Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
•added 2008/09/04 12:0 a.m.•17 views

SA-2008-048-b - CCK - Cross site scripting

Update This security announcement is an update of the SA-2008-048 announcement which advised to upgrade CCK for Drupal 5.x to 5.x-1.8. You should now upgrade CCK for Drupal 5.x to 5.x-1.9. The Content Construction Kit CCK allows certain privileged users to add custom fields to content types using...

6.2AI score
Exploits0References7
Drupal
Drupal
•added 2008/02/13 12:0 a.m.•17 views

SA-2008-017 - Header image - Access bypass

The Header image module allows sites to display an image on selected pages based on the node id, path, taxonomy, node type, containing book or the result of PHP code. The module contains a vulnerability where access to the module's administration pages is granted to any user, including the...

7.1AI score
Exploits0References4
Drupal
Drupal
•added 2007/10/17 12:0 a.m.•17 views

SA-2007-026 - Drupal Core - Cross site scripting via uploads

The allowed extension list of the core Upload module contains the extension HTML by default. Such files can be used to execute arbitrary script code in the context of the affected site when a user views the file. Revoking upload permissions or removing the .html extension from the allowed extensi...

6.8AI score
Exploits0References6
Drupal
Drupal
•added 2007/10/17 12:0 a.m.•17 views

SA-2007-027 - Token - Cross site scripting

Several server variables are not escaped consistently. When a malicious user is able to enter comments and then entice a victim to visit a webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website. For example, a malicious...

6.6AI score
Exploits0References15
Drupal
Drupal
•added 2007/01/29 12:0 a.m.•17 views

DRUPAL-SA-2007-005 - Drupal core - Arbitrary code execution

Previews on comments were not passed through normal form validation routines, enabling users with the 'post comments' permission and access to more than one input filter to execute arbitrary code. By default, anonymous and authenticated users have access to only one input format. Immediate...

7.9AI score
Exploits0References5
Drupal
Drupal
•added 2007/01/23 12:0 a.m.•17 views

Acidfree - SQL injection

Under certain circumstances, node titles are not escaped before being used in an SQL query, allowing a malicious user with the 'create acidfree albums' privilege and the ability to create acidfree content, to execute an SQL injection attack. These attacks may lead to administrator access. Version...

8.3AI score
Exploits0References4
Drupal
Drupal
•added 2006/03/13 12:0 a.m.•17 views

DRUPAL-SA-2006-002 XSS vulnerabilities

Some user input sanity checking was missing. This could lead to possible cross-site scripting XSS attacks. XSS can lead to user tracking and theft of accounts and services. Versions affected All Drupal versions before 4.6.6. Solution If you are running Drupal 4.5.x then upgrade to Drupal 4.5.8. I...

6AI score
Exploits0References3
Drupal
Drupal
•added 2026/03/11 12:0 a.m.•16 views

AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028

The module and certain submodules AI Automators, AI Translate, AI API Explorer, AI Content Suggestions provide the ability to use an LLM to generate HTML or Markdown and preview it in a browser. Under certain circumstances, rendering of this HTML can lead to exposing secret communications in the...

7.5CVSS5.8AI score0.00232EPSS
Exploits0References1
Drupal
Drupal
•added 2026/03/04 12:0 a.m.•16 views

OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027

This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created. The module doesn't sufficiently validate the uniqueness of certain...

4.2CVSS5.8AI score0.00133EPSS
Exploits0References3
Drupal
Drupal
•added 2026/03/04 12:0 a.m.•16 views

File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021

This module moves files to and from private storage depending on the access of its owning entities. The module does not always validate the access logic correctly, resulting in files attached to an entity not being protected in certain circumstances. This vulnerability is mitigated by the fact th...

5.3CVSS5.8AI score0.00256EPSS
Exploits0References2
Drupal
Drupal
•added 2026/02/25 12:0 a.m.•16 views

Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013

This module integrates the Tagify JavaScript library to enhance taxonomy entity reference widgets. The module does not sufficiently sanitise user-supplied input before rendering it inside JavaScript template strings within the Tagify widget. This allows arbitrary JavaScript execution in the brows...

5.4CVSS5.8AI score0.00136EPSS
Exploits0References1
Drupal
Drupal
•added 2026/02/25 12:0 a.m.•16 views

CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015

This module enables you to protect web forms from automated spam by requiring users to pass a challenge. The module doesn't sufficiently invalidate used security tokens under certain scenarios, which can lead to the CAPTCHA being bypassed on subsequent submissions. This vulnerability is mitigated...

