1940 matches found
Google Analytics Counter - Moderately Critical - CSRF - SA-CONTRIB-2016-011
The Google Analytics Counter module provides total pageview counts for each page on a website. In that it is similar to the core Statistics module counter, but it is much lighter and ultimately faster because it draws on data from Google Analytics. This is why it is also able to effortlessly coun...
Apache Solr Search - Moderately Critical - Access Bypass - SA-CONTRIB-2015-170
This module enables you to connect to an Apache Solr search server to provide a replacement for Drupal core content search and provide both extra features and better search performance and relevance. The module doesn't correctly check access when attempting to delete non-default search...
Encrypt - Moderately Critical - Weak Encryption - SA-CONTRIB-2015-166
This module enables you to encrypt data within Drupal using a user-configurable encryption method and key provider. The module did not sufficiently validate good configurations and api usage resulting in multiple potential weaknesses depending on module usage. The default encryption method could...
Taxonomy Find - Unsupported - SA-CONTRIB-2015-153
This module enables you to add a simple search interface to lookup taxonomy terms by name. The module doesn't sufficiently sanitize output of taxonomy vocabulary names and term names. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer...
RESTful - Moderately Critical - Access bypass - SA-CONTRIB-2015-147
This module enables you to expose your Drupal backend by generating a RESTful API. The module doesn't sufficiently account for core's page cache generation for anonymous users, when using non-cookie authentication providers. Authenticated users, via one of the authentication providers, can have...
Fieldable Panels Panes - Less Critical - Access bypass - SA-CONTRIB-2015-145
Fieldable Panels Panes enables you to create custom panes for embedding in Panels-based displays Page Manager, Panelizer, Panels Everywhere via a fieldable custom entity type. The module doesn't sufficiently check for permission to edit existing Fieldable Panels Panes entities, thus allowing...
Compass Rose - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-138
Compass Rose module provides a type of CCK field that allows to represent the most common orientations North, North-East, East, South-East, South, South-West, West and North-West. The module was embedding a JavaScript library from an external source that was not reliable, thereby exposing the sit...
Video Consultation - Moderately Critical - Cross Site Scripting (XSS) - Unsupported - SA-CONTRIB-2015-105
Video Consultation module integrates VideoWhisper Video Consultation software with Drupal. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. CVE identifiers issued CVE-2015-5492 Versions affected All versions of Video Consultation...
SA-CONTRIB-2015-072 - Commerce Ogone - Access bypass
This module enables you to use Ogone Ingenico as a payment method for Drupal Commerce. Malicious users can trick Commerce Ogone into proceeding with the checkout process without actually going through the Ogone payment process, causing the order status to be set to checkout complete, even though ...
SA-CONTRIB-2015-056 - inLinks Integration - Cross Site Scripting (XSS) - Unsupported
inLinks Integration module enables you to use inLinks product from Text Link Ads third-party service. The module doesn't sufficiently sanitize user input in some path arguments, thereby exposing a Cross Site Scripting vulnerability. CVE identifiers issued CVE-2015-4347 Versions affected All...
SA-CONTRIB-2015-049 - Navigate - Cross Site Scripting (XSS)
Navigate is a customizable navigation bar for Drupal. The module doesn't sufficiently sanitize user input when displaying the Navigate bar. Because the vulnerability is a Reflected Cross Site Scripting, the only mitigating factor is that the victim must be tricked into visiting a specially crafte...
SA-CONTRIB-2015-046 - Taxonomy Tools - Cross Site Scripting (XSS)
Taxonomy Tools module provides alternative ways of managing taxonomy terms. The module doesn't sufficiently escape node and taxonomy term titles when displaying them, allowing a malicious user to inject code. This vulnerability is mitigated by the fact that an attacker must have a role with...
