Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2024/12/11 12:0 a.m.17 views

Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072

This module provides a block that renders a link providing the functionality of a browser's back button. The module does not sufficiently escape text entered by an administrator, resulting in a cross scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a...

3.8CVSS6.6AI score0.00251EPSS
Exploits0References6
Drupal
Drupal
added 2024/11/20 12:0 a.m.17 views

Drupal core - Less critical - Gadget chain - SA-CORE-2024-006

Drupal core contains a potential PHP Object Injection vulnerability that if combined with another exploit could lead to Artbitrary File Deletion. It is not directly exploitable. This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allo...

9.8CVSS6.8AI score0.00904EPSS
Exploits0References11
Drupal
Drupal
added 2024/10/23 12:0 a.m.17 views

Smartling Connector - Less critical - Multiple vulnerabilities - SA-CONTRIB-2024-053

Smartling module allows you to translate content in Drupal 7 using the Smartling Translation Management Platform. The module includes an outdated version of the Guzzle package guzzlehttp/guzzle 6.3.3, which has known security vulnerabilities...

6.6AI score
Exploits0References7
Drupal
Drupal
added 2023/09/27 12:0 a.m.17 views

Content Moderation Notifications - Moderately critical - Information disclosure - SA-CONTRIB-2023-047

This module enables notifications to be sent to all users of a particular role, or to the content's author when a piece of content is transitioned from one state to another via core's contentmoderation module. The module doesn't sufficiently check access to content when sending notifications. Thi...

6.8AI score
Exploits0References9
Drupal
Drupal
added 2023/08/23 12:0 a.m.17 views

Shorthand - Critical - Access bypass - SA-CONTRIB-2023-038

This module provides integration with Shorthand, an application which describes itself as "beautifully simple storytelling". The module does not check appropriate permissions when displaying a list of all shorthand stories...

6.9AI score
Exploits0References7
Drupal
Drupal
added 2023/06/28 12:0 a.m.17 views

Mailchimp - Critical - Cross Site Request Forgery - SA-CONTRIB-2023-025

This module provides integration with Mailchimp, a popular email delivery service. A route related to OAuth authentication is not protected against a Cross Site Request Forgery attack...

7.1AI score
Exploits0References7
Drupal
Drupal
added 2023/02/01 12:0 a.m.17 views

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2023-005

The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal. Previous module versions did not support entity query level access checking, which could have led to information disclosure or access bypass in various places...

6.1AI score
Exploits0References4
Drupal
Drupal
added 2023/01/18 12:0 a.m.17 views

Media Library Block - Moderately critical - Information Disclosure - SA-CONTRIB-2023-003

The Media Library Block module allows you to render a media entity in a block. The module does not properly check media access in some circumstances. This may result in unauthorized users including anonymous users seeing media items they are not authorized to access if a block containing a...

6.3AI score
Exploits0References9
Drupal
Drupal
added 2023/01/18 12:0 a.m.17 views

Media Library Form API Element - Moderately critical - Information Disclosure - SA-CONTRIB-2023-004

This module enables you to use the media library in custom forms without the Media Library Widget. The module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access. The...

6.5AI score
Exploits0References10
Drupal
Drupal
added 2022/12/07 12:0 a.m.17 views

Entity Registration - Moderately critical - Access bypass - SA-CONTRIB-2022-063

This module enables you to create registration entities related to nodes. The module doesn't sufficiently restrict update access to a user's own registrations. This vulnerability is mitigated by the fact that an attacker must have the "update own registration type" permission...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2022/11/30 12:0 a.m.17 views

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-062

Social Private Message module allows users on the platform to allow users to send private messages to each other. The module does not properly perform the correct access checks for certain operations...

6.7AI score
Exploits0References7
Drupal
Drupal
added 2022/01/25 12:0 a.m.17 views

Printer, email and PDF versions - Critical - Unsupported - SA-CONTRIB-2022-022

Update 2022-05-31. A past and new maintainers have created a fix and new releases which include fixes for the security issue that caused the module to be unsupported. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by...

6.6AI score
Exploits0References3
Drupal
Drupal
added 2021/12/22 12:0 a.m.17 views

Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2021-047

This modules enables users to login via email address. This module does not sufficiently check user status when authenticating...

6.6AI score
Exploits0References10
Drupal
Drupal
added 2021/09/22 12:0 a.m.17 views

User hash - Moderately critical - Cache poisoning - SA-CONTRIB-2021-030

This module enables you to create an individual hash for each user. These hashes can be used for authentication instead of the user's password, e.g. for views exporters. The module doesn't sufficiently invalidate page output when the pagecache module is used. This vulnerability is mitigated by th...

