1940 matches found
SA-CONTRIB-2010-049 - Wordpress Import - Access bypass
The Wordpress Import module provides the ability to import nodes from a Wordpress WXR export file. The form to import a WXR file does not use the correct access permission and allows any user to upload arbitrary files and import data from a remote WRX file. Versions affected Wordpress Import for...
SA-CONTRIB-2010-042: LoginToboggan - Session fixation
The LoginToboggan module provides a customized log in workflow. Attackers may be able to exploit the workflow to initiate a session fixation attack. Versions affected LoginToboggan versions for the 5.x and 6.x versions of Drupal Drupal core is not affected. If you do not use the contributed...
SA-CONTRIB-2010-034 - Internationalization - Cross Site Scripting
The Internationalization module enables translation of user defined strings using Drupal's locale interface. Some of these user defined strings have Input formats associated with them and some of the strings used for translating blocks were not properly filtered before display. Additionally all...
SA-CONTRIB-2010-024 - eTracker - Cross Site Scripting
The eTracker module provides integration of a Drupal site with the eTracker web traffic analysis service and takes the current URL as a parameter to track what pages have been visited. The URL from the browser is forwarded to JavaScript in the current page, and because the URL wasn't sanitised, i...
SA-CONTRIB-2010-020 - Facebook-style Statuses (Microblog) - Access bypass
The Facebook-style Statuses Microblog module enables each user to have a stream of messages "statuses" like on Facebook. Users can update their own status as well as write messages to other users by visiting the other user's profile. When a user updates his own status and then updates it again...
SA-CONTRIB-2010-013 - Menu Breadcrumb - Cross site scripting
The Menu Breadcrumb module allows to use the menu the current page belongs to as breadcrumb. The module does not properly sanitize parts of the provided block, leading to a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user gaining full administrative access...
SA-CONTRIB-2009-037 - Views - Multiple vulnerabilities
The Views module provides a flexible method for Drupal site designers to control how lists of content are presented. In the Views UI administrative interface when configuring exposed filters, user input presented as possible exposed filters is not correctly filtered, potentially allowing maliciou...
SA-CONTRIB-2009-029 - Views Bulk Operations - Access Bypass
Views Bulk operations allows registered procedures called actions to be applied on a result set of Drupal nodes, returned by the Views module. Through the Views Bulk Operations interface, it is possible to let users who are not authorized to update specific nodes or classes of nodes, to still app...
SA-CONTRIB-2009-020 - Print - Cross site scripting
The Printer, e-mail and PDF versions "Print" module provides printer-friendly versions of content. The module does not correctly escape content titles, enabling malicious users to insert arbitrary HTML and scripts into certain pages. Such a cross site scripting XSS attack against sufficiently...
SA-2008-054 - Plugin Manager - Access bypass
The Plugin Manager module provides the methods and graphical interfaces needed to automatically install new modules and themes from the Drupal.org website. An oversight in the menu permissions code allows any user to uninstall and remove modules installed with the Plugin Manager. This risk is onl...
SA-2008-048-b - CCK - Cross site scripting
Update This security announcement is an update of the SA-2008-048 announcement which advised to upgrade CCK for Drupal 5.x to 5.x-1.8. You should now upgrade CCK for Drupal 5.x to 5.x-1.9. The Content Construction Kit CCK allows certain privileged users to add custom fields to content types using...
SA-2008-017 - Header image - Access bypass
The Header image module allows sites to display an image on selected pages based on the node id, path, taxonomy, node type, containing book or the result of PHP code. The module contains a vulnerability where access to the module's administration pages is granted to any user, including the...
SA-2007-026 - Drupal Core - Cross site scripting via uploads
The allowed extension list of the core Upload module contains the extension HTML by default. Such files can be used to execute arbitrary script code in the context of the affected site when a user views the file. Revoking upload permissions or removing the .html extension from the allowed extensi...
SA-2007-027 - Token - Cross site scripting
Several server variables are not escaped consistently. When a malicious user is able to enter comments and then entice a victim to visit a webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website. For example, a malicious...
DRUPAL-SA-2007-005 - Drupal core - Arbitrary code execution
Previews on comments were not passed through normal form validation routines, enabling users with the 'post comments' permission and access to more than one input filter to execute arbitrary code. By default, anonymous and authenticated users have access to only one input format. Immediate...
