1940 matches found
SA-2008-048-b - CCK - Cross site scripting
Update This security announcement is an update of the SA-2008-048 announcement which advised to upgrade CCK for Drupal 5.x to 5.x-1.8. You should now upgrade CCK for Drupal 5.x to 5.x-1.9. The Content Construction Kit CCK allows certain privileged users to add custom fields to content types using...
SA-2008-017 - Header image - Access bypass
The Header image module allows sites to display an image on selected pages based on the node id, path, taxonomy, node type, containing book or the result of PHP code. The module contains a vulnerability where access to the module's administration pages is granted to any user, including the...
SA-2007-026 - Drupal Core - Cross site scripting via uploads
The allowed extension list of the core Upload module contains the extension HTML by default. Such files can be used to execute arbitrary script code in the context of the affected site when a user views the file. Revoking upload permissions or removing the .html extension from the allowed extensi...
SA-2007-027 - Token - Cross site scripting
Several server variables are not escaped consistently. When a malicious user is able to enter comments and then entice a victim to visit a webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website. For example, a malicious...
DRUPAL-SA-2007-005 - Drupal core - Arbitrary code execution
Previews on comments were not passed through normal form validation routines, enabling users with the 'post comments' permission and access to more than one input filter to execute arbitrary code. By default, anonymous and authenticated users have access to only one input format. Immediate...
Acidfree - SQL injection
Under certain circumstances, node titles are not escaped before being used in an SQL query, allowing a malicious user with the 'create acidfree albums' privilege and the ability to create acidfree content, to execute an SQL injection attack. These attacks may lead to administrator access. Version...
DRUPAL-SA-2006-002 XSS vulnerabilities
Some user input sanity checking was missing. This could lead to possible cross-site scripting XSS attacks. XSS can lead to user tracking and theft of accounts and services. Versions affected All Drupal versions before 4.6.6. Solution If you are running Drupal 4.5.x then upgrade to Drupal 4.5.8. I...
AI (Artificial Intelligence) - Moderately critical - Information Disclosure - SA-CONTRIB-2026-028
The module and certain submodules AI Automators, AI Translate, AI API Explorer, AI Content Suggestions provide the ability to use an LLM to generate HTML or Markdown and preview it in a browser. Under certain circumstances, rendering of this HTML can lead to exposing secret communications in the...
OpenID Connect / OAuth client - Less critical - Access bypass - SA-CONTRIB-2026-027
This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created. The module doesn't sufficiently validate the uniqueness of certain...
File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-021
This module moves files to and from private storage depending on the access of its owning entities. The module does not always validate the access logic correctly, resulting in files attached to an entity not being protected in certain circumstances. This vulnerability is mitigated by the fact th...
Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013
This module integrates the Tagify JavaScript library to enhance taxonomy entity reference widgets. The module does not sufficiently sanitise user-supplied input before rendering it inside JavaScript template strings within the Tagify widget. This allows arbitrary JavaScript execution in the brows...
CAPTCHA - Moderately critical - Access bypass - SA-CONTRIB-2026-015
This module enables you to protect web forms from automated spam by requiring users to pass a challenge. The module doesn't sufficiently invalidate used security tokens under certain scenarios, which can lead to the CAPTCHA being bypassed on subsequent submissions. This vulnerability is mitigated...
UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010
This module enables you to integrate and manage icons with Drupal. The module doesn't sufficiently sanitize user input leading to a reflected Cross-site Scripting XSS vulnerability. The vulnerability is mitigated by the fact that in order to be vulnerable, the "UI Icons for CKEditor 5" submodule...
Disable Login Page - Critical - Access bypass - SA-CONTRIB-2025-124
This module enables you to disable the standard Drupal login form /user/login so site owners can prevent interactive logins via the UI. The module does not sufficiently block authentication when the REST/HTTP login route is used. An attacker or legitimate user with valid credentials can...
Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-065
This module provides a block to easily display a rendered node. Access to the rendered node isn't validated before rendering the block. Allowing access to node content for users that would normally not be allowed to access the node...
Events Log Track - Moderately critical - Denial of Service - SA-CONTRIB-2025-059
The Events Log Track module enables you to log specific events on a Drupal site. The module doesn't sufficiently mitigate resource consumption for certain requests which allows a Denial of Service attack...
IFrame Remove Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-051
This module enables you to add a filter to text formats Full HTML, Filtered HTML, which will remove every iframe where the "src" is not on the allowlist. The module doesn't sufficiently filter these iframes in certain situations. This vulnerability is mitigated by the fact that an attacker must b...
Gif Player Field - Moderately critical - Cross site scripting - SA-CONTRIB-2025-032
Gif Player Field creates a simple file field types that allows you to upload the GIF files and configure the output for this using the Field Formatters. The module uses GifPlayer jQuery library to render the GIF according to configured setups for the Field Formatter. The external Gif Player Libra...
Drupal Admin LTE theme - Critical - Unsupported - SA-CONTRIB-2025-010
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2024-068
Module to restrict access from anonymous and regular users to configured pre-defined pages. The module does not adequately handle protecting certain types of URLs...
Commerce View Receipt - Moderately critical - Access bypass - SA-CONTRIB-2024-021
The Commerce View Receipts module enables you to view commerce order receipts in the browser. The module doesn't sufficiently check access permissions, allowing an unauthorised user to view the private information of other customers...
Migrate Tools - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-008
The Migrate Tools module provides tools for running and managing Drupal migrations. The module doesn't sufficiently protect against Cross Site Request Forgery under specific scenarios allowing an attacker to trick an authenticated administrator into initiating a migration. This vulnerability is...
Paragraphs admin - Moderately critical - - SA-CONTRIB-2023-049
This module enables you to view all paragraph entities in an admin view. The module contains an access bypass that allows non admin users to access the view. The vulnerability can be mitigated by editing the view to change the permission required to access the page...
Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010
The Media Responsive Thumbnail module allows media reference fields to be rendered as a responsive image. This module does not properly check entity access prior to rendering media. This may result in users seeing thumbnails of media items they do not have access to. This release was coordinated...
Group control for forums - Critical - Access bypass - SA-CONTRIB-2023-008
This module enables you to associate Forums as Group 1.x content and use Group access permissions. Previous versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics...
Entity Browser Block - Moderately critical - Access bypass - SA-CONTRIB-2022-044
Entity Browser Block provides a Block Plugin for every Entity Browser on your site. The module didn't sufficiently check entity view access in the block form. This vulnerability is mitigated by the fact that an attacker must be able to place a block - either through the core "Block Layout" page o...
Doubleclick for Publishers (DFP) - Moderately critical - Cross site scripting - SA-CONTRIB-2022-035
Doubleclick for Publishers DFP module enables a site to place ads from Doubleclick For Publishers. The module doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting XSS vulnerabilities. An attacker that can create or edit certain entities may be able to exploit a...
Entity Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-026
This module provides an entity relationship hierarchy tree widget for an entity reference field. The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to...
Vendor Stream Wrapper - Moderately critical - Unsupported - SA-CONTRIB-2022-019
This module provides a stream wrapper for files located in the vendor directory. Even when the vendor directory is moved outside the webroot, it allows providing publically accessible URLs to these files. The module exposes all files that are in the vendor directory, without a site owner's...
Vocabulary Permissions Per Role - Critical - Access bypass - SA-CONTRIB-2022-016
Update Maintainers stepped forward, fixed the security issue, and Vocabulary Permissions Per Role is supported again. The module allows adding to/editing terms of/removing terms from vocabularies per role. The module did not properly check access for certain operations allowing an unauthorized...
Rate - Critical - Unsupported - SA-CONTRIB-2022-010
2022-01-31 - a new maintainer has step forward and this module has been updated. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read:...
The Better Mega Menu - Moderately critical - Cross Site Scripting, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2021-038
This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. The module does not sanitize values for CSS properties that are added by admins and rendered on the front-end, allowing attackers to inject malicious code into the front-en...