6.5CVSS5.5AI score0.00268EPSS
Exploits0References3
Drupal
Drupal
•added 2026/02/11 12:0 a.m.•16 views

UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010

This module enables you to integrate and manage icons with Drupal. The module doesn't sufficiently sanitize user input leading to a reflected Cross-site Scripting XSS vulnerability. The vulnerability is mitigated by the fact that in order to be vulnerable, the "UI Icons for CKEditor 5" submodule...

6.1CVSS5.4AI score0.00149EPSS
Exploits0References1
Drupal
Drupal
•added 2025/12/03 12:0 a.m.•16 views

Disable Login Page - Critical - Access bypass - SA-CONTRIB-2025-124

This module enables you to disable the standard Drupal login form /user/login so site owners can prevent interactive logins via the UI. The module does not sufficiently block authentication when the REST/HTTP login route is used. An attacker or legitimate user with valid credentials can...

4.2CVSS5.3AI score0.0022EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/21 12:0 a.m.•16 views

Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-065

This module provides a block to easily display a rendered node. Access to the rendered node isn't validated before rendering the block. Allowing access to node content for users that would normally not be allowed to access the node...

5.3CVSS6.6AI score0.00229EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/14 12:0 a.m.•16 views

Events Log Track - Moderately critical - Denial of Service - SA-CONTRIB-2025-059

The Events Log Track module enables you to log specific events on a Drupal site. The module doesn't sufficiently mitigate resource consumption for certain requests which allows a Denial of Service attack...

7.5CVSS6.7AI score0.0034EPSS
Exploits0References3
Drupal
Drupal
•added 2025/05/07 12:0 a.m.•16 views

IFrame Remove Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-051

This module enables you to add a filter to text formats Full HTML, Filtered HTML, which will remove every iframe where the "src" is not on the allowlist. The module doesn't sufficiently filter these iframes in certain situations. This vulnerability is mitigated by the fact that an attacker must b...

6.1CVSS6.8AI score0.00238EPSS
Exploits0References2
Drupal
Drupal
•added 2025/04/09 12:0 a.m.•16 views

Gif Player Field - Moderately critical - Cross site scripting - SA-CONTRIB-2025-032

Gif Player Field creates a simple file field types that allows you to upload the GIF files and configure the output for this using the Field Formatters. The module uses GifPlayer jQuery library to render the GIF according to configured setups for the Field Formatter. The external Gif Player Libra...

6.9CVSS5.8AI score0.00449EPSS
Exploits0References4
Drupal
Drupal
•added 2025/01/29 12:0 a.m.•16 views

Drupal Admin LTE theme - Critical - Unsupported - SA-CONTRIB-2025-010

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

6.6CVSS7.1AI score0.00456EPSS
Exploits0References2
Drupal
Drupal
•added 2024/12/04 12:0 a.m.•16 views

Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2024-068

Module to restrict access from anonymous and regular users to configured pre-defined pages. The module does not adequately handle protecting certain types of URLs...

5.3CVSS7AI score0.00297EPSS
Exploits0References9
Drupal
Drupal
•added 2024/05/22 12:0 a.m.•16 views

Commerce View Receipt - Moderately critical - Access bypass - SA-CONTRIB-2024-021

The Commerce View Receipts module enables you to view commerce order receipts in the browser. The module doesn't sufficiently check access permissions, allowing an unauthorised user to view the private information of other customers...

5.3CVSS6.7AI score0.00279EPSS
Exploits0References8
Drupal
Drupal
•added 2024/02/07 12:0 a.m.•16 views

Migrate Tools - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-008

The Migrate Tools module provides tools for running and managing Drupal migrations. The module doesn't sufficiently protect against Cross Site Request Forgery under specific scenarios allowing an attacker to trick an authenticated administrator into initiating a migration. This vulnerability is...

8.8CVSS6.9AI score0.00193EPSS
Exploits0References5
Drupal
Drupal
•added 2023/11/01 12:0 a.m.•16 views

Paragraphs admin - Moderately critical - - SA-CONTRIB-2023-049

This module enables you to view all paragraph entities in an admin view. The module contains an access bypass that allows non admin users to access the view. The vulnerability can be mitigated by editing the view to change the permission required to access the page...

7AI score
Exploits0References7
Drupal
Drupal
•added 2023/03/15 12:0 a.m.•16 views

Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010

The Media Responsive Thumbnail module allows media reference fields to be rendered as a responsive image. This module does not properly check entity access prior to rendering media. This may result in users seeing thumbnails of media items they do not have access to. This release was coordinated...