Acidfree - SQL injection
Under certain circumstances, node titles are not escaped before being used in an SQL query, allowing a malicious user with the 'create acidfree albums' privilege and the ability to create acidfree content, to execute an SQL injection attack. These attacks may lead to administrator access. Version...
DRUPAL-SA-2006-002 XSS vulnerabilities
Some user input sanity checking was missing. This could lead to possible cross-site scripting XSS attacks. XSS can lead to user tracking and theft of accounts and services. Versions affected All Drupal versions before 4.6.6. Solution If you are running Drupal 4.5.x then upgrade to Drupal 4.5.8. I...
Translate Drupal with GTranslate - Less critical - DOM clobbering / link manipulation - SA-CONTRIB-2026-035
The GTranslate module provides a language switcher widget for Drupal sites. The module’s widget JavaScript did not sufficiently validate that document.currentScript referred to the executing script element. A user who can add HTML to a page could cause the generated language-switcher links to poi...
AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028
The module and certain submodules AI Automators, AI Translate, AI API Explorer, AI Content Suggestions provide the ability to use an LLM to generate HTML or Markdown and preview it in a browser. Under certain circumstances, rendering of this HTML can lead to exposing secret communications in the...
OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027
This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created. The module doesn't sufficiently validate the uniqueness of certain...
File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021
This module moves files to and from private storage depending on the access of its owning entities. The module does not always validate the access logic correctly, resulting in files attached to an entity not being protected in certain circumstances. This vulnerability is mitigated by the fact th...
Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013
This module integrates the Tagify JavaScript library to enhance taxonomy entity reference widgets. The module does not sufficiently sanitise user-supplied input before rendering it inside JavaScript template strings within the Tagify widget. This allows arbitrary JavaScript execution in the brows...
CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015
This module enables you to protect web forms from automated spam by requiring users to pass a challenge. The module doesn't sufficiently invalidate used security tokens under certain scenarios, which can lead to the CAPTCHA being bypassed on subsequent submissions. This vulnerability is mitigated...
UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010
This module enables you to integrate and manage icons with Drupal. The module doesn't sufficiently sanitize user input leading to a reflected Cross-site Scripting XSS vulnerability. The vulnerability is mitigated by the fact that in order to be vulnerable, the "UI Icons for CKEditor 5" submodule...
Disable Login Page - Critical - Access bypass - SA-CONTRIB-2025-124
This module enables you to disable the standard Drupal login form /user/login so site owners can prevent interactive logins via the UI. The module does not sufficiently block authentication when the REST/HTTP login route is used. An attacker or legitimate user with valid credentials can...
Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-065
This module provides a block to easily display a rendered node. Access to the rendered node isn't validated before rendering the block. Allowing access to node content for users that would normally not be allowed to access the node...
Events Log Track - Moderately critical - Denial of Service - SA-CONTRIB-2025-059
The Events Log Track module enables you to log specific events on a Drupal site. The module doesn't sufficiently mitigate resource consumption for certain requests which allows a Denial of Service attack...
IFrame Remove Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-051
This module enables you to add a filter to text formats Full HTML, Filtered HTML, which will remove every iframe where the "src" is not on the allowlist. The module doesn't sufficiently filter these iframes in certain situations. This vulnerability is mitigated by the fact that an attacker must b...
Gif Player Field - Moderately critical - Cross site scripting - SA-CONTRIB-2025-032
Gif Player Field creates a simple file field types that allows you to upload the GIF files and configure the output for this using the Field Formatters. The module uses GifPlayer jQuery library to render the GIF according to configured setups for the Field Formatter. The external Gif Player Libra...
Drupal Admin LTE theme - Critical - Unsupported - SA-CONTRIB-2025-010
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2024-068
Module to restrict access from anonymous and regular users to configured pre-defined pages. The module does not adequately handle protecting certain types of URLs...
Commerce View Receipt - Moderately critical - Access bypass - SA-CONTRIB-2024-021
The Commerce View Receipts module enables you to view commerce order receipts in the browser. The module doesn't sufficiently check access permissions, allowing an unauthorised user to view the private information of other customers...
