1911 matches found
Preview Link - Moderately critical - Access bypass - SA-CONTRIB-2019-004
The Preview Link module enables you to generate preview links so anonymous users can access unpublished revisions of content. The last release of the module introduced an access bypass allowing users to present invalid tokens but still access unpublished content...
Phone Field - Critical - SQL Injection - SA-CONTRIB-2019-001
This module provides a phone field for Drupal 7 that supports the HTML5 tel:-schema. In an API function that is not used by the module, the name for the phone field is not sufficiently sanitised when using it in database queries. This vulnerability is mitigated by the fact that it affects an unus...
Session Limit - Critical - Insecure Session Management - SA-CONTRIB-2018-072
The session limit module enables a site administrator to set a policy around the number of active sessions users of the site may have. This is typically set to one so that you can only be logged in once with the same user account. In one configuration of the module, when a user logs in with anoth...
Commerce Klarna Checkout - Moderately critical - Access bypass - SA-CONTRIB-2018-062
The Commerce Klarna Checkout module enables you to accept payments from the Klarna Checkout payment provider. The module doesn't sufficiently validate the payment callback made by Klarna. An attacker could bypass the payment step...
PHP Configuration - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-055
This module enables you to add or overwrite PHP configuration on a Drupal website. The module doesn't sufficiently restrict access to set these configurations, leading to arbitrary PHP configuration execution by an attacker. This vulnerability is mitigated by the fact that an attacker must have a ro...
Tapestry - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-051
This theme provides Drupal users with many advanced features including 20 Different Color Styles, 30 User Regions, Custom Block Theme Templates, Suckerfish Menus, Icon Support, Advanced Page Layout Options, Simple Configuration, Custom Typography... The theme doesn't sufficiently sanitize user...
JSON:API - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2018-021
This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities. The module doesn't provide CSRF protection when processing authenticated traffic using cookie-based authentication. This vulnerability is mitigated by the fact that an...
Display Suite - Critical - Cross site scripting (XSS) - SA-CONTRIB-2018-019
Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. The module doesn't sufficiently validate view modes provided dynamically via URLs, leading to a reflected cross site scripting (XSS) attack. This vulnerability is mitigated only by the...
JSON:API - Moderately critical - Access Bypass - SA-CONTRIB-2018-016
This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities. The module doesn't sufficiently check access when viewing related resources or relationships, thereby causing an access bypass vulnerability. This vulnerability is...
FileField Sources - Moderately critical - Access Bypass - SA-CONTRIB-2018-007
This module enables you to upload files to fields via several sources. The module doesn't sufficiently handle access control under the scenario of the autocomplete path of reference sources...
Backup and Migrate - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-004
This module enables you to create manual and scheduled backups of a site, and restore the site from backup. The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles. Sites using this module should review the permissions page...
Node feedback - Moderately critical - Access Bypass - SA-CONTRIB-2017-092
This module enables you to set nodes to send feedback via personal/site-wide contact forms. The module doesn't sufficiently handle the access to nodes whose titles will be shown on contact forms. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Us...
baidu_analytics - Unsupported - SA-CONTRIB-2017-060
Update: The maintainer has resolved this issue; please read the release notes for more information. This module adds the Baidu Analytics web statistics tracking system to your website. The security team is marking this module unsupported. There is a known security issue with the module that has not...
SMTP - Moderately Critical - Information Disclosure - SA-CONTRIB-2017-055
This SMTP module enables you to send mail using a third party non-system mail service instead of the local system mailer included with Drupal. When this module is in debugging mode, it will log privileged information. CVE identifiers issued: A CVE identifier will be requested, and added upon...
Site Verify - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-051
The Site Verify module enables privileged users to verify a site with services like Google Webmaster Tools using meta tags or file uploads. The module doesn't sufficiently sanitize input or restrict uploads. This vulnerability is mitigated by the fact that an attacker must have a role with the...
Drupal Remote Dashboard - Critical - Weak encryption keys - SA-CONTRIB-2017-046
UPDATE 2017-07-12: This SA originally only mentioned the Drupal 8 version of the module, but it was later discovered that this issue affected the Drupal 7 version as well. We've updated the SA for the Drupal 7 security release. Sorry for the confusion! This module enables you to remotely access...
Media - Critical - 1.x branch unsupported - SA-CONTRIB-2017-042
The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a 3rd party site - it is commonly referred to as a 'file browser to the internet'. Versions affected: Only the 1.x branch is affected. Version 2.0...
References - Unsupported - SA-CONTRIB-2017-38
Updates: 2017-04-18 -- This issue has been resolved with the release of references 7.x-2.2. 2017-04-14 -- A potential new maintainer is working through the process of fixing the References module. When this is complete a new release will be published and this SA will be updated. The specific details...
