1940 matches found
Real-time SEO for Drupal - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-091
This module enables you to analyze the content that you're authoring for a website. It shows you a preview of what a search result might look like. The module doesn't sufficiently escape the metadata from content while rendering the preview, opening up the possibility of a XSS attack. This...
COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-075
This module provides a format filter, which allows you to "disable" certain HTML elements e.g. remove their src attribute specified by the user. These elements will be enabled again, once the COOKiES banner is accepted. The module doesn't sufficiently check whether to convert "data-src" attribute...
Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-064
This module provides a block to easily display a rendered node. The module doesn't check access to content before displaying it to a visitor, allowing unauthorized users to retrieve a list of labels of all nodes...
Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072
This module provides a block that renders a link providing the functionality of a browser's back button. The module does not sufficiently escape text entered by an administrator, resulting in a cross scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a...
Drupal core - Less critical - Gadget chain - SA-CORE-2024-006
Drupal core contains a potential PHP Object Injection vulnerability that if combined with another exploit could lead to Artbitrary File Deletion. It is not directly exploitable. This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allo...
Smartling Connector - Less critical - Multiple vulnerabilities - SA-CONTRIB-2024-053
Smartling module allows you to translate content in Drupal 7 using the Smartling Translation Management Platform. The module includes an outdated version of the Guzzle package guzzlehttp/guzzle 6.3.3, which has known security vulnerabilities...
Content Moderation Notifications - Moderately critical - Information disclosure - SA-CONTRIB-2023-047
This module enables notifications to be sent to all users of a particular role, or to the content's author when a piece of content is transitioned from one state to another via core's contentmoderation module. The module doesn't sufficiently check access to content when sending notifications. Thi...
Shorthand - Critical - Access bypass - SA-CONTRIB-2023-038
This module provides integration with Shorthand, an application which describes itself as "beautifully simple storytelling". The module does not check appropriate permissions when displaying a list of all shorthand stories...
Mailchimp - Critical - Cross Site Request Forgery - SA-CONTRIB-2023-025
This module provides integration with Mailchimp, a popular email delivery service. A route related to OAuth authentication is not protected against a Cross Site Request Forgery attack...
Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2023-005
The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal. Previous module versions did not support entity query level access checking, which could have led to information disclosure or access bypass in various places...
Media Library Block - Moderately critical - Information Disclosure - SA-CONTRIB-2023-003
The Media Library Block module allows you to render a media entity in a block. The module does not properly check media access in some circumstances. This may result in unauthorized users including anonymous users seeing media items they are not authorized to access if a block containing a...
Media Library Form API Element - Moderately critical - Information Disclosure - SA-CONTRIB-2023-004
This module enables you to use the media library in custom forms without the Media Library Widget. The module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access. The...
Entity Registration - Moderately critical - Access bypass - SA-CONTRIB-2022-063
This module enables you to create registration entities related to nodes. The module doesn't sufficiently restrict update access to a user's own registrations. This vulnerability is mitigated by the fact that an attacker must have the "update own registration type" permission...
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-062
Social Private Message module allows users on the platform to allow users to send private messages to each other. The module does not properly perform the correct access checks for certain operations...
Printer, email and PDF versions - Critical - Unsupported - SA-CONTRIB-2022-022
Update 2022-05-31. A past and new maintainers have created a fix and new releases which include fixes for the security issue that caused the module to be unsupported. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by...
Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2021-047
This modules enables users to login via email address. This module does not sufficiently check user status when authenticating...
User hash - Moderately critical - Cache poisoning - SA-CONTRIB-2021-030
This module enables you to create an individual hash for each user. These hashes can be used for authentication instead of the user's password, e.g. for views exporters. The module doesn't sufficiently invalidate page output when the pagecache module is used. This vulnerability is mitigated by th...
The Better Mega Menu - Moderately critical - Access bypass - SA-CONTRIB-2021-041
This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. This module has a vulnerability whereby users can select blocks as a menu item they don't have permission to view. The vulnerability is mitigated by the fact that it can on...