SA-CONTRIB-2014-117 - Hierarchical Select - Cross Site Scripting (XSS)
The Hierarchical Select module provides a "hierarchicalselect" form element, which is a greatly enhanced way for letting the user select items in a taxonomy. The module does not sanitize some of the user-supplied data before displaying it, leading to two Cross Site Scripting XSS vulnerabilities...
SA-CONTRIB-2014-084 - Avatar Uploader - Information Disclosure
The Avatar Uploader enables you to upload user pictures in a user-friendly way, like Quora and Facebook. The module doesn't sufficiently check the picture path when a user crops the picture in the uploader panel allowing a malicious user to make specially crafted requests to obtain sensitive serv...
SA-CONTRIB-2014-052 - AddressField Tokens - Cross Site Scripting (XSS)
The AddressField Tokens module extends the addressfield module by adding token support. It also adds some convenient addressfield formatters and provides Webform addressfield integration. The module does not properly filter address field values, resulting in a Cross Site Scripting XSS vulnerabili...
SA-CONTRIB-2014-050 - Commerce Postfinance ePayment - Access Bypass
The Commerce Postfinance ePayment module provides commerce payment methods for the Postfinance e-Payment service provider. The module doesn't sufficiently validate incoming payment notification IPN messages. Sending a specifically crafted IPN message to an affected site allows an attacker to crea...
SA-CONTRIB-2014-042 - Internationalization - Access Bypass
This module enables you to build multilingual Drupal sites providing missing translation features for Drupal core. The module doesn't sufficiently check content access permissions and under certain circumstances allows users with the "access content" permission to see path aliases from unpublishe...
SA-CONTRIB-2014-025 - Open Omega - Access Bypass
This theme is a sub theme of omega used as as a sample theme for the open Public Distribution. The theme doesn't sufficiently check the users menu access when building the header and footer menus, so that it can expose the title and path of restricted items in the menu. This vulnerability is...
SA-CONTRIB-2014-013- Chaos tool suite (ctools) - Access Bypass
This module provides content editors with an autocomplete callback for entity titles, as well as an ability to embed content within the Chaos tool suite ctools framework. Prior to this version, ctools did not sufficiently check access grants for various types of content other than nodes. It also...
SA-CONTRIB-2013-082 - Bean - Cross Site Scripting (XSS)
This module enables you to create block entities a.k.a. beans. The module did not sufficiently filter bean titles for dangerous html. This vulnerability is mitigated by the fact that an attacker must have permission to create or edit beans. CVE identifiers issued CVE-2013-4499 Versions affected...
SA-CONTRIB-2013-054 - Fast Permissions Administration - Access Bypass
The Fast Permissions Administration module enables you to use inline filters on the permissions page, as well as loading the permissions form through a modal dialog. The module doesn't sufficiently check user access for the modal content callback, allowing unauthorized access to the permissions...
SA-CONTRIB-2013-036 - Zero Point - Cross Site Scripting (XSS)
Zero Point is a theme which includes many options, ideal for a wide range of sites. The theme does not escape user supplied text which creates a reflected Cross site scripting XSS vulnerability in URLs. There are no mitigating factors. CVE identifiers issued CVE-2013-1905 Versions affected...
SA-CONTRIB-2012-165 - Chaos tool suite (ctools) - Cross Site Scripting (XSS)
The Chaos tool suite is primarily a set of APIs and tools to improve the developer experience. The page manager node view task does not sufficiently escape node titles when setting the page title, allowing XSS. This vulnerability is partially mitigate by the node task being disabled by default an...
SA-CONTRIB-2012-150 - Twitter Pull - Cross Site Scripting (XSS)
Twitter Pull allows you to retrieve tweets from Twitter based on a user or search and display them on your site. It also includes integration with the boxes module to allow for simple placement of twitter feeds on various pages. The module doesn't sufficiently filter the data coming from Twitter...
SA-CONTRIB-2012-118 - Secure Login - Open Redirect
Secure Login module enables the user login and other forms to be submitted securely via HTTPS, thus preventing passwords and other private user data from being transmitted in clear text. In addition, Secure Login module by default redirects non-HTTPS GET requests for pages containing forms that i...
