Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2016/03/02 12:0 a.m.17 views

Google Analytics Counter - Moderately Critical - CSRF - SA-CONTRIB-2016-011

The Google Analytics Counter module provides total pageview counts for each page on a website. In that it is similar to the core Statistics module counter, but it is much lighter and ultimately faster because it draws on data from Google Analytics. This is why it is also able to effortlessly coun...

7AI score
Exploits0References12
Drupal
Drupal
added 2015/12/02 12:0 a.m.17 views

Apache Solr Search - Moderately Critical - Access Bypass - SA-CONTRIB-2015-170

This module enables you to connect to an Apache Solr search server to provide a replacement for Drupal core content search and provide both extra features and better search performance and relevance. The module doesn't correctly check access when attempting to delete non-default search...

7AI score
Exploits0References13
Drupal
Drupal
added 2015/11/18 12:0 a.m.17 views

Encrypt - Moderately Critical - Weak Encryption - SA-CONTRIB-2015-166

This module enables you to encrypt data within Drupal using a user-configurable encryption method and key provider. The module did not sufficiently validate good configurations and api usage resulting in multiple potential weaknesses depending on module usage. The default encryption method could...

6.7AI score
Exploits0References12
Drupal
Drupal
added 2015/09/30 12:0 a.m.17 views

Taxonomy Find - Unsupported - SA-CONTRIB-2015-153

This module enables you to add a simple search interface to lookup taxonomy terms by name. The module doesn't sufficiently sanitize output of taxonomy vocabulary names and term names. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer...

5.4CVSS5.4AI score0.00609EPSS
Exploits0References9
Drupal
Drupal
added 2015/09/09 12:0 a.m.17 views

RESTful - Moderately Critical - Access bypass - SA-CONTRIB-2015-147

This module enables you to expose your Drupal backend by generating a RESTful API. The module doesn't sufficiently account for core's page cache generation for anonymous users, when using non-cookie authentication providers. Authenticated users, via one of the authentication providers, can have...

5CVSS6.4AI score0.01276EPSS
Exploits0References10
Drupal
Drupal
added 2015/09/02 12:0 a.m.17 views

Fieldable Panels Panes - Less Critical - Access bypass - SA-CONTRIB-2015-145

Fieldable Panels Panes enables you to create custom panes for embedding in Panels-based displays Page Manager, Panelizer, Panels Everywhere via a fieldable custom entity type. The module doesn't sufficiently check for permission to edit existing Fieldable Panels Panes entities, thus allowing...

3.5CVSS6.3AI score0.00787EPSS
Exploits0References11
Drupal
Drupal
added 2015/08/05 12:0 a.m.17 views

Compass Rose - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-138

Compass Rose module provides a type of CCK field that allows to represent the most common orientations North, North-East, East, South-East, South, South-West, West and North-West. The module was embedding a JavaScript library from an external source that was not reliable, thereby exposing the sit...

6.1CVSS6.1AI score0.01271EPSS
Exploits0References10
Drupal
Drupal
added 2015/05/06 12:0 a.m.17 views

Video Consultation - Moderately Critical - Cross Site Scripting (XSS) - Unsupported - SA-CONTRIB-2015-105

Video Consultation module integrates VideoWhisper Video Consultation software with Drupal. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. CVE identifiers issued CVE-2015-5492 Versions affected All versions of Video Consultation...

4.3CVSS6.1AI score0.0095EPSS
Exploits0References9
Drupal
Drupal
added 2015/03/04 12:0 a.m.17 views

SA-CONTRIB-2015-072 - Commerce Ogone - Access bypass

This module enables you to use Ogone Ingenico as a payment method for Drupal Commerce. Malicious users can trick Commerce Ogone into proceeding with the checkout process without actually going through the Ogone payment process, causing the order status to be set to checkout complete, even though ...

5CVSS6.4AI score0.01358EPSS
Exploits0References12
Drupal
Drupal
added 2015/02/25 12:0 a.m.17 views

SA-CONTRIB-2015-056 - inLinks Integration - Cross Site Scripting (XSS) - Unsupported

inLinks Integration module enables you to use inLinks product from Text Link Ads third-party service. The module doesn't sufficiently sanitize user input in some path arguments, thereby exposing a Cross Site Scripting vulnerability. CVE identifiers issued CVE-2015-4347 Versions affected All...