6.7AI score
Exploits0References5
Drupal
Drupal
added 2021/09/22 12:0 a.m.17 views

The Better Mega Menu - Moderately critical - Access bypass - SA-CONTRIB-2021-041

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. This module has a vulnerability whereby users can select blocks as a menu item they don't have permission to view. The vulnerability is mitigated by the fact that it can on...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2021/07/21 12:0 a.m.17 views

Form mode manager - Moderately critical - Access bypass - SA-CONTRIB-2021-023

This module provides a user interface that allows the implementation and use of Form modes without custom development. The module does not sufficiently respect access restrictions to entity forms for routes it creates to use specific form modes. This vulnerability is mitigated by the fact that an...

6.4AI score
Exploits0References8
Drupal
Drupal
added 2020/05/06 12:0 a.m.17 views

Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-015

This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently sanitize Webform labels nor visibility conditions under the scenario of placing a block. When a webform block is placed and visible on a website any JavaScript code contained within the webform's label w...

6.5AI score
Exploits0References7
Drupal
Drupal
added 2019/11/13 12:0 a.m.17 views

Feeds JSONPath Parser - Critical - Unsupported - SA-CONTRIB-2019-083

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported Update: Feeds Jsonpat...

6.9AI score
Exploits0References6
Drupal
Drupal
added 2019/09/25 12:0 a.m.17 views

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-068

This module enables you to control access to content based on taxonomy terms. The module doesn't sufficiently check if a given entity should be access controlled, defaulting to allowing access even to unpublished nodes. The vulnerability is mitigated by the fact that the submodule Permissions by...

6.6AI score
Exploits0References7
Drupal
Drupal
added 2019/05/29 12:0 a.m.17 views

TableField - Moderately critical - Access bypass and Cross Site Scripting - SA-CONTRIB-2019-051

This module allows you to attach tabular data to an entity. Access bypass There's no access check for users with an "Export Tablefield Data as CSV". They can export data from unpublished nodes or otherwise inaccessible entities. This vulnerability is mitigated by the fact that an attacker must ha...

5.8AI score
Exploits0References8
Drupal
Drupal
added 2019/05/15 12:0 a.m.17 views

Opigno forum - Less critical - Access bypass - SA-CONTRIB-2019-046

In certain circumstances it is possible that certain forum information is available to unprivileged users because the access check is done with node access instead of grants. This vulnerability is mitigated by the fact that the module itself does not disclose information but only if there are...

6.3AI score
Exploits0References4
Drupal
Drupal
added 2019/04/17 12:0 a.m.18 views

TableField - Critical - Remote Code Execution - SA-CONTRIB-2019-045

This module allows you to attach tabular data to an entity. The module doesn't sufficiently determine that the data being unserialized is the contents of a tablefield when users request a CSV export, which could lead to Remote Code Execution via Object Injection. This vulnerability is mitigated b...

7AI score
Exploits0References6
Drupal
Drupal
added 2019/03/20 12:0 a.m.17 views

AddToAny Share Buttons - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-039

This module enables you to add social media share buttons on your website to its content and pages. The module doesn't sufficiently mark its administration permission restricted, allowing cross site scripting vulnerabilities to users who have access to its admin settings. This vulnerability is...

6.1AI score
Exploits0References5
Drupal
Drupal
added 2019/03/13 12:0 a.m.17 views

Video - Critical - Remote Code Execution - SA-CONTRIB-2019-037

This module provides a field where editors can add videos to their content and this module offers functionality to transcode these videos to different sizes and formats. The module doesn't sufficiently sanitize some user input on administrative forms...

6.7AI score
Exploits0References7
Drupal
Drupal
added 2019/02/20 12:0 a.m.17 views

Link - Critical - Remote Code Execution - SA-CONTRIB-2019-020

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...

6.7AI score
Exploits0References3
Drupal
Drupal
added 2019/02/13 12:0 a.m.17 views

Drupal OAuth & OpenID Connect Login - OAuth2 Client SSO Login - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-016

This module enables you to allow login into the Drupal websites through an external provider over the OAuth 2.0 protocol. The module sets a Drupal variable used for redirection based on unsanitised user input, leading to an Open Redirect vulnerability. It also fails to sanitise user input which i...

6.5AI score
Exploits0References4
Drupal
Drupal
added 2019/01/23 12:0 a.m.17 views

Preview Link - Moderately critical - Access bypass - SA-CONTRIB-2019-004

The Preview Link module enables you to generate preview links so anonymous users can access unpublished revisions of content. The last release of the module introduced an access bypass allowing users to present invalid tokens but still access unpublished content...