Linkit - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-033
Linkit provides an easy interface for internal and external linking with WYSIWYG editors by using an autocomplete field. When searching for entities, this module doesn't always enforce the access restrictions and users may see information about entities they should not be able to access. This is...
Breakpoint Panels - Critical - Unsupported - SA-CONTRIB-2017-028
Breakpoint panels adds a button to the Panels In-Place Editor for each pane. When selected, it will display checkboxes next to all of the breakpoints specified in that module's UI. Unchecking any of these will 'hide' it from that breakpoint. The security team is marking this module unsupported...
Workbench Scheduler - Moderately Critical - Access Bypass - SA-CONTRIB-2016-049
Workbench Scheduler module provides users with the ability to create schedules that change moderated content from one workbench moderation state to another. An authenticated user could add a schedule to a node even when that content type has schedules disabled. The vulnerability is mitigated by t...
Piwik - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-043
This module enables you to add integration with the Piwik statistics service. The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted. This vulnerability is mitigated by the...
Instagram Block - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-037
This module enables you to authenticate with Instagram's API via an intermediary service, instagram.yanniboi.com. The module doesn't sufficiently advise that your authentication tokens could be intercepted. CVE identifiers issued: A CVE identifier will be requested, and added upon issuance, in...
Fast Autocomplete - Critical - DOS vulnerability - SA-CONTRIB-2016-016
This module enables you to show IMDB-like suggestions when entering terms into an input field, using JSON files to "cache" suggestions, making the autocomplete very fast. The module doesn't sufficiently validate the incoming language parameter in the request path when a JSON file of the module is...
Select2 Field Widget - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-173
Select2 Field Widget module enables you to use the select2 library for field widgets. The module doesn't sufficiently sanitize some user supplied text, leading to a reflected Cross Site Scripting (XSS) vulnerability. CVE identifiers issued: A CVE identifier will be requested, and added upon issuance,...
RESTful - Less Critical - Access bypass - SA-CONTRIB-2015-167
RESTful module allows Drupal to be operated via RESTful HTTP requests, using best practices for security, performance, and usability. The module doesn't sufficiently validate some user input. Specific code could be run arbitrarily by an attacker in certain circumstances. This vulnerability is...
Apache Solr Search - Moderately Critical - Access Bypass - SA-CONTRIB-2015-170
This module enables you to connect to an Apache Solr search server to provide a replacement for Drupal core content search and provide both extra features and better search performance and relevance. The module doesn't correctly check access when attempting to delete non-default search...
Token Insert Entity - Moderately Critical - Access bypass and information disclosure - SA-CONTRIB-2015-171
This module offers a WYSIWYG button to embed rendered entities in fields using a WYSIWYG (normally the body of a node). There is a vulnerability because a user that can create or edit content and has the "insert entity token" permission can insert tokens relating to e.g. an unpublished node and all...
Webform CiviCRM Integration - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-160
Webform CiviCRM Integration allows you to add CiviCRM fields to a Drupal Webform. The module doesn't sufficiently escape user input. Some of the vulnerabilities are mitigated by the fact that an attacker must have a role with the permission to edit the webform node plus "access CiviCRM" to define...
Stickynote - Cross Site Scripting (XSS) - Moderately Critical - SA-CONTRIB-2015-154
This module enables you to create notes on a page inside a block. The module doesn't sufficiently sanitize the note text on the admin listing page. This vulnerability is mitigated by the fact that an attacker must have a role with a permission to create or edit a stickynote. CVE identifiers issue...
Taxonomy Find - Unsupported - SA-CONTRIB-2015-153
This module enables you to add a simple search interface to lookup taxonomy terms by name. The module doesn't sufficiently sanitize output of taxonomy vocabulary names and term names. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer...
User Dashboard - SQL Injection - Critical - SA-CONTRIB-2015-152
The module contains SQL Injection vulnerabilities. CVE identifiers issued: CVE-2015-7877. Versions affected: userdashboard 7.x versions prior to 7.x-1.4. Drupal core is not affected. If you do not use the contributed UserDashboard module, there is nothing you need to do. Solution: Install the latest...
CMS Updater - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2015-150
CMS Updater allows you to update Drupal core automatically with a subscription service. Access bypass: The module does not sufficiently protect the settings page, allowing any user with the permission "access administration pages" to change settings. This vulnerability is mitigated by the fact that an...
The eXtensible Catalog (XC) Drupal Toolkit - Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-121
The eXtensible Catalog Drupal Toolkit is a set of Drupal modules to harvest records of the XC Schema format from a Metadata Services Toolkit (MST). The XC NCIP Provider module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with "administer ncip providers"...
pass2pdf - Critical - Information Disclosure - Unsupported - SA-CONTRIB-2015-109
This module allows you to let users set a password upon registering, and have the password emailed to the user in a PDF file. The module has an Information Disclosure vulnerability. The generated PDF files are not protected. The user passwords are exposed to anonymous users. CVE identifiers issue...