4.3CVSS6AI score0.01171EPSS
Exploits0References8
Drupal
Drupal
added 2015/02/18 12:0 a.m.17 views

SA-CONTRIB-2015-049 - Navigate - Cross Site Scripting (XSS)

Navigate is a customizable navigation bar for Drupal. The module doesn't sufficiently sanitize user input when displaying the Navigate bar. Because the vulnerability is a Reflected Cross Site Scripting, the only mitigating factor is that the victim must be tricked into visiting a specially crafte...

4.3CVSS6.3AI score0.01521EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/11 12:0 a.m.17 views

SA-CONTRIB-2015-046 - Taxonomy Tools - Cross Site Scripting (XSS)

Taxonomy Tools module provides alternative ways of managing taxonomy terms. The module doesn't sufficiently escape node and taxonomy term titles when displaying them, allowing a malicious user to inject code. This vulnerability is mitigated by the fact that an attacker must have a role with...

3.5CVSS6.3AI score0.00965EPSS
Exploits0References12
Drupal
Drupal
added 2014/12/03 12:0 a.m.17 views

SA-CONTRIB-2014-117 - Hierarchical Select - Cross Site Scripting (XSS)

The Hierarchical Select module provides a "hierarchicalselect" form element, which is a greatly enhanced way for letting the user select items in a taxonomy. The module does not sanitize some of the user-supplied data before displaying it, leading to two Cross Site Scripting XSS vulnerabilities...

3.5CVSS5.9AI score0.00946EPSS
Exploits0References11
Drupal
Drupal
added 2014/08/20 12:0 a.m.17 views

SA-CONTRIB-2014-084 - Avatar Uploader - Information Disclosure

The Avatar Uploader enables you to upload user pictures in a user-friendly way, like Quora and Facebook. The module doesn't sufficiently check the picture path when a user crops the picture in the uploader panel allowing a malicious user to make specially crafted requests to obtain sensitive serv...

4CVSS6.3AI score0.01481EPSS
Exploits0References11
Drupal
Drupal
added 2014/05/14 12:0 a.m.17 views

SA-CONTRIB-2014-052 - AddressField Tokens - Cross Site Scripting (XSS)

The AddressField Tokens module extends the addressfield module by adding token support. It also adds some convenient addressfield formatters and provides Webform addressfield integration. The module does not properly filter address field values, resulting in a Cross Site Scripting XSS vulnerabili...

3.5CVSS5.4AI score0.00946EPSS
Exploits0References11
Drupal
Drupal
added 2014/05/14 12:0 a.m.17 views

SA-CONTRIB-2014-050 - Commerce Postfinance ePayment - Access Bypass

The Commerce Postfinance ePayment module provides commerce payment methods for the Postfinance e-Payment service provider. The module doesn't sufficiently validate incoming payment notification IPN messages. Sending a specifically crafted IPN message to an affected site allows an attacker to crea...

6.9AI score
Exploits0References12
Drupal
Drupal
added 2014/04/23 12:0 a.m.17 views

SA-CONTRIB-2014-042 - Internationalization - Access Bypass

This module enables you to build multilingual Drupal sites providing missing translation features for Drupal core. The module doesn't sufficiently check content access permissions and under certain circumstances allows users with the "access content" permission to see path aliases from unpublishe...

7AI score
Exploits0References11
Drupal
Drupal
added 2014/02/26 12:0 a.m.17 views

SA-CONTRIB-2014-025 - Open Omega - Access Bypass

This theme is a sub theme of omega used as as a sample theme for the open Public Distribution. The theme doesn't sufficiently check the users menu access when building the header and footer menus, so that it can expose the title and path of restricted items in the menu. This vulnerability is...

7AI score
Exploits0References12
Drupal
Drupal
added 2014/02/12 12:0 a.m.17 views

SA-CONTRIB-2014-013- Chaos tool suite (ctools) - Access Bypass

This module provides content editors with an autocomplete callback for entity titles, as well as an ability to embed content within the Chaos tool suite ctools framework. Prior to this version, ctools did not sufficiently check access grants for various types of content other than nodes. It also...

7.3AI score
Exploits0References15
Drupal
Drupal
added 2013/10/23 12:0 a.m.17 views

SA-CONTRIB-2013-082 - Bean - Cross Site Scripting (XSS)

This module enables you to create block entities a.k.a. beans. The module did not sufficiently filter bean titles for dangerous html. This vulnerability is mitigated by the fact that an attacker must have permission to create or edit beans. CVE identifiers issued CVE-2013-4499 Versions affected...