6.6AI score
Exploits0References10
Drupal
Drupal
•added 2023/03/01 12:0 a.m.•16 views

Group control for forums - Critical - Access bypass - SA-CONTRIB-2023-008

This module enables you to associate Forums as Group 1.x content and use Group access permissions. Previous versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics...

6.7AI score
Exploits0References5
Drupal
Drupal
•added 2022/05/25 12:0 a.m.•16 views

Entity Browser Block - Moderately critical - Access bypass - SA-CONTRIB-2022-044

Entity Browser Block provides a Block Plugin for every Entity Browser on your site. The module didn't sufficiently check entity view access in the block form. This vulnerability is mitigated by the fact that an attacker must be able to place a block - either through the core "Block Layout" page o...

6.3AI score
Exploits0References5
Drupal
Drupal
•added 2022/05/04 12:0 a.m.•16 views

Doubleclick for Publishers (DFP) - Moderately critical - Cross site scripting - SA-CONTRIB-2022-035

Doubleclick for Publishers DFP module enables a site to place ads from Doubleclick For Publishers. The module doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting XSS vulnerabilities. An attacker that can create or edit certain entities may be able to exploit a...

6AI score
Exploits0References6
Drupal
Drupal
•added 2022/02/23 12:0 a.m.•16 views

Entity Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-026

This module provides an entity relationship hierarchy tree widget for an entity reference field. The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to...

6.3AI score
Exploits0References6
Drupal
Drupal
•added 2022/01/25 12:0 a.m.•16 views

Vendor Stream Wrapper - Moderately critical - Unsupported - SA-CONTRIB-2022-019

This module provides a stream wrapper for files located in the vendor directory. Even when the vendor directory is moved outside the webroot, it allows providing publically accessible URLs to these files. The module exposes all files that are in the vendor directory, without a site owner's...

6.6AI score
Exploits0References6
Drupal
Drupal
•added 2022/01/25 12:0 a.m.•16 views

Vocabulary Permissions Per Role - Critical - Access bypass - SA-CONTRIB-2022-016

Update Maintainers stepped forward, fixed the security issue, and Vocabulary Permissions Per Role is supported again. The module allows adding to/editing terms of/removing terms from vocabularies per role. The module did not properly check access for certain operations allowing an unauthorized...

6.7AI score
Exploits0References6
Drupal
Drupal
•added 2022/01/25 12:0 a.m.•16 views

Rate - Critical - Unsupported - SA-CONTRIB-2022-010

2022-01-31 - a new maintainer has step forward and this module has been updated. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read:...

6.8AI score
Exploits0References3
Drupal
Drupal
•added 2021/09/22 12:0 a.m.•16 views

The Better Mega Menu - Moderately critical - Cross Site Scripting, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2021-038

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. The module does not sanitize values for CSS properties that are added by admins and rendered on the front-end, allowing attackers to inject malicious code into the front-en...

6.8AI score
Exploits0References6
Drupal
Drupal
•added 2021/09/22 12:0 a.m.•16 views

Commerce Core - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2021-032

This module provides a system for building an ecommerce solution in their Drupal site. The module doesn't sufficiently verify access to profile data in certain circumstances. This vulnerability is mitigated by the fact that an attacker must have permission to perform the checkout operation...

6.4AI score
Exploits0References6
Drupal
Drupal
•added 2021/06/02 12:0 a.m.•16 views

OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2021-014

This module allows users to authenticate against an Oauth 2.0 / OpenID Connect identity provider to login to your Drupal site. The module doesn't sufficiently protect against unauthorized local access, by way of using the 'password reset' facility, for users who are supposed to only be able to lo...

6.2AI score
Exploits0References6
Drupal
Drupal
•added 2021/06/02 12:0 a.m.•16 views

Open Social - Moderately critical - SQL Injection - SA-CONTRIB-2021-010

This Open Social distribution provides a turn-key system for building customized social networks. The module doesn't sufficiently process data in certain circumstances. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access mentions"...

6.4AI score
Exploits0References10
Drupal
Drupal
•added 2020/11/18 12:0 a.m.•16 views

SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-038

This module enables your users residing at a SAML 2.0 compliant Identity Provider to login to your Drupal website. The module has two Authentication Bypass vulnerabilities...

6.6AI score
Exploits0References7
Drupal
Drupal
•added 2020/10/14 12:0 a.m.•16 views

Drupal OAuth Server ( OAuth / OIDC Provider) - Single Sign On ( SSO ) - Moderately critical - SQL Injection - SA-CONTRIB-2020-034

This module enables you login into any OAuth 2.0 compliant application using Drupal credentials. The 8.x branch of the module is vulnerable to SQL injection...

