roles. The parent user then has the ability to manage the subusers they have created. A parent user is allowed to assume the role of a subuser they created swit...

6.9AI score
Exploits0References11
Drupal
Drupal
added 2012/06/13 12:0 a.m.18 views

SA-CONTRIB-2012-098 - Janrain Capture - Open Redirect

This module allows for authentication through the cloud user-management platform Janrain Capture. Part of the module exposes an endpoint to re-synchronize user data between Drupal and Capture and allows for passing an optional parameter to redirect the user back to an original location. This...

5.8CVSS6.8AI score0.02345EPSS
Exploits0References10
Drupal
Drupal
added 2012/06/13 12:0 a.m.18 views

SA-CONTRIB-2012-099 - Node Hierarchy - Cross Site Request Forgery (CSRF)

Node Hierarchy module allows for the creation of parent child relationships among nodes that can create a tree-like hierarchy of content. The module doesn't sufficiently confirm user intent when reordering children nodes allowing a malicious user to trick a site admin to changing the desired...

6.8CVSS6.3AI score0.01158EPSS
Exploits1References9
Drupal
Drupal
added 2012/05/23 12:0 a.m.18 views

SA-CONTRIB-2012-084 - Search API - Cross Site Scripting (XSS)

CVE: CVE-2012-2712 This module enables you to build searches using a wide range of features, data sources and backends. The module doesn't sufficiently sanitize user input in some cases when throwing exceptions or logging errors. This enables attackers to insert arbitrary data into a page by...

2.6CVSS6.3AI score0.02155EPSS
Exploits1References11
Drupal
Drupal
added 2012/04/25 12:0 a.m.18 views

SA-CONTRIB-2012-062 - Creative Commons - Cross Site Scripting (XSS)

CVE: CVE-2012-2297 The Creative Commons module allows users to select and assign a Creative Commons license to a node and any attached content, or to the entire site. The module did not sufficiently filter the text describing licenses. This vulnerability is mitigated by the fact that an attacker...

2.1CVSS6.3AI score0.01089EPSS
Exploits0References11
Drupal
Drupal
added 2012/03/07 12:0 a.m.18 views

SA-CONTRIB-2012-032 - Block Class - Cross Site scripting

CVE: CVE-2012-1657 The block class module allows users to add classes to any block through the block's configuration interface The class names in a block were not properly filtered. Someone with the ability to modify or create blocks could inject java script that would be rendered when viewing th...

2.1CVSS6.3AI score0.01607EPSS
Exploits0References10
Drupal
Drupal
added 2012/01/18 12:0 a.m.18 views

SA-CONTRIB-2012-011 - Panels - Cross Site Scripting (XSS)

CVE: CVE-2012-0914 The Panels module allows a site administrator to create customized layouts for multiple uses. The module doesn't sufficiently sanitize administrator supplied data. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer pane...

4.3CVSS6.2AI score0.02361EPSS
Exploits0References10
Drupal
Drupal
added 2012/01/16 12:0 a.m.18 views

SA-CONTRIB-2013-004 - Live CSS - Arbitrary Code Execution

This module enables you to save CSS and LESS files on the server via your browser. The module doesn't check that the file being saved isn't a script or executable. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer CSS". CVE identifiers...

6CVSS6.3AI score0.01857EPSS
Exploits0References11
Drupal
Drupal
added 2011/08/03 12:0 a.m.18 views

SA-CONTRIB-2011-032 - Mail Logger - Cross Site Scripting

The Mail Logger module logs all outgoing e-mails and provides users with the "access mail logger" permission to view logged e-mails. The module does not sanitize the log output of addressee information, subject, and body, leading to a Cross-Site Scripting XSS vulnerability that may lead to a...

5.8AI score
Exploits0References12
Drupal
Drupal
added 2011/08/03 12:0 a.m.18 views

SA-CONTRIB-2011-034 - Display Suite - Cross Site Scripting

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. Arrange your nodes, views, comments, user data etc. the way you want without having to work your way through dozens of template files. In certain situations, Display Suite does not...

6.2AI score
Exploits0References10
Drupal
Drupal
added 2011/04/27 12:0 a.m.18 views

SA-CONTRIB-2011-018 - Node Reference URL Widget - Cross Site Scripting

The Node Reference URL Widget module adds a new widget to the Node Reference field type, allowing node reference fields to be auto-populated based on a value from the URL. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS...

6.1AI score
Exploits0References12
Drupal
Drupal
added 2010/09/15 12:0 a.m.18 views

SA-CONTRIB-2010-092 - Advanced Book Blocks - Multiple Vulnerabilities

The Advanced Book Blocks module enables you to integrate with the API provided by the JQuery Menu module version 1.8 and higher to provide click and expand book menus with the ability to customize each block individually. The module contained Cross Site Scripting vulnerabilities which could allow...