4.3CVSS6.3AI score0.01148EPSS
Exploits0References9
Drupal
Drupal
added 2013/06/26 12:0 a.m.17 views

SA-CONTRIB-2013-054 - Fast Permissions Administration - Access Bypass

The Fast Permissions Administration module enables you to use inline filters on the permissions page, as well as loading the permissions form through a modal dialog. The module doesn't sufficiently check user access for the modal content callback, allowing unauthorized access to the permissions...

7.5CVSS6.4AI score0.01527EPSS
Exploits0References11
Drupal
Drupal
added 2013/03/27 12:0 a.m.17 views

SA-CONTRIB-2013-036 - Zero Point - Cross Site Scripting (XSS)

Zero Point is a theme which includes many options, ideal for a wide range of sites. The theme does not escape user supplied text which creates a reflected Cross site scripting XSS vulnerability in URLs. There are no mitigating factors. CVE identifiers issued CVE-2013-1905 Versions affected...

4.3CVSS5.5AI score0.02227EPSS
Exploits0References9
Drupal
Drupal
added 2012/11/14 12:0 a.m.17 views

SA-CONTRIB-2012-165 - Chaos tool suite (ctools) - Cross Site Scripting (XSS)

The Chaos tool suite is primarily a set of APIs and tools to improve the developer experience. The page manager node view task does not sufficiently escape node titles when setting the page title, allowing XSS. This vulnerability is partially mitigate by the node task being disabled by default an...

2.6CVSS6AI score0.01783EPSS
Exploits0References11
Drupal
Drupal
added 2012/10/03 12:0 a.m.17 views

SA-CONTRIB-2012-150 - Twitter Pull - Cross Site Scripting (XSS)

Twitter Pull allows you to retrieve tweets from Twitter based on a user or search and display them on your site. It also includes integration with the boxes module to allow for simple placement of twitter feeds on various pages. The module doesn't sufficiently filter the data coming from Twitter...

4.3CVSS6AI score0.01161EPSS
Exploits0References11
Drupal
Drupal
added 2012/07/25 12:0 a.m.17 views

SA-CONTRIB-2012-118 - Secure Login - Open Redirect

Secure Login module enables the user login and other forms to be submitted securely via HTTPS, thus preventing passwords and other private user data from being transmitted in clear text. In addition, Secure Login module by default redirects non-HTTPS GET requests for pages containing forms that i...

6.8AI score
Exploits0References11
Drupal
Drupal
added 2012/05/23 12:0 a.m.17 views

SA-CONTRIB-2012-085 - BrowserID - Multiple Vulnerabilities

CSRF Issue: CVE: CVE-2012-2713 BrowserID login theft: CVE: CVE-2012-2714 The BrowserID module provides integration with BrowserID also known as Mozilla Persona -- a Mozilla project that lets users of your site quickly and easily log in without needing to remember a password specific to your site...

9.8CVSS9.9AI score0.03294EPSS
Exploits1References12
Drupal
Drupal
added 2012/03/14 12:0 a.m.17 views

SA-CONTRIB-2012-039 - Language Icons - Cross Site Scripting (XSS)

CVE: CVE-2012-2065 The Language icons module adds icons to language links generated by the Locale and Content Translation modules in core. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is...

3.5CVSS5.6AI score0.01822EPSS
Exploits0References12
Drupal
Drupal
added 2012/03/14 12:0 a.m.17 views

SA-CONTRIB-2012-037 - Slidebox - access bypass

CVE: CVE-2012-2063 The Slidebox module allows webmasters do display a link to the next node in a jQuery box that slides in from the right side of the page after a user scrolls past a certain point. While the module checks for "published" status, the module does not contain sufficient usage of...

5CVSS6.5AI score0.02329EPSS
Exploits0References11
Drupal
Drupal
added 2012/03/14 12:0 a.m.17 views

SA-CONTRIB-2012-041 - Fancy Slide - Cross Site Scripting (XSS)

CVE: CVE-2012-2068 This module enables you to create slideshow blocks to embed into templates. The module doesn't sufficiently filter user supplied text. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer fancyslide". Versions affected...

2.1CVSS6.3AI score0.01607EPSS
Exploits0References10
Drupal
Drupal
added 2012/03/07 12:0 a.m.17 views

SA-CONTRIB-2012-035 - Webform Cross Site Scripting (XSS)

CVE: CVE-2012-1660 The Webform module allows content creators to assemble a survey for end-users. The module doesn't sufficiently filter user supplied text when displaying radio buttons or checkboxes when used in combination with the Select or Other... module. This vulnerability is mitigated by t...