Form mode manager - Moderately critical - Access bypass - SA-CONTRIB-2021-023
This module provides a user interface that allows the implementation and use of Form modes without custom development. The module does not sufficiently respect access restrictions to entity forms for routes it creates to use specific form modes. This vulnerability is mitigated by the fact that an...
Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-015
This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently sanitize Webform labels nor visibility conditions under the scenario of placing a block. When a webform block is placed and visible on a website any JavaScript code contained within the webform's label w...
Profile - Moderately critical - Access Bypass - SA-CONTRIB-2020-004
The Profile module enables you to allow users to have configurable user profiles. The module doesn't sufficiently check access when creating a user profile. Users with the "create profiles" permission could create profiles for any users...
Feeds JSONPath Parser - Critical - Unsupported - SA-CONTRIB-2019-083
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported Update: Feeds Jsonpat...
Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-068
This module enables you to control access to content based on taxonomy terms. The module doesn't sufficiently check if a given entity should be access controlled, defaulting to allowing access even to unpublished nodes. The vulnerability is mitigated by the fact that the submodule Permissions by...
TableField - Moderately critical - Access bypass and Cross Site Scripting - SA-CONTRIB-2019-051
This module allows you to attach tabular data to an entity. Access bypass There's no access check for users with an "Export Tablefield Data as CSV". They can export data from unpublished nodes or otherwise inaccessible entities. This vulnerability is mitigated by the fact that an attacker must ha...
Opigno forum - Less critical - Access bypass - SA-CONTRIB-2019-046
In certain circumstances it is possible that certain forum information is available to unprivileged users because the access check is done with node access instead of grants. This vulnerability is mitigated by the fact that the module itself does not disclose information but only if there are...
TableField - Critical - Remote Code Execution - SA-CONTRIB-2019-045
This module allows you to attach tabular data to an entity. The module doesn't sufficiently determine that the data being unserialized is the contents of a tablefield when users request a CSV export, which could lead to Remote Code Execution via Object Injection. This vulnerability is mitigated b...
AddToAny Share Buttons - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-039
This module enables you to add social media share buttons on your website to its content and pages. The module doesn't sufficiently mark its administration permission restricted, allowing cross site scripting vulnerabilities to users who have access to its admin settings. This vulnerability is...
Video - Critical - Remote Code Execution - SA-CONTRIB-2019-037
This module provides a field where editors can add videos to their content and this module offers functionality to transcode these videos to different sizes and formats. The module doesn't sufficiently sanitize some user input on administrative forms...
Link - Critical - Remote Code Execution - SA-CONTRIB-2019-020
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
Drupal OAuth & OpenID Connect Login - OAuth2 Client SSO Login - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-016
This module enables you to allow login into the Drupal websites through an external provider over the OAuth 2.0 protocol. The module sets a Drupal variable used for redirection based on unsanitised user input, leading to an Open Redirect vulnerability. It also fails to sanitise user input which i...
Preview Link - Moderately critical - Access bypass - SA-CONTRIB-2019-004
The Preview Link module enables you to generate preview links so anonymous users can access unpublished revisions of content. The last release of the module introduced an access bypass allowing users to present invalid tokens but still access unpublished content...
Anti-Spam by CleanTalk - Critical - Cross site scripting and SQL Injection - SA-CONTRIB-2019-010
Anti-spam module by CleanTalk to protect your Drupal sites from spambot registration and spam comments publications thru comment and contact forms. This module does not sufficiently filter submitted content in certain circumstances...
Session Limit - Critical - Insecure Session Management - SA-CONTRIB-2018-072
The session limit module enables a site administrator to set a policy around the number of active sessions users of the site may have. This is typically set to one so that you can only be logged in once with the same user account. In one configuration of the module, when a user logs in with anoth...
Commerce Klarna Checkout - Moderately critical - Access bypass - SA-CONTRIB-2018-062
The Commerce Klarna Checkout module enables you to accept payments from the Klarna Checkout payment provider The module doesn't sufficiently validate the payment callback made by Klarna. An attacker could bypass the payment step...
File (Field) Paths - Critical - Remote Code Execution - SA-CONTRIB-2018-056
This module enables you to automatically sort and rename your uploaded files using token based replacement patterns to maintain a nice clean filesystem. The module doesn't sufficiently sanitize the path while a new file is uploading, allowing a remote attacker to execute arbitrary PHP code. This...