SA-CONTRIB-2012-085 - BrowserID - Multiple Vulnerabilities
CSRF Issue: CVE: CVE-2012-2713 BrowserID login theft: CVE: CVE-2012-2714 The BrowserID module provides integration with BrowserID also known as Mozilla Persona -- a Mozilla project that lets users of your site quickly and easily log in without needing to remember a password specific to your site...
SA-CONTRIB-2012-039 - Language Icons - Cross Site Scripting (XSS)
CVE: CVE-2012-2065 The Language icons module adds icons to language links generated by the Locale and Content Translation modules in core. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is...
SA-CONTRIB-2012-037 - Slidebox - access bypass
CVE: CVE-2012-2063 The Slidebox module allows webmasters do display a link to the next node in a jQuery box that slides in from the right side of the page after a user scrolls past a certain point. While the module checks for "published" status, the module does not contain sufficient usage of...
SA-CONTRIB-2012-041 - Fancy Slide - Cross Site Scripting (XSS)
CVE: CVE-2012-2068 This module enables you to create slideshow blocks to embed into templates. The module doesn't sufficiently filter user supplied text. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer fancyslide". Versions affected...
SA-CONTRIB-2012-035 - Webform Cross Site Scripting (XSS)
CVE: CVE-2012-1660 The Webform module allows content creators to assemble a survey for end-users. The module doesn't sufficiently filter user supplied text when displaying radio buttons or checkboxes when used in combination with the Select or Other... module. This vulnerability is mitigated by t...
SA-CONTRIB-2012-018 - Revisioning - Cross Site Scripting
CVE: CVE-2012-1060 The Drupal Revisioning module https://drupal.org/project/revisioning "is a module for the configuration of workflows to create, moderate and publish content revisions." The Revisioning module contains a persistent cross site scripting XSS vulnerability due to the fact that it...
SA-CONTRIB-2012-017 - Finder - Multiple vulnerabilities
CVE: CVE-2012-1641 Finder is a Drupal module that allows users to create faceted search forms. The module's autocomplete, checkbox, and radio button functionalities previously did not sanitize the output of fields and raw database values. In addition, users with the "administer finder" permission...
SA-CONTRIB-2012-013 - Search Autocomplete - SQL Injection
CVE: CVE-2012-1638 The Search Autocomplete module allows you to add autocomplete functionality to the search fields of a Drupal site. Search Autocomplete does not properly use Drupal's database API, making it possible for a malicious user to carryout SQL injection on the site. This vulnerability ...
SA-CONTRIB-2012-008 - Video Filter - Cross Site Scripting
CVE: CVE-2012-1634 The Video Filter module lets you display videos from various third party sources. When videos from Blip.tv are shown, the module fails to sanitize source data before display. This vulnerability is mitigated by the fact that the attacker has to be able to either control the sour...
SA-CONTRIB-2012-007 - Password Policy - Multiple vulnerabilities
This module enables you to specify a certain level of password complexity aka. "password hardening" for user passwords on a system by defining a policy. Cross Site Request Forgery CSRF CVE: CVE-2012-1633 Unblocking a user does not require sufficient confirmation by administrative users and can be...
SA-CONTRIB-2012-002 - Lingotek - Cross Site Scripting
CVE: CVE-2012-1624 This module enables you to translate a website's content using tools provided by the Lingotek Collaborative Translation Network. The module doesn't sufficiently sanitize user input when creating or editing page content. This allows a malicious content editor to potentially inpu...
SA-CONTRIB-2010-110 - Drupal For Firebug - Cross-site Request Forgery
The Drupal For Firebug module allows developers to use Firebug to get debugging information about their Drupal installation. The module does not properly protect the form used to submit PHP code against Cross-site Request Forgeries CSRF, allowing a malicious user to trick an authorized user into...