2.1CVSS6.3AI score0.01277EPSS
Exploits0References13
Drupal
Drupal
added 2012/02/08 12:0 a.m.17 views

SA-CONTRIB-2012-018 - Revisioning - Cross Site Scripting

CVE: CVE-2012-1060 The Drupal Revisioning module https://drupal.org/project/revisioning "is a module for the configuration of workflows to create, moderate and publish content revisions." The Revisioning module contains a persistent cross site scripting XSS vulnerability due to the fact that it...

2.1CVSS4.8AI score0.01062EPSS
Exploits1References11
Drupal
Drupal
added 2012/02/08 12:0 a.m.17 views

SA-CONTRIB-2012-017 - Finder - Multiple vulnerabilities

CVE: CVE-2012-1641 Finder is a Drupal module that allows users to create faceted search forms. The module's autocomplete, checkbox, and radio button functionalities previously did not sanitize the output of fields and raw database values. In addition, users with the "administer finder" permission...

6CVSS7.5AI score0.02292EPSS
Exploits1References12
Drupal
Drupal
added 2012/01/25 12:0 a.m.17 views

SA-CONTRIB-2012-013 - Search Autocomplete - SQL Injection

CVE: CVE-2012-1638 The Search Autocomplete module allows you to add autocomplete functionality to the search fields of a Drupal site. Search Autocomplete does not properly use Drupal's database API, making it possible for a malicious user to carryout SQL injection on the site. This vulnerability ...

6CVSS7.2AI score0.01081EPSS
Exploits1References10
Drupal
Drupal
added 2012/01/11 12:0 a.m.17 views

SA-CONTRIB-2012-008 - Video Filter - Cross Site Scripting

CVE: CVE-2012-1634 The Video Filter module lets you display videos from various third party sources. When videos from Blip.tv are shown, the module fails to sanitize source data before display. This vulnerability is mitigated by the fact that the attacker has to be able to either control the sour...

4.3CVSS6.4AI score0.01393EPSS
Exploits1References11
Drupal
Drupal
added 2012/01/11 12:0 a.m.17 views

SA-CONTRIB-2012-007 - Password Policy - Multiple vulnerabilities

This module enables you to specify a certain level of password complexity aka. "password hardening" for user passwords on a system by defining a policy. Cross Site Request Forgery CSRF CVE: CVE-2012-1633 Unblocking a user does not require sufficient confirmation by administrative users and can be...

6.8CVSS6.1AI score0.00941EPSS
Exploits2References10
Drupal
Drupal
added 2012/01/04 12:0 a.m.17 views

SA-CONTRIB-2012-002 - Lingotek - Cross Site Scripting

CVE: CVE-2012-1624 This module enables you to translate a website's content using tools provided by the Lingotek Collaborative Translation Network. The module doesn't sufficiently sanitize user input when creating or editing page content. This allows a malicious content editor to potentially inpu...

3.5CVSS5.8AI score0.0107EPSS
Exploits0References10
Drupal
Drupal
added 2010/12/15 12:0 a.m.17 views

SA-CONTRIB-2010-110 - Drupal For Firebug - Cross-site Request Forgery

The Drupal For Firebug module allows developers to use Firebug to get debugging information about their Drupal installation. The module does not properly protect the form used to submit PHP code against Cross-site Request Forgeries CSRF, allowing a malicious user to trick an authorized user into...

7.2AI score
Exploits0References7
Drupal
Drupal
added 2010/10/27 12:0 a.m.17 views

SA-CONTRIB-2010-101 - Watcher - Multiple Vulnerabilities

The Watcher module lets users subscribe to nodes so they receive email notifications when comments are posted or nodes are changed. The Watcher module did not sanitize some of the user supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability which can be used by a...

6.5AI score
Exploits0References10
Drupal
Drupal
added 2010/08/11 12:0 a.m.17 views

SA-CONTRIB-2010-085 - Pathauto - Cross Site Scripting

The Pathauto module automatically generates path aliases for various kinds of content nodes, categories, users without requiring the user to manually specify the path alias. It also provides additional tokens that can be used in URL alias patterns and anywhere else that the Token API is used. The...

6.2AI score
Exploits0References8
Drupal
Drupal
added 2010/05/19 12:0 a.m.17 views

SA-CONTRIB-2010-049 - Wordpress Import - Access bypass

The Wordpress Import module provides the ability to import nodes from a Wordpress WXR export file. The form to import a WXR file does not use the correct access permission and allows any user to upload arbitrary files and import data from a remote WRX file. Versions affected Wordpress Import for...