SA-CONTRIB-2015-072 - Commerce Ogone - Access bypass
This module enables you to use Ogone (Ingenico) as a payment method for Drupal Commerce. Malicious users can trick Commerce Ogone into proceeding with the checkout process without actually going through the Ogone payment process, causing the order status to be set to checkout complete, even though ...
SA-CONTRIB-2015-060 - Custom Sitemap - Cross Site Request Forgery (CSRF) - Unsupported
The Custom Sitemap module enables you to add custom sitemaps to a site. The module doesn't sufficiently protect some URLs against CSRF. A malicious user could trick an administrator into deleting sitemaps by getting their browser to make a request to a specially-crafted URL. CVE identifiers issue...
SA-CONTRIB-2015-049 - Navigate - Cross Site Scripting (XSS)
Navigate is a customizable navigation bar for Drupal. The module doesn't sufficiently sanitize user input when displaying the Navigate bar. Because the vulnerability is a Reflected Cross Site Scripting, the only mitigating factor is that the victim must be tricked into visiting a specially crafte...
SA-CONTRIB-2015-044 - Taxonomy Path - Cross Site Scripting (XSS)
Taxonomy Path module enables you to create custom links to taxonomy terms within a display mode. The module doesn't sufficiently sanitize user provided text in the provided "Link to path" field formatter, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by th...
SA-CONTRIB-2014-127 - School Administration - Cross Site Scripting (XSS)
School Administration module enables you to keep records of all students and staff. With inner modules, it aims to be a complete school administration system. The module failed to sanitize some node titles in messages, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is...
SA-CONTRIB-2014-095 - Safeword - Cross Site Scripting (XSS)
The safeword module provides an automatically generated 'Machine Name' when text is entered into a human-readable field. The module doesn't sufficiently sanitize the field description that can be used as help text under the machine name editing field. This vulnerability is mitigated by the fact...
SA-CONTRIB-2014-088 - Mollom - Cross-site scripting (XSS)
Mollom is an "intelligent" content moderation web service which determines if a post is potentially spam; not only based on the posted content, but also on the past activity and reputation of the poster across multiple sites. Mollom offers a feature to report submitted content as inappropriate...
SA-CONTRIB-2014-063 - Easy Breadcrumb - Cross Site Scripting (XSS)
The Easy Breadcrumb module generates breadcrumbs from path aliases. This module does not properly sanitize user-supplied values, creating a Cross Site Scripting (XSS) vulnerability. CVE identifiers issued: CVE-2014-4505. Versions affected: Easy breadcrumbs 7.x-2.x versions prior to 7.x-2.10. Drupal cor...
SA-CONTRIB-2014-052 - AddressField Tokens - Cross Site Scripting (XSS)
The AddressField Tokens module extends the addressfield module by adding token support. It also adds some convenient addressfield formatters and provides Webform addressfield integration. The module does not properly filter address field values, resulting in a Cross Site Scripting (XSS) vulnerabili...
SA-CONTRIB-2014-033 - Nivo Slider - Cross Site Scripting
Nivo Slider provides a way to showcase featured content. Nivo Slider gives administrators a simple method of adding slides to the slideshow, an administration interface to configure slideshow settings, and simple slider positioning using the Drupal block system. The module doesn't sufficiently...
SA-CONTRIB-2014-021 - Maestro - Cross Site Scripting (XSS)
The Maestro module enables you to create complex workflows, automating business processes. The module doesn't sufficiently filter Role or Organic Group names when displaying them in the workflow details. This vulnerability is mitigated by the fact that an attacker must have a role with the...
SA-CONTRIB-2014-004 - Secure Cookie Data - Faulty Hashing
This module allows for storing data securely in a cookie through implementing the Secure Cookie Protocol. Ability to alter trusted data in the cookie: The module did an incorrect comparison of the HMAC value, allowing a bypass of the HMAC verification, which allows changing the cookie value. Known...
SA-CONTRIB-2013-096 - Entity reference - Access bypass
By default, with an autocomplete or a select widget, a user cannot autocomplete an entity title, nor can they select an entity that they have no access to. This will correctly throw an 'invalid id' error and does not show the title of the entity. However, if a user A that has access to the reference...
SA-CONTRIB-2013-090 - Revisioning - Access Bypass
This module enables you to create content publication workflows whereby one version of the content is "live" (publicly visible), while another is being edited and moderated privately until found fit for publication. The module doesn't sufficiently apply node access permissions when used in...
SA-CONTRIB-2013-082 - Bean - Cross Site Scripting (XSS)
This module enables you to create block entities, a.k.a. beans. The module did not sufficiently filter bean titles for dangerous HTML. This vulnerability is mitigated by the fact that an attacker must have permission to create or edit beans. CVE identifiers issued: CVE-2013-4499. Versions affected...