1911 matches found
SA-CONTRIB-2010-042: LoginToboggan - Session fixation
The LoginToboggan module provides a customized log in workflow. Attackers may be able to exploit the workflow to initiate a session fixation attack. Versions affected LoginToboggan versions for the 5.x and 6.x versions of Drupal Drupal core is not affected. If you do not use the contributed...
SA-CONTRIB-2010-034 - Internationalization - Cross Site Scripting
The Internationalization module enables translation of user defined strings using Drupal's locale interface. Some of these user defined strings have Input formats associated with them and some of the strings used for translating blocks were not properly filtered before display. Additionally all...
SA-CONTRIB-2010-024 - eTracker - Cross Site Scripting
The eTracker module provides integration of a Drupal site with the eTracker web traffic analysis service and takes the current URL as a parameter to track what pages have been visited. The URL from the browser is forwarded to JavaScript in the current page, and because the URL wasn't sanitised, i...
SA-CONTRIB-2010-020 - Facebook-style Statuses (Microblog) - Access bypass
The Facebook-style Statuses Microblog module enables each user to have a stream of messages "statuses" like on Facebook. Users can update their own status as well as write messages to other users by visiting the other user's profile. When a user updates his own status and then updates it again...
SA-CONTRIB-2010-013 - Menu Breadcrumb - Cross site scripting
The Menu Breadcrumb module allows using the menu the current page belongs to as the breadcrumb. The module does not properly sanitize parts of the provided block, leading to a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user gaining full administrative access...
SA-CONTRIB-2010-010 - Author Contact - Cross site scripting
The Author Contact module provides a form to contact the author of the current post. The module does not properly sanitize parts of the provided block, leading to a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user gaining full administrative access. A user must...
SA-CONTRIB-2009-097 - Organic Groups Vocabulary - Cross Site Scripting
The Organic Groups Vocabulary module enables a vocabulary to be restricted for use to a specific Organic Group. The module does not sanitize before outputting the group title in some cases, resulting in a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user gaining...
SA-CONTRIB-2009-009 Forward module can be used as a spam relay
This vulnerability allows spammers or spambots to use sites with the Forward module installed to send nearly unlimited e-mail. Due to improper use of Drupal's flood control API, it is possible for one user to send an unlimited number of e-mails using the Forward module. Important note : the securi...
SA-CONTRIB-2009-004 - Notify - Privilege escalation
A user triggering the cron processing of the Notify module may end up getting logged in as another user when the Notify operations do not complete successfully. Versions Affected Versions of Notify for Drupal 5.x prior to 5.x-1.2 Drupal core is not affected. If you do not use the Notify module,...
SA-2008-039 - Suggested terms - Cross site scripting
This module provides "suggested terms" for free-tagging Taxonomy fields based on terms already submitted. Taxonomy terms as presented in the clickable list are not properly sanitized. Users who are able to create new terms are able to insert arbitrary script code and HTML into certain edit pages...
DRUPAL-SA-2006-005 - Drupal core - SQL injection vulnerability
A security vulnerability in the database layer allowed certain queries to be submitted to the database without going through Drupal's query sanitizer. This problem represents a critical security vulnerability and should be patched or upgraded immediately. Versions affected - Drupal 4.6.6 and...
DRUPAL-SA-2006-001 Security bypass in menu.module
If you use menu.module to create a menu item, the page you point to will be accessible to all, even if it is an admin page. Versions affected All Drupal versions before 4.6.6. Solution If you are running Drupal 4.5.x then upgrade to Drupal 4.5.8. If you are running Drupal 4.6.x then upgrade to...
Drupal AlternativeCommerce (Basket) - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2026-038
The Basket module enables e-commerce and checkout functionality for Drupal sites. The module does not sufficiently sanitize user-supplied data before passing it to PHP's unserialize. An attacker can supply a crafted payload and trigger PHP Object Injection. If a viable gadget chain exists in the...
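The pattern behind this advisory class is PHP Object Injection: when attacker-controlled bytes reach `unserialize()`, PHP instantiates whatever class the payload names and later runs its magic methods (`__wakeup`, `__destruct`, `__toString`) with attacker-chosen property values. The following is an added illustration, not code from the Basket module; the `LogWriter` class is a constructed, harmless stand-in for a gadget, and the payload is constructed to match it.

```php
<?php
// Added example of PHP Object Injection via unserialize(). Not Basket module code.
// LogWriter is a constructed stand-in for a "gadget": a class already loaded in the
// application whose magic method does something dangerous with its properties.
class LogWriter {
    public string $path = '/tmp/app.log';
    public string $line = '';

    // Runs automatically when the object is destroyed (end of request at the latest).
    public function __destruct() {
        // With attacker-chosen $path and $line, a real gadget would be an arbitrary
        // file write. Here we only report what would have happened.
        echo "would write '{$this->line}' to {$this->path}\n";
    }
}

// Constructed attacker payload: a serialized LogWriter with attacker-chosen properties.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:10:"/tmp/pwned";s:4:"line";s:8:"injected";}';

// Vulnerable: untrusted input goes straight to unserialize(), so the named class is
// instantiated and its __destruct() later runs with attacker-controlled state.
function vulnerable(string $input) {
    return unserialize($input);
}

// Hardened (1): forbid object instantiation entirely. Any object in the payload becomes
// __PHP_Incomplete_Class, whose magic methods never run.
function hardened_allowlist(string $input) {
    return unserialize($input, ['allowed_classes' => false]);
}

// Hardened (2): do not accept PHP's native serialization format from untrusted sources
// at all; a data-only format such as JSON cannot name classes.
function hardened_json(string $input): ?array {
    $data = json_decode($input, true, 16, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

$safe = hardened_allowlist($payload);
echo get_class($safe), "\n";          // __PHP_Incomplete_Class, no side effect

$unsafe = vulnerable($payload);       // LogWriter instance with attacker-chosen state
unset($unsafe);                       // __destruct() fires: "would write 'injected' to /tmp/pwned"
```

If a module genuinely needs to round-trip objects, pass an explicit array of class names to `allowed_classes` rather than `true`, and treat every class on that list as attack surface: the advisory's "if a viable gadget chain exists" caveat means exploitability depends on what other code the site has loaded, not only on the module itself.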
Automated Logout - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-030
This module provides a site administrator the ability to log users out after a specified time of inactivity. The module doesn't sufficiently protect its routes from cross-site request forgery CSRF, allowing the logout route to be triggered without user interaction...
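A state-changing route that accepts any request from an authenticated browser can be triggered cross-site by an image tag, a form auto-submit or a prefetch, because the browser attaches the session cookie regardless of which origin made the request. The fix is to require a secret the attacking page cannot know. In Drupal 8+ that is the `_csrf_token: 'TRUE'` requirement on the route in the module's routing.yml (the router then validates the `token` query parameter); the generic mechanism, as an added example that is not Automated Logout's own code and uses illustrative function and key names, looks like this:

```php
<?php
// Added example: protecting a state-changing route (here a logout endpoint) against CSRF.
// Not code from the Automated Logout module; route/session shapes are illustrative.

// Token bound to the session secret and to the specific action, so a token observed on
// one form cannot be replayed against a different route.
function csrf_token(string $sessionSecret, string $action): string {
    return hash_hmac('sha256', $action, $sessionSecret);
}

function csrf_valid(string $sessionSecret, string $action, string $presented): bool {
    // Constant-time comparison; plain == would leak timing and coerce types.
    return hash_equals(csrf_token($sessionSecret, $action), $presented);
}

// Vulnerable: any request reaching this route logs the user out, so a third-party page
// embedding <img src="https://victim.example/user/autologout"> triggers it silently.
function logout_route_vulnerable(array $request, array &$session): string {
    $session = [];
    return 'logged out';
}

// Hardened: refuse unless the request carries a token valid for this session and action.
function logout_route_hardened(array $request, array &$session): string {
    $token = $request['token'] ?? '';
    if (!csrf_valid($session['secret'], 'autologout', $token)) {
        return '403 Forbidden: missing or invalid CSRF token';
    }
    $session = [];
    return 'logged out';
}

// Constructed session with a random per-session secret (set at login, never sent to the page).
$session = ['uid' => 42, 'secret' => bin2hex(random_bytes(32))];

// A cross-site request carries the cookie but no token.
$forged = [];
$copy = $session;
echo logout_route_vulnerable($forged, $copy), "\n";   // logged out   (attack succeeds)
echo logout_route_hardened($forged, $session), "\n";  // 403 Forbidden ... (attack fails)

// A legitimate request from a page that rendered the token for this action.
$legit = ['token' => csrf_token($session['secret'], 'autologout')];
echo logout_route_hardened($legit, $session), "\n";   // logged out
```

Two caveats a reviewer would raise: a token check only helps if the route rejects requests without it (an optional check is no check), and `GET` should not mutate state in the first place, since tokens in GET URLs leak through referrers and logs.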
GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094
This module enables you to integrate Google Tag Manager GTM into your Drupal site by allowing administrators to configure and embed GTM container snippets. The module doesn't sufficiently sanitize the GTM container ID under the scenario where a user with the Administer gtm permission enters...
Loft Data Grids - Moderately critical - Multiple vulnerabilities - SA-CONTRIB-2024-054
This module provides serialization formats for use by other modules. The module includes a version of phpoffice/phpspreadsheet which has multiple known security vulnerabilities...
Commerce View Receipt - Moderately critical - Access bypass - SA-CONTRIB-2024-021
The Commerce View Receipts module enables you to view commerce order receipts in the browser. The module doesn't sufficiently check access permissions, allowing an unauthorised user to view the private information of other customers...
Migrate Tools - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-008
The Migrate Tools module provides tools for running and managing Drupal migrations. The module doesn't sufficiently protect against Cross Site Request Forgery under specific scenarios allowing an attacker to trick an authenticated administrator into initiating a migration. This vulnerability is...
Paragraphs admin - Moderately critical - Access bypass - SA-CONTRIB-2023-049
This module enables you to view all paragraph entities in an admin view. The module contains an access bypass that allows non admin users to access the view. The vulnerability can be mitigated by editing the view to change the permission required to access the page...
Content Moderation Notifications - Moderately critical - Information disclosure - SA-CONTRIB-2023-047
This module enables notifications to be sent to all users of a particular role, or to the content's author, when a piece of content is transitioned from one state to another via core's content_moderation module. The module doesn't sufficiently check access to content when sending notifications. Thi...
Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010
The Media Responsive Thumbnail module allows media reference fields to be rendered as a responsive image. This module does not properly check entity access prior to rendering media. This may result in users seeing thumbnails of media items they do not have access to. This release was coordinated...
Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2023-005
The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal. Previous module versions did not support entity query level access checking, which could have led to information disclosure or access bypass in various places...
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-062
The Social Private Message module allows users on the platform to send private messages to each other. The module does not properly perform the correct access checks for certain operations...
Entity Browser Block - Moderately critical - Access bypass - SA-CONTRIB-2022-044
Entity Browser Block provides a Block Plugin for every Entity Browser on your site. The module didn't sufficiently check entity view access in the block form. This vulnerability is mitigated by the fact that an attacker must be able to place a block - either through the core "Block Layout" page o...
Doubleclick for Publishers (DFP) - Moderately critical - Cross site scripting - SA-CONTRIB-2022-035
Doubleclick for Publishers DFP module enables a site to place ads from Doubleclick For Publishers. The module doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting XSS vulnerabilities. An attacker that can create or edit certain entities may be able to exploit a...
Entity Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-026
This module provides an entity relationship hierarchy tree widget for an entity reference field. The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to...
Vocabulary Permissions Per Role - Critical - Access bypass - SA-CONTRIB-2022-016
Update: Maintainers stepped forward, fixed the security issue, and Vocabulary Permissions Per Role is supported again. The module allows adding terms to, editing terms of, and removing terms from vocabularies per role. The module did not properly check access for certain operations allowing an unauthorized...
Rate - Critical - Unsupported - SA-CONTRIB-2022-010
2022-01-31 - a new maintainer has stepped forward and this module has been updated. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read:...
Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2021-047
This module enables users to log in via email address. It does not sufficiently check user status when authenticating...
Commerce Core - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2021-032
This module provides a system for building an ecommerce solution in your Drupal site. The module doesn't sufficiently verify access to profile data in certain circumstances. This vulnerability is mitigated by the fact that an attacker must have permission to perform the checkout operation...
User hash - Moderately critical - Cache poisoning - SA-CONTRIB-2021-030
This module enables you to create an individual hash for each user. These hashes can be used for authentication instead of the user's password, e.g. for views exporters. The module doesn't sufficiently invalidate page output when the page_cache module is used. This vulnerability is mitigated by th...
The Better Mega Menu - Moderately critical - Cross Site Scripting, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2021-038
This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. The module does not sanitize values for CSS properties that are added by admins and rendered on the front-end, allowing attackers to inject malicious code into the front-en...
OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2021-014
This module allows users to authenticate against an Oauth 2.0 / OpenID Connect identity provider to login to your Drupal site. The module doesn't sufficiently protect against unauthorized local access, by way of using the 'password reset' facility, for users who are supposed to only be able to lo...
Open Social - Moderately critical - SQL Injection - SA-CONTRIB-2021-010
This Open Social distribution provides a turn-key system for building customized social networks. The module doesn't sufficiently process data in certain circumstances. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access mentions"...
Drupal OAuth Server (OAuth / OIDC Provider) - Single Sign On (SSO) - Moderately critical - SQL Injection - SA-CONTRIB-2020-034
This module enables you to log in to any OAuth 2.0 compliant application using Drupal credentials. The 8.x branch of the module is vulnerable to SQL injection...
YubiKey - Less critical - Access bypass - SA-CONTRIB-2020-023
This module enables you to use a Yubikey device to protect your Drupal user account. YubiKey is a secure method for logging into many websites using a cryptographically secure USB token. The module doesn't sufficiently implement login flood control when the module is configured for YubiKey OTP...
Password Reset Landing Page (PRLP) - Highly critical - Access bypass - SA-CONTRIB-2020-021
This module enables you to force a password update when using password reset link. The module doesn't sufficiently validate the login URL allowing a malicious user to use a specially crafted URL to log in as another user...
Webform - Critical - Access bypass - SA-CONTRIB-2020-018
This module enables you to build webforms containing a 'Term checkboxes' element. The module doesn't sufficiently check term 'view' access when rendering 'Term checkboxes' elements. Unpublished terms will always appear in the 'Term checkboxes' element...
Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-015
This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently sanitize Webform labels nor visibility conditions under the scenario of placing a block. When a webform block is placed and visible on a website any JavaScript code contained within the webform's label w...
Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-012
This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently validate data submitted into Webform Signature element during webform submission creation. This allows a malicious user to generate and extract HMAC hashes for arbitrary data. Such HMAC hashes are used...
Commerce Ingenico - Critical - Unsupported - SA-CONTRIB-2019-089
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported...
Frequently Asked Questions - Critical - Unsupported - SA-CONTRIB-2019-077
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported...
Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-068
This module enables you to control access to content based on taxonomy terms. The module doesn't sufficiently check if a given entity should be access controlled, defaulting to allowing access even to unpublished nodes. The vulnerability is mitigated by the fact that the submodule Permissions by...
Super Login - Moderately critical - Cross site scripting - SA-CONTRIB-2019-062
This module improves the Drupal login page with new features and a new layout. The module doesn't sufficiently filter input text in the administration pages' text configuration inputs, for example the login text field. The vulnerability is mitigated by the fact it can only be exploited by a user wi...
Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2019-047
In certain configuration cases, when a learning path is configured as semi-private, anonymous users are allowed to join a learning path when they should not...
Module Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2019-042
This module enables you to filter the list of modules on the admin modules page, and organizes packages into vertical tabs. The module doesn't sufficiently escape HTML in certain scenarios, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that the...
Views (for Drupal 7) - Moderately critical - Information Disclosure - SA-CONTRIB-2019-034
This module enables you to create customized lists of data. The module doesn't sufficiently protect against argument definitions failing. This vulnerability is mitigated by the fact that a view must have custom PHP code used as a field validator...
Drupal voor Gemeenten - Moderately critical - Access Bypass - SA-CONTRIB-2019-031
The DvG distribution contains the feature module dvgdomains to support multiple domains. When the dvgdomains feature module is enabled, anonymous users are able to access some administration pages and change the settings exposed on those pages. This issue can be mitigated by disabling the...
Link - Critical - Remote Code Execution - SA-CONTRIB-2019-020
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
Preview Link - Moderately critical - Access bypass - SA-CONTRIB-2019-004
The Preview Link module enables you to generate preview links so anonymous users can access unpublished revisions of content. The last release of the module introduced an access bypass allowing users to present invalid tokens but still access unpublished content...