7.2AI score
Exploits0References7
Drupal
Drupal
added 2010/05/12 12:0 a.m.17 views

SA-CONTRIB-2010-042: LoginToboggan - Session fixation

The LoginToboggan module provides a customized log in workflow. Attackers may be able to exploit the workflow to initiate a session fixation attack. Versions affected LoginToboggan versions for the 5.x and 6.x versions of Drupal Drupal core is not affected. If you do not use the contributed...

7AI score
Exploits0References7
Drupal
Drupal
added 2010/03/24 12:0 a.m.17 views

SA-CONTRIB-2010-031 - Menu Block - Cross Site Scripting (XSS)

The Menu Block module generates full or partial menu trees that are presented in configurable blocks. When partial menu trees are displayed, the block title uses the text from the partial menu tree's parent menu item. However, that text is not properly sanitized, leading to a Cross Site Scripting...

5.4AI score
Exploits0References6
Drupal
Drupal
added 2010/03/03 12:0 a.m.17 views

SA-CONTRIB-2010-024 - eTracker - Cross Site Scripting

The eTracker module provides integration of a Drupal site with the eTracker web traffic analysis service and takes the current URL as a parameter to track what pages have been visited. The URL from the browser is forwarded to JavaScript in the current page, and because the URL wasn't sanitised, i...

6.5AI score
Exploits0References4
Drupal
Drupal
added 2010/02/24 12:0 a.m.17 views

SA-CONTRIB-2010-020 - Facebook-style Statuses (Microblog) - Access bypass

The Facebook-style Statuses Microblog module enables each user to have a stream of messages "statuses" like on Facebook. Users can update their own status as well as write messages to other users by visiting the other user's profile. When a user updates his own status and then updates it again...

7.1AI score
Exploits0References5
Drupal
Drupal
added 2010/02/03 12:0 a.m.17 views

SA-CONTRIB-2010-013 - Menu Breadcrumb - Cross site scripting

The Menu Breadcrumb module allows to use the menu the current page belongs to as breadcrumb. The module does not properly sanitize parts of the provided block, leading to a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user gaining full administrative access...

6AI score
Exploits0References6
Drupal
Drupal
added 2009/06/10 12:0 a.m.17 views

SA-CONTRIB-2009-037 - Views - Multiple vulnerabilities

The Views module provides a flexible method for Drupal site designers to control how lists of content are presented. In the Views UI administrative interface when configuring exposed filters, user input presented as possible exposed filters is not correctly filtered, potentially allowing maliciou...

5.6AI score
Exploits0References10
Drupal
Drupal
added 2009/05/20 12:0 a.m.17 views

SA-CONTRIB-2009-029 - Views Bulk Operations - Access Bypass

Views Bulk operations allows registered procedures called actions to be applied on a result set of Drupal nodes, returned by the Views module. Through the Views Bulk Operations interface, it is possible to let users who are not authorized to update specific nodes or classes of nodes, to still app...

7AI score
Exploits0References6
Drupal
Drupal
added 2009/04/15 12:0 a.m.17 views

SA-CONTRIB-2009-020 - Print - Cross site scripting

The Printer, e-mail and PDF versions "Print" module provides printer-friendly versions of content. The module does not correctly escape content titles, enabling malicious users to insert arbitrary HTML and scripts into certain pages. Such a cross site scripting XSS attack against sufficiently...

6AI score
Exploits0References7
Drupal
Drupal
added 2008/09/24 12:0 a.m.17 views

SA-2008-054 - Plugin Manager - Access bypass

The Plugin Manager module provides the methods and graphical interfaces needed to automatically install new modules and themes from the Drupal.org website. An oversight in the menu permissions code allows any user to uninstall and remove modules installed with the Plugin Manager. This risk is onl...

7.1AI score
Exploits0References4
Drupal
Drupal
added 2008/09/04 12:0 a.m.17 views

SA-2008-048-b - CCK - Cross site scripting

Update This security announcement is an update of the SA-2008-048 announcement which advised to upgrade CCK for Drupal 5.x to 5.x-1.8. You should now upgrade CCK for Drupal 5.x to 5.x-1.9. The Content Construction Kit CCK allows certain privileged users to add custom fields to content types using...

6.2AI score
Exploits0References7
Total number of security vulnerabilities1940