NewsFlash - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-049
This theme features 7 color styles, 12 collapsible regions, suckerfish menus, fluid or fixed widths, and lots more. The theme doesn't sufficiently sanitize user input. This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site...
JSON:API - Moderately critical - Multiple Vulnerabilities - SA-CONTRIB-2018-015
This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities. The module doesn't sufficiently associate cacheability metadata in certain situations thereby causing an access bypass vulnerability. This vulnerability is mitigated b...
Backup and Migrate - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-004
This module enables you to create manual and scheduled backups of a site, and restore the site from backup. The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles. Sites using this module should review the permissions page...
Node feedback - Moderately critical - Access Bypass - SA-CONTRIB-2017-092
This module enables you to set nodes to send feedbacks by personal/site wide contact forms. The module doesn't sufficiently handle the access to nodes whose titles will be shown on contact forms. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Us...
Facebook Like Button - Moderately Critical - XSS - DRUPAL-SA-CONTRIB-2017-066
This module provides a Facebook Like button on node pages and blocks. The module does not sufficiently sanitize output when configured to use custom css rules. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer fblikebutton". CVE...
Custom Landing Page Builder - Unsupported - SA-CONTRIB-2017-050
The Custom Landing Page Builder module allows webmasters to build custom landing pages using a WYSIWYG editor while still having full control over the full layout of the page including the header, navigation, page content, footer, forms etc. The security team is marking this module unsupported...
Site Verify - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-051
The Site Verify module enables privilege users to verify a site with services like Google Webmaster Tools using meta tags or file uploads. The module doesn't sufficiently sanitize input or restrict uploads. This vulnerability is mitigated by the fact that an attacker must have a role with the...
Drupal Remote Dashboard - Critical - Weak encryption keys - SA-CONTRIB-2017-046
UPDATE 2017-07-12 : This SA originally only mentioned the Drupal 8 version of the module, but it was later discovered that this issue affected the Drupal 7 version as well. We've updated the SA for the Drupal 7 security release. Sorry for the confusion! This module enables you to remotely access...
shib_auth Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-043
This module enables you to login via Shibboleth. The module doesn't sufficiently logout the user when the shib session expires, which depending on the caching mechanism makes private data public. This vulnerability is mitigated by the fact that shibauth would have to be used in combination with a...
Breakpoint Panels - Critical - Unsupported - SA-CONTRIB-2017-028
Breakpoint panels adds a button to the Panels In-Place Editor for each pane. When selected, it will display checkboxes next to all of the breakpoints specified in that modules UI. Unchecking any of these will 'hide' it from that breakpoint. The security team is marking this module unsupported...
OAuth - Less Critical - Access Bypass - SA-CONTRIB-2017-006
This module enables you to use the OAuth 1.a protocol to authenticate requests. The module does not does not implement the OAuth 1.0a security fix reported at https://oauth.net/advisories/2009-1/. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance wit...
Workbench Moderation - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-060
This module enables you to create and manage custom editorial workflows around a site's content. The module could result in unpublished content being temporarily made visible via content lists, e.g. as generated by Views, when its editorial status was being changed, e.g. from "draft" to "needs...
Flag - Moderately Critical - Access Bypass - SA-CONTRIB-2016-050
Flag enables users to mark content with any number of admin-defined flags, such as 'bookmarks' or 'spam'. Flag Bookmark is a submodule within Flag, which provides a 'bookmarks' flag, and default views to list bookmarked content. The provided view that lists each user's bookmarked content as a tab...
Webform Multiple File Upload - Critical - Remote Code Execution - SA-CONTRIB-2016-038
The Webform Multiple File Upload module allows users to upload multiple files on a Webform. The Webform Multifile File Upload module contains a Remote Code Execution RCE vulnerability where form inputs will be unserialized and a specially crafted form input may trigger arbitrary code execution...
Instagram Block - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-037
This module enables you to authenticate with Instagram's API via an intermediary service instagram.yanniboi.com. The module doesn't sufficiently advise that your authentication tokens could be intercepted. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in...