7AI score
Exploits0References6
Drupal
Drupal
added 2010/08/18 12:0 a.m.18 views

SA-CONTRIB-2010-089 - Simplenews Content Selection - Cross Site Scripting

This module allows you to select content from your website and send a newsletter with the selected content. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability that may lead to a malicious user gaining full...

6.1AI score
Exploits0References7
Drupal
Drupal
added 2010/07/21 12:0 a.m.18 views

SA-CONTRIB 2010-075 - Tagging - Cross Site Scripting

The Tagging module provides an alternative input widget and other features for taxonomy terms. The module does not properly escape user-provided content submitted to free-tagging vocabularies displayed on node previews, leading to a Cross Site Scripting XSS vulnerability. Any user with permission...

6.3AI score
Exploits0References8
Drupal
Drupal
added 2010/06/23 12:0 a.m.18 views

SA-CONTRIB-2010-068 - Masquerade - Cross Site Request Forgery

The masquerade module is designed as a tool for site designers and administrators, allowing a user with the right permissions to temporarily masquerade as another user. The module is vulnerable to Cross Site Request Forgeries CSRF via the masquerade/switch and masquerade/unswitch paths. Versions...

7.2AI score
Exploits0References10
Drupal
Drupal
added 2010/01/27 12:0 a.m.18 views

SA-CONTRIB-2010-010 - Author Contact - Cross site scripting

The Author Contact module provides a form to contact the author of the current post. The module does not properly sanitize parts of the provided block, leading to a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user gaining full administrative access. A user must...

6AI score
Exploits0References8
Drupal
Drupal
added 2009/12/16 12:0 a.m.18 views

SA-CONTRIB-2009-112 - Sections - Cross Site Scripting

The Sections module allows the creation of sections within a site. Each section has an installed template, theme or style attached to it. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. Users who can take...

6.3AI score
Exploits0References7
Drupal
Drupal
added 2009/11/04 12:0 a.m.18 views

SA-CONTRIB-2009-097 - Organic Groups Vocabulary - Cross Site Scripting

The Organic Groups Vocabulary module enables a vocabulary to be restricted for use to a specific Organic Group. The module does not sanitize before outputting the group title in some cases, resulting in a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user gaining...

6.1AI score
Exploits0References7
Drupal
Drupal
added 2009/08/26 12:0 a.m.18 views

SA-CONTRIB-2009-053 - Ajax Table - Multiple vulnerabilities

The Ajax Table module allows one to create AJAX-refreshable tables by supplying a few parameters. Access bypass The module lacks access checks, which makes it possible for any user to delete arbitrary users and nodes. The module contains a number of security issues. Cross site scripting The modul...

6.3AI score
Exploits0References3
Drupal
Drupal
added 2009/03/11 12:0 a.m.18 views

SA-CONTRIB-2009-009 Forward module can be used as a spam relay

This vulnerability allows spammers or spambots to use sites with the Forward module installed to send nearly unlimited e-mail. Due to improper use of Drupal's flood control API, it is possible for one user to send an unlimited numbers of mails using the forward module. Important note : the securi...

7.1AI score
Exploits0References3
Drupal
Drupal
added 2008/06/25 12:0 a.m.18 views

SA-2008-039 - Suggested terms - Cross site scripting

This module provides "suggested terms" for free-tagging Taxonomy fields based on terms already submitted. Taxonomy terms as presented in the clickable list are not properly sanitized. Users who are able to create new terms are able to insert arbitrary script code and HTML into certain edit pages...

7.2AI score
Exploits0References3
Drupal
Drupal
added 2007/10/17 12:0 a.m.18 views

SA-2007-030 - Drupal Core - API handling of unpublished comment.

The publication status of comments is not passed during the hookcomments API operation, causing various modules that rely on the publication status such as Organic groups, or Subscriptions to mail out unpublished comments. Versions affected Drupal 4.7.x before version 4.7.8 Drupal 5.x before...

7.1AI score
Exploits0References5
Drupal
Drupal
added 2007/07/12 12:0 a.m.18 views

LoginToboggan - Cross site scripting

The LoginToboggan module provides several modifications of the Drupal login system. One of the features is a block that can be enabled on the site to display the currently logged in user with a "Log out" link. If a user is able to insert JavaScript into their username, they would be able execute ...

6.4AI score
Exploits0References6
Drupal
Drupal
added 2006/08/02 12:0 a.m.18 views

DRUPAL-SA-2006-011 XSS Vulnerability in user module

A malicious user can execute a cross site scripting attack by enticing someone to visit a Drupal site via a specially crafted link. Versions affected Drupal 4.6.x versions before Drupal 4.6.9 Drupal 4.7.x versions before Drupal 4.7.3 Solution If you are running Drupal 4.6.x then upgrade to Drupal...