Migrate Tools - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-008
The Migrate Tools module provides tools for running and managing Drupal migrations. The module doesn't sufficiently protect against Cross Site Request Forgery under specific scenarios allowing an attacker to trick an authenticated administrator into initiating a migration. This vulnerability is...
Paragraphs admin - Moderately critical - - SA-CONTRIB-2023-049
This module enables you to view all paragraph entities in an admin view. The module contains an access bypass that allows non admin users to access the view. The vulnerability can be mitigated by editing the view to change the permission required to access the page...
Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010
The Media Responsive Thumbnail module allows media reference fields to be rendered as a responsive image. This module does not properly check entity access prior to rendering media. This may result in users seeing thumbnails of media items they do not have access to. This release was coordinated...
Group control for forums - Critical - Access bypass - SA-CONTRIB-2023-008
This module enables you to associate Forums as Group 1.x content and use Group access permissions. Previous versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics...
Entity Browser Block - Moderately critical - Access bypass - SA-CONTRIB-2022-044
Entity Browser Block provides a Block Plugin for every Entity Browser on your site. The module didn't sufficiently check entity view access in the block form. This vulnerability is mitigated by the fact that an attacker must be able to place a block - either through the core "Block Layout" page o...
Doubleclick for Publishers (DFP) - Moderately critical - Cross site scripting - SA-CONTRIB-2022-035
Doubleclick for Publishers DFP module enables a site to place ads from Doubleclick For Publishers. The module doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting XSS vulnerabilities. An attacker that can create or edit certain entities may be able to exploit a...
Entity Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-026
This module provides an entity relationship hierarchy tree widget for an entity reference field. The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to...
Rate - Critical - Unsupported - SA-CONTRIB-2022-010
2022-01-31 - a new maintainer has step forward and this module has been updated. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read:...
Vendor Stream Wrapper - Moderately critical - Unsupported - SA-CONTRIB-2022-019
This module provides a stream wrapper for files located in the vendor directory. Even when the vendor directory is moved outside the webroot, it allows providing publically accessible URLs to these files. The module exposes all files that are in the vendor directory, without a site owner's...
Vocabulary Permissions Per Role - Critical - Access bypass - SA-CONTRIB-2022-016
Update Maintainers stepped forward, fixed the security issue, and Vocabulary Permissions Per Role is supported again. The module allows adding to/editing terms of/removing terms from vocabularies per role. The module did not properly check access for certain operations allowing an unauthorized...
The Better Mega Menu - Moderately critical - Cross Site Scripting, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2021-038
This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. The module does not sanitize values for CSS properties that are added by admins and rendered on the front-end, allowing attackers to inject malicious code into the front-en...
Commerce Core - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2021-032
This module provides a system for building an ecommerce solution in their Drupal site. The module doesn't sufficiently verify access to profile data in certain circumstances. This vulnerability is mitigated by the fact that an attacker must have permission to perform the checkout operation...
OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2021-014
This module allows users to authenticate against an Oauth 2.0 / OpenID Connect identity provider to login to your Drupal site. The module doesn't sufficiently protect against unauthorized local access, by way of using the 'password reset' facility, for users who are supposed to only be able to lo...
Open Social - Moderately critical - SQL Injection - SA-CONTRIB-2021-010
This Open Social distribution provides a turn-key system for building customized social networks. The module doesn't sufficiently process data in certain circumstances. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access mentions"...
SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-038
This module enables your users residing at a SAML 2.0 compliant Identity Provider to login to your Drupal website. The module has two Authentication Bypass vulnerabilities...
Drupal OAuth Server ( OAuth / OIDC Provider) - Single Sign On ( SSO ) - Moderately critical - SQL Injection - SA-CONTRIB-2020-034
This module enables you login into any OAuth 2.0 compliant application using Drupal credentials. The 8.x branch of the module is vulnerable to SQL injection...
YubiKey - Less critical - Access bypass - SA-CONTRIB-2020-023
This module enables you to use a Yubikey device to protect your Drupal user account. YubiKey is a secure method for logging into many websites using a cryptographically secure USB token. The module doesn't sufficiently implement login flood control when the module is configured for YubiKey OTP...
Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-017
This module enables you to build forms and surveys in Drupal. The Webform Node sub-module allows these forms to be associated with a Drupal node. The Webform Node module does not implement access checking in the same manner as other nodes and entities. As such, writers of custom modules which...