7.4AI score
Exploits0References7Affected Software1
Drupal
Drupal
•added 2020/06/10 12:0 a.m.•16 views

YubiKey - Less critical - Access bypass - SA-CONTRIB-2020-023

This module enables you to use a Yubikey device to protect your Drupal user account. YubiKey is a secure method for logging into many websites using a cryptographically secure USB token. The module doesn't sufficiently implement login flood control when the module is configured for YubiKey OTP...

6.6AI score
Exploits0References7
Drupal
Drupal
•added 2020/05/27 12:0 a.m.•16 views

Password Reset Landing Page (PRLP) - Highly critical - Access bypass - SA-CONTRIB-2020-021

This module enables you to force a password update when using password reset link. The module doesn't sufficiently validate the login URL allowing a malicious user to use a specially crafted URL to log in as another user...

6.7AI score
Exploits0References8
Drupal
Drupal
•added 2020/05/06 12:0 a.m.•16 views

Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-017

This module enables you to build forms and surveys in Drupal. The Webform Node sub-module allows these forms to be associated with a Drupal node. The Webform Node module does not implement access checking in the same manner as other nodes and entities. As such, writers of custom modules which...

6.7AI score
Exploits0References7
Drupal
Drupal
•added 2019/11/13 12:0 a.m.•16 views

Frequently Asked Questions - Critical - Unsupported - SA-CONTRIB-2019-077

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
•added 2019/11/13 12:0 a.m.•16 views

Commerce Ingenico - Critical - Unsupported - SA-CONTRIB-2019-089

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
•added 2019/11/06 12:0 a.m.•16 views

Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075

Open Social is a Drupal distribution for online communities. The included socialmagiclogin module doesn't sufficiently validate magic login URLs for user accounts that do not have a local password, but login via external systems. The lack of validation makes it possible for an adversary to forge...

6.4AI score
Exploits0References8
Drupal
Drupal
•added 2019/08/14 12:0 a.m.•16 views

Super Login - Moderately critical - Cross site scripting - SA-CONTRIB-2019-062

This module improves the Drupal login page with the new features and layout. The module doesn't sufficiently filter input text in the administration pages text configuration inputs. For example, the login text field. The vulnerability is mitigated by the fact it can only be exploited by a user wi...

6.6AI score
Exploits0References7
Drupal
Drupal
•added 2019/05/15 12:0 a.m.•16 views

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2019-047

In certain configuration cases, when a learning path is configured as semi-private, anonymous users are allowed to join a learning path when they should not...

6.6AI score
Exploits0References6
Drupal
Drupal
•added 2019/03/27 12:0 a.m.•16 views

Module Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2019-042

This module enables you to filter the list of modules on the admin modules page, and organizes packages into vertical tabs. The module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that the...

5.8AI score
Exploits0References5
Drupal
Drupal
•added 2019/03/13 12:0 a.m.•16 views

Views (for Drupal 7) - Moderately critical - Information Disclosure - SA-CONTRIB-2019-034

This module enables you to create customized lists of data. The module doesn't sufficiently protect against argument definitions failing. This vulnerability is mitigated by the fact that a view must have custom PHP code used as a field validator...

7AI score
Exploits0References11
Drupal
Drupal
•added 2019/03/06 12:0 a.m.•16 views

Drupal voor Gemeenten - Moderately critical - Access Bypass - SA-CONTRIB-2019-031

The DvG distrubition contains the feature module dvgdomains to support multiple domains. When the dvgdomains feature module is enabled, anonymous users are able to access some administration pages and change the settings exposed on those pages. This issue can be mitigated by disabling the...

6.8AI score
Exploits0References4
Drupal
Drupal
•added 2019/02/27 12:0 a.m.•16 views

Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2019-030

This module enables you to create facet-filters for results of a search query and exposes them as blocks The module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by two factors. First, an attacker must have...

5.8AI score
Exploits0References6
Drupal
Drupal
•added 2019/01/09 12:0 a.m.•16 views

Phone Field - Critical - SQL Injection - SA-CONTRIB-2019-001

This module provides a phone field for Drupal 7 that supports the HTML5 tel:-schema. In an API function that is not used by the module, the name for the phone field is not sufficiently sanitised when using it in database queries. This vulnerability is mitigated by the fact that it affects an unus...

6.7AI score
Exploits0References5
Total number of security vulnerabilities1940