SA-CONTRIB-2010-101 - Watcher - Multiple Vulnerabilities
The Watcher module lets users subscribe to nodes so they receive email notifications when comments are posted or nodes are changed. The Watcher module did not sanitize some of the user supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability which can be used by a...
SA-CONTRIB-2010-085 - Pathauto - Cross Site Scripting
The Pathauto module automatically generates path aliases for various kinds of content nodes, categories, users without requiring the user to manually specify the path alias. It also provides additional tokens that can be used in URL alias patterns and anywhere else that the Token API is used. The...
SA-CONTRIB-2010-049 - Wordpress Import - Access bypass
The Wordpress Import module provides the ability to import nodes from a Wordpress WXR export file. The form to import a WXR file does not use the correct access permission and allows any user to upload arbitrary files and import data from a remote WRX file. Versions affected Wordpress Import for...
SA-CONTRIB-2010-042: LoginToboggan - Session fixation
The LoginToboggan module provides a customized log in workflow. Attackers may be able to exploit the workflow to initiate a session fixation attack. Versions affected LoginToboggan versions for the 5.x and 6.x versions of Drupal Drupal core is not affected. If you do not use the contributed...
SA-CONTRIB-2010-031 - Menu Block - Cross Site Scripting (XSS)
The Menu Block module generates full or partial menu trees that are presented in configurable blocks. When partial menu trees are displayed, the block title uses the text from the partial menu tree's parent menu item. However, that text is not properly sanitized, leading to a Cross Site Scripting...
SA-CONTRIB-2010-024 - eTracker - Cross Site Scripting
The eTracker module provides integration of a Drupal site with the eTracker web traffic analysis service and takes the current URL as a parameter to track what pages have been visited. The URL from the browser is forwarded to JavaScript in the current page, and because the URL wasn't sanitised, i...
SA-CONTRIB-2010-020 - Facebook-style Statuses (Microblog) - Access bypass
The Facebook-style Statuses Microblog module enables each user to have a stream of messages "statuses" like on Facebook. Users can update their own status as well as write messages to other users by visiting the other user's profile. When a user updates his own status and then updates it again...
SA-CONTRIB-2010-013 - Menu Breadcrumb - Cross site scripting
The Menu Breadcrumb module allows to use the menu the current page belongs to as breadcrumb. The module does not properly sanitize parts of the provided block, leading to a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user gaining full administrative access...
SA-CONTRIB-2009-037 - Views - Multiple vulnerabilities
The Views module provides a flexible method for Drupal site designers to control how lists of content are presented. In the Views UI administrative interface when configuring exposed filters, user input presented as possible exposed filters is not correctly filtered, potentially allowing maliciou...
SA-CONTRIB-2009-029 - Views Bulk Operations - Access Bypass
Views Bulk operations allows registered procedures called actions to be applied on a result set of Drupal nodes, returned by the Views module. Through the Views Bulk Operations interface, it is possible to let users who are not authorized to update specific nodes or classes of nodes, to still app...
SA-CONTRIB-2009-020 - Print - Cross site scripting
The Printer, e-mail and PDF versions "Print" module provides printer-friendly versions of content. The module does not correctly escape content titles, enabling malicious users to insert arbitrary HTML and scripts into certain pages. Such a cross site scripting XSS attack against sufficiently...
SA-2008-054 - Plugin Manager - Access bypass
The Plugin Manager module provides the methods and graphical interfaces needed to automatically install new modules and themes from the Drupal.org website. An oversight in the menu permissions code allows any user to uninstall and remove modules installed with the Plugin Manager. This risk is onl...
SA-2008-048-b - CCK - Cross site scripting
Update This security announcement is an update of the SA-2008-048 announcement which advised to upgrade CCK for Drupal 5.x to 5.x-1.8. You should now upgrade CCK for Drupal 5.x to 5.x-1.9. The Content Construction Kit CCK allows certain privileged users to add custom fields to content types using...