Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2019/05/15 12:0 a.m.16 views

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2019-047

In certain configuration cases, when a learning path is configured as semi-private, anonymous users are allowed to join a learning path when they should not...

6.6AI score
Exploits0References6
Drupal
Drupal
added 2019/03/27 12:0 a.m.16 views

Module Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2019-042

This module enables you to filter the list of modules on the admin modules page, and organizes packages into vertical tabs. The module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that the...

5.8AI score
Exploits0References5
Drupal
Drupal
added 2019/03/13 12:0 a.m.16 views

Views (for Drupal 7) - Moderately critical - Information Disclosure - SA-CONTRIB-2019-034

This module enables you to create customized lists of data. The module doesn't sufficiently protect against argument definitions failing. This vulnerability is mitigated by the fact that a view must have custom PHP code used as a field validator...

7AI score
Exploits0References11
Drupal
Drupal
added 2019/03/13 12:0 a.m.16 views

Views (for Drupal 7) - Moderately critical - Information disclosure - SA-CONTRIB-2019-035

This module enables you to create customized lists of data. The module doesn't sufficiently build queries when used with exposed filters, leading to a possible information disclosure vulnerability in certain rare circumstances. This vulnerability is mitigated by the fact that a view must have an...

6.2AI score
Exploits0References14
Drupal
Drupal
added 2019/03/06 12:0 a.m.16 views

Drupal voor Gemeenten - Moderately critical - Access Bypass - SA-CONTRIB-2019-031

The DvG distrubition contains the feature module dvgdomains to support multiple domains. When the dvgdomains feature module is enabled, anonymous users are able to access some administration pages and change the settings exposed on those pages. This issue can be mitigated by disabling the...

6.8AI score
Exploits0References4
Drupal
Drupal
added 2019/02/27 12:0 a.m.16 views

Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2019-030

This module enables you to create facet-filters for results of a search query and exposes them as blocks The module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by two factors. First, an attacker must have...

5.8AI score
Exploits0References6
Drupal
Drupal
added 2019/01/09 12:0 a.m.16 views

Phone Field - Critical - SQL Injection - SA-CONTRIB-2019-001

This module provides a phone field for Drupal 7 that supports the HTML5 tel:-schema. In an API function that is not used by the module, the name for the phone field is not sufficiently sanitised when using it in database queries. This vulnerability is mitigated by the fact that it affects an unus...

6.7AI score
Exploits0References5
Drupal
Drupal
added 2018/09/19 12:0 a.m.16 views

Renderkit - Moderately critical - Access bypass - SA-CONTRIB-2018-060

This module, typically in combination with cfr:cfrplugin, allows to compose behaviors from granular components. One of such behaviors is to display a list of related entities, for a given source entity and a given entity relation e.g. an entity reference field. The components that display related...

6.4AI score
Exploits0References5
Drupal
Drupal
added 2018/08/08 12:0 a.m.16 views

PHP Configuration - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-055

This module enables you to add or overwrite PHP configuration on a drupal website. The module doesn't sufficiently allow access to set these configurations, leading to arbitrary PHP configuration execution by an attacker. This vulnerability is mitigated by the fact that an attacker must have a ro...

6.8AI score
Exploits0References7
Drupal
Drupal
added 2018/07/11 12:0 a.m.16 views

Tapestry - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-051

This theme provides Drupal users with many advanced features including 20 Different Color Styles, 30 User Regions, Custom Block Theme Templates, Suckerfish Menus, Icon Support, Advanced Page Layout Options, Simple Configuration, Custom Typography... The theme doesn't sufficiently sanitize user...

6.6AI score
Exploits0References6
Drupal
Drupal
added 2018/04/25 12:0 a.m.16 views

JSON:API - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2018-021

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities. The module doesn't provide CSRF protection when processing authenticated traffic using cookie-based authentication. This vulnerability is mitigated by the fact that an...