6.7AI score
Exploits0References5
Drupal
Drupal
added 2019/01/23 12:0 a.m.17 views

Anti-Spam by CleanTalk - Critical - Cross site scripting and SQL Injection - SA-CONTRIB-2019-010

Anti-spam module by CleanTalk to protect your Drupal sites from spambot registration and spam comments publications thru comment and contact forms. This module does not sufficiently filter submitted content in certain circumstances...

6.8AI score
Exploits0References7
Drupal
Drupal
added 2018/10/31 12:0 a.m.17 views

Session Limit - Critical - Insecure Session Management - SA-CONTRIB-2018-072

The session limit module enables a site administrator to set a policy around the number of active sessions users of the site may have. This is typically set to one so that you can only be logged in once with the same user account. In one configuration of the module, when a user logs in with anoth...

6AI score
Exploits0References7
Drupal
Drupal
added 2018/09/26 12:0 a.m.17 views

Commerce Klarna Checkout - Moderately critical - Access bypass - SA-CONTRIB-2018-062

The Commerce Klarna Checkout module enables you to accept payments from the Klarna Checkout payment provider The module doesn't sufficiently validate the payment callback made by Klarna. An attacker could bypass the payment step...

6.6AI score
Exploits0References6
Drupal
Drupal
added 2018/08/15 12:0 a.m.17 views

File (Field) Paths - Critical - Remote Code Execution - SA-CONTRIB-2018-056

This module enables you to automatically sort and rename your uploaded files using token based replacement patterns to maintain a nice clean filesystem. The module doesn't sufficiently sanitize the path while a new file is uploading, allowing a remote attacker to execute arbitrary PHP code. This...

7.3AI score
Exploits0References7
Drupal
Drupal
added 2018/07/11 12:0 a.m.17 views

NewsFlash - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-049

This theme features 7 color styles, 12 collapsible regions, suckerfish menus, fluid or fixed widths, and lots more. The theme doesn't sufficiently sanitize user input. This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2018/02/21 12:0 a.m.17 views

JSON:API - Moderately critical - Multiple Vulnerabilities - SA-CONTRIB-2018-015

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities. The module doesn't sufficiently associate cacheability metadata in certain situations thereby causing an access bypass vulnerability. This vulnerability is mitigated b...

6.6AI score
Exploits0References5
Drupal
Drupal
added 2018/01/24 12:0 a.m.17 views

Backup and Migrate - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-004

This module enables you to create manual and scheduled backups of a site, and restore the site from backup. The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles. Sites using this module should review the permissions page...

6.5AI score
Exploits0References8
Drupal
Drupal
added 2017/12/06 12:0 a.m.17 views

Node feedback - Moderately critical - Access Bypass - SA-CONTRIB-2017-092

This module enables you to set nodes to send feedbacks by personal/site wide contact forms. The module doesn't sufficiently handle the access to nodes whose titles will be shown on contact forms. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Us...

6.4AI score
Exploits0References7
Drupal
Drupal
added 2017/08/09 12:0 a.m.17 views

Facebook Like Button - Moderately Critical - XSS - DRUPAL-SA-CONTRIB-2017-066

This module provides a Facebook Like button on node pages and blocks. The module does not sufficiently sanitize output when configured to use custom css rules. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer fblikebutton". CVE...

7AI score
Exploits0References13
Drupal
Drupal
added 2017/05/24 12:0 a.m.17 views

Custom Landing Page Builder - Unsupported - SA-CONTRIB-2017-050

The Custom Landing Page Builder module allows webmasters to build custom landing pages using a WYSIWYG editor while still having full control over the full layout of the page including the header, navigation, page content, footer, forms etc. The security team is marking this module unsupported...

7.2AI score
Exploits0References7
Drupal
Drupal
added 2017/05/24 12:0 a.m.17 views

Site Verify - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-051

The Site Verify module enables privilege users to verify a site with services like Google Webmaster Tools using meta tags or file uploads. The module doesn't sufficiently sanitize input or restrict uploads. This vulnerability is mitigated by the fact that an attacker must have a role with the...

6.9AI score
Exploits0References12
Drupal
Drupal
added 2017/05/10 12:0 a.m.17 views

Drupal Remote Dashboard - Critical - Weak encryption keys - SA-CONTRIB-2017-046

UPDATE 2017-07-12 : This SA originally only mentioned the Drupal 8 version of the module, but it was later discovered that this issue affected the Drupal 7 version as well. We've updated the SA for the Drupal 7 security release. Sorry for the confusion! This module enables you to remotely access...