6.3AI score
Exploits0References3
Drupal
Drupal
added 2006/07/09 12:0 a.m.18 views

XSS vulnerability in webform module

It is possible for a malicious user to insert and execute XSS into webform pages, due to lack of validation on output. Versions affected All webform 4.6 and 4.7 versions prior to July 8, 2006. Drupal core is not affected. If you do not use the webform module, there is nothing you need to do...

6.3AI score
Exploits0References3
Drupal
Drupal
added 2006/05/18 12:0 a.m.18 views

DRUPAL-SA-2006-005 - Drupal core - SQL injection vulnerability

A security vulnerability in the database layer allowed certain queries to be submitted to the database without going through Drupal's query sanitizer. This problem represents a critical security vulnerability and should be patched or upgraded immediately. Versions affected - Drupal 4.6.6 and...

7.2AI score
Exploits0References5
Drupal
Drupal
added 2006/03/13 12:0 a.m.18 views

DRUPAL-SA-2006-001 Security bypass in menu.module

If you use menu.module to create a menu item, the page you point to will be accessible to all, even if it is an admin page. Versions affected All Drupal versions before 4.6.6. Solution If you are running Drupal 4.5.x then upgrade to Drupal 4.5.8. If you are running Drupal 4.6.x then upgrade to...

7AI score
Exploits0References3
Drupal
Drupal
added 2026/06/03 12:0 a.m.17 views

Anti-Spam by CleanTalk - Moderately critical - Cross site scripting - SA-CONTRIB-2026-042

This module provides spam protection using the CleanTalk cloud service. The module doesn't sufficiently sanitize API response messages before rendering them in HTML output. The cleantalkdie and ctdie functions output the CleanTalk API response message directly into HTML without proper sanitizatio...

5.9AI score0.00161EPSS
Exploits0References2
Drupal
Drupal
added 2026/05/13 12:0 a.m.17 views

Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037

This module enables you to export entity date fields as iCal feeds. The module doesn't sufficiently check entity or field access or sanitize user inputs when generating iCal feeds. This vulnerability is not mitigated by any permission, the routes are accessible to all anonymous users with no...

9.8CVSS5.8AI score0.00369EPSS
Exploits0References2
Drupal
Drupal
added 2026/03/11 12:0 a.m.17 views

Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029

This module creates permissions per node content type to control access to unpublished nodes per content type. The module does not consistently control access for unpublished translated nodes...

7.5CVSS5.8AI score0.00232EPSS
Exploits0References2
Drupal
Drupal
added 2025/08/06 12:0 a.m.17 views

AI SEO Link Advisor - Less critical - Server-side Request Forgery - SA-CONTRIB-2025-095

This module enables you to provide SEO analysis and recommendations for a given URL. The module doesn't sufficiently sanitize user-supplied URLs, leading to a Server-side request forgery SSRF vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

8.8CVSS7.1AI score0.00235EPSS
Exploits0References2
Drupal
Drupal
added 2025/07/30 12:0 a.m.17 views

GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094

This module enables you to integrate Google Tag Manager GTM into your Drupal site by allowing administrators to configure and embed GTM container snippets. The module doesn't sufficiently sanitize the GTM container ID under the scenario where a user with the Administer gtm permission enters...

6.1CVSS6.8AI score0.00217EPSS
Exploits0References1
Drupal
Drupal
added 2025/07/16 12:0 a.m.17 views

Real-time SEO for Drupal - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-091

This module enables you to analyze the content that you're authoring for a website. It shows you a preview of what a search result might look like. The module doesn't sufficiently escape the metadata from content while rendering the preview, opening up the possibility of a XSS attack. This...

6.1CVSS6.1AI score0.00227EPSS
Exploits0References2
Drupal
Drupal
added 2025/05/28 12:0 a.m.17 views

COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-075

This module provides a format filter, which allows you to "disable" certain HTML elements e.g. remove their src attribute specified by the user. These elements will be enabled again, once the COOKiES banner is accepted. The module doesn't sufficiently check whether to convert "data-src" attribute...

8.6CVSS6.3AI score0.00278EPSS
Exploits0References2
Drupal
Drupal
added 2025/05/21 12:0 a.m.17 views

Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-064

This module provides a block to easily display a rendered node. The module doesn't check access to content before displaying it to a visitor, allowing unauthorized users to retrieve a list of labels of all nodes...

5.3CVSS6.6AI score0.00229EPSS
Exploits0References2
Total number of security vulnerabilities1940