Commerce Core - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2021-032
This module provides a system for building an ecommerce solution in their Drupal site. The module doesn't sufficiently verify access to profile data in certain circumstances. This vulnerability is mitigated by the fact that an attacker must have permission to perform the checkout operation...
OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2021-014
This module allows users to authenticate against an Oauth 2.0 / OpenID Connect identity provider to login to your Drupal site. The module doesn't sufficiently protect against unauthorized local access, by way of using the 'password reset' facility, for users who are supposed to only be able to lo...
Open Social - Moderately critical - SQL Injection - SA-CONTRIB-2021-010
This Open Social distribution provides a turn-key system for building customized social networks. The module doesn't sufficiently process data in certain circumstances. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access mentions"...
SAML SP 2.0 Single Sign On (SSO) - SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-038
This module enables your users residing at a SAML 2.0 compliant Identity Provider to login to your Drupal website. The module has two Authentication Bypass vulnerabilities...
Drupal OAuth Server ( OAuth / OIDC Provider) - Single Sign On ( SSO ) - Moderately critical - SQL Injection - SA-CONTRIB-2020-034
This module enables you login into any OAuth 2.0 compliant application using Drupal credentials. The 8.x branch of the module is vulnerable to SQL injection...
YubiKey - Less critical - Access bypass - SA-CONTRIB-2020-023
This module enables you to use a Yubikey device to protect your Drupal user account. YubiKey is a secure method for logging into many websites using a cryptographically secure USB token. The module doesn't sufficiently implement login flood control when the module is configured for YubiKey OTP...
Password Reset Landing Page (PRLP) - Highly critical - Access bypass - SA-CONTRIB-2020-021
This module enables you to force a password update when using password reset link. The module doesn't sufficiently validate the login URL allowing a malicious user to use a specially crafted URL to log in as another user...
Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-017
This module enables you to build forms and surveys in Drupal. The Webform Node sub-module allows these forms to be associated with a Drupal node. The Webform Node module does not implement access checking in the same manner as other nodes and entities. As such, writers of custom modules which...
Frequently Asked Questions - Critical - Unsupported - SA-CONTRIB-2019-077
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Commerce Ingenico - Critical - Unsupported - SA-CONTRIB-2019-089
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075
Open Social is a Drupal distribution for online communities. The included socialmagiclogin module doesn't sufficiently validate magic login URLs for user accounts that do not have a local password, but login via external systems. The lack of validation makes it possible for an adversary to forge...
Super Login - Moderately critical - Cross site scripting - SA-CONTRIB-2019-062
This module improves the Drupal login page with the new features and layout. The module doesn't sufficiently filter input text in the administration pages text configuration inputs. For example, the login text field. The vulnerability is mitigated by the fact it can only be exploited by a user wi...
Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2019-047
In certain configuration cases, when a learning path is configured as semi-private, anonymous users are allowed to join a learning path when they should not...
Module Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2019-042
This module enables you to filter the list of modules on the admin modules page, and organizes packages into vertical tabs. The module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that the...
Views (for Drupal 7) - Moderately critical - Information Disclosure - SA-CONTRIB-2019-034
This module enables you to create customized lists of data. The module doesn't sufficiently protect against argument definitions failing. This vulnerability is mitigated by the fact that a view must have custom PHP code used as a field validator...
Drupal voor Gemeenten - Moderately critical - Access Bypass - SA-CONTRIB-2019-031
The DvG distrubition contains the feature module dvgdomains to support multiple domains. When the dvgdomains feature module is enabled, anonymous users are able to access some administration pages and change the settings exposed on those pages. This issue can be mitigated by disabling the...
Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2019-030
This module enables you to create facet-filters for results of a search query and exposes them as blocks The module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by two factors. First, an attacker must have...
Phone Field - Critical - SQL Injection - SA-CONTRIB-2019-001
This module provides a phone field for Drupal 7 that supports the HTML5 tel:-schema. In an API function that is not used by the module, the name for the phone field is not sufficiently sanitised when using it in database queries. This vulnerability is mitigated by the fact that it affects an unus...