7.2AI score
Exploits0References10
Drupal
Drupal
added 2017/05/03 12:0 a.m.17 views

shib_auth Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-043

This module enables you to login via Shibboleth. The module doesn't sufficiently logout the user when the shib session expires, which depending on the caching mechanism makes private data public. This vulnerability is mitigated by the fact that shibauth would have to be used in combination with a...

7AI score
Exploits0References12
Drupal
Drupal
added 2017/03/01 12:0 a.m.17 views

Breakpoint Panels - Critical - Unsupported - SA-CONTRIB-2017-028

Breakpoint panels adds a button to the Panels In-Place Editor for each pane. When selected, it will display checkboxes next to all of the breakpoints specified in that modules UI. Unchecking any of these will 'hide' it from that breakpoint. The security team is marking this module unsupported...

7.2AI score
Exploits0References9
Drupal
Drupal
added 2017/01/25 12:0 a.m.17 views

OAuth - Less Critical - Access Bypass - SA-CONTRIB-2017-006

This module enables you to use the OAuth 1.a protocol to authenticate requests. The module does not does not implement the OAuth 1.0a security fix reported at https://oauth.net/advisories/2009-1/. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance wit...

7.2AI score
Exploits0References15
Drupal
Drupal
added 2016/11/02 12:0 a.m.17 views

Workbench Moderation - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-060

This module enables you to create and manage custom editorial workflows around a site's content. The module could result in unpublished content being temporarily made visible via content lists, e.g. as generated by Views, when its editorial status was being changed, e.g. from "draft" to "needs...

7AI score
Exploits0References15
Drupal
Drupal
added 2016/08/31 12:0 a.m.17 views

Flag - Moderately Critical - Access Bypass - SA-CONTRIB-2016-050

Flag enables users to mark content with any number of admin-defined flags, such as 'bookmarks' or 'spam'. Flag Bookmark is a submodule within Flag, which provides a 'bookmarks' flag, and default views to list bookmarked content. The provided view that lists each user's bookmarked content as a tab...

6.8AI score
Exploits0References14
Drupal
Drupal
added 2016/08/10 12:0 a.m.17 views

Piwik - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-043

This module enables you to add integration with Piwik statistics service. The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted. This vulnerability is mitigated by the...

7AI score
Exploits0References12
Drupal
Drupal
added 2016/07/13 12:0 a.m.17 views

Webform Multiple File Upload - Critical - Remote Code Execution - SA-CONTRIB-2016-038

The Webform Multiple File Upload module allows users to upload multiple files on a Webform. The Webform Multifile File Upload module contains a Remote Code Execution RCE vulnerability where form inputs will be unserialized and a specially crafted form input may trigger arbitrary code execution...

8.3AI score
Exploits0References13
Drupal
Drupal
added 2016/07/06 12:0 a.m.17 views

Instagram Block - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-037

This module enables you to authenticate with Instagram's API via an intermediary service instagram.yanniboi.com. The module doesn't sufficiently advise that your authentication tokens could be intercepted. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in...

7.3AI score
Exploits0References11
Drupal
Drupal
added 2016/06/01 12:0 a.m.17 views

Opening hours - Moderately Critical - XSS - SA-CONTRIB-2016-031

This module enables you to enter opening hours for locations in a highly detailed way. The module doesn't sufficiently escape input data from user input. This vulnerability is mitigated by the fact that an attacker must be able to edit opening hours by having a role with the permission “Edit...

7AI score
Exploits0References11
Drupal
Drupal
added 2016/03/02 12:0 a.m.17 views

Hubspot CTA - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-012 - Unsupported

This module enables you to embed a Hubspot CTA buttons widget in a Bean block. The module allows configuration of a CTA ID and Account ID while adding a bean block for a CTA button, but doesn't sufficiently sanitise these parameters, allowing a potential cross-site scripting attack. This...

6.5AI score
Exploits0References11
Drupal
Drupal
added 2016/03/02 12:0 a.m.17 views

Google Analytics Counter - Moderately Critical - CSRF - SA-CONTRIB-2016-011

The Google Analytics Counter module provides total pageview counts for each page on a website. In that it is similar to the core Statistics module counter, but it is much lighter and ultimately faster because it draws on data from Google Analytics. This is why it is also able to effortlessly coun...

7AI score
Exploits0References12
Total number of security vulnerabilities1940