6.7AI score
Exploits0References7
Drupal
Drupal
added 2018/04/18 12:0 a.m.16 views

Display Suite - Critical - Cross site scripting (XSS) - SA-CONTRIB-2018-019

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. The module doesn't sufficiently validate view modes provided dynamically via URLs leading to a reflected cross site scripting XSS attack. This vulnerability is mitigated only by the...

5.2AI score
Exploits0References1
Drupal
Drupal
added 2018/03/21 12:0 a.m.16 views

JSON:API - Moderately critical - Access Bypass - SA-CONTRIB-2018-016

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities. The module doesn't sufficiently check access when viewing related resources or relationships, thereby causing an access bypass vulnerability. This vulnerability is...

6.8AI score
Exploits0References6
Drupal
Drupal
added 2018/02/14 12:0 a.m.16 views

Entity API - Moderately critical - Information Disclosure - SA-CONTRIB-2018-013

The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. The module prints debugging information to the HTML output in certain error conditions thereby causing an information disclosure vulnerability. This...

6AI score
Exploits0References6
Drupal
Drupal
added 2018/02/07 12:0 a.m.16 views

FileField Sources - Moderately critical - Access Bypass - SA-CONTRIB-2018-007

This module enables you to upload files to fields via several sources. The module doesn't sufficiently handle access control under the scenario of the autocomplete path of reference sources...

6.8AI score
Exploits0References5
Drupal
Drupal
added 2017/09/20 12:0 a.m.16 views

Page Access - Unsupported - SA-CONTRIB-2017-075

This module will provide the option to give the View and Edit access for users and roles on each node pages. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module,...

7.2AI score
Exploits0References7
Drupal
Drupal
added 2017/08/09 12:0 a.m.16 views

Better field descriptions - Critical - XSS - SA-CONTRIB-2017-064

This module enables you to add themeable descriptions to fields in forms. The module doesn't sufficiently sanitize descriptions. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "add better descriptions to fields". CVE identifiers issued ACVE...

7AI score
Exploits0References12
Drupal
Drupal
added 2017/08/02 12:0 a.m.16 views

baidu_analytics - Unsupported - SA-CONTRIB-2017-060

Update The maintainer has resolved this issue, please read the release notes for more information This module adds the Baidu Analytics web statistics tracking system to your website. The security team is marking this module unsupported. There is a known security issue with the module that has not...

7.1AI score
Exploits0References9
Drupal
Drupal
added 2017/08/02 12:0 a.m.16 views

Alinks - Moderately Critical -Access bypass - SA-CONTRIB-2017-058

This module enables you to automatically link keywords to specific URLs. This module has an insufficient access check on the delete route. Alinks uses the wrong permission for an access check. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2017/06/28 12:0 a.m.16 views

SMTP - Moderately Critical - Information Disclosure - SA-CONTRIB-2017-055

This SMTP module enables you to send mail using a third party non-system mail service instead of the local system mailer included with Drupal. When this module is in debugging mode, it will log privileged information. CVE identifiers issued ACVE identifier will be requested, and added upon...

6.9AI score
Exploits0References17
Drupal
Drupal
added 2017/05/10 12:0 a.m.16 views

Media - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-044

This module provides intuitive ways to manage large libraries of media, insert or display or import various types of media either through fields or a wysiwyg interface. Versions of this module prior to 7.x-2.1 or 7.x-3.0-alpha5 did not sufficiently whitelist input parameters for the media browser...

6.9AI score
Exploits0References10
Drupal
Drupal
added 2017/04/12 12:0 a.m.16 views

Legal - Critical - Unsupported - SA-CONTRIB-2017-36

Update: 2017-06-04 The issue in this module has been fixed and a new release has been made Displays your Terms & Conditions to users who want to register, and requires that they accept the T&C before their registration is accepted. The security team is marking this module unsupported. There is a...

7.1AI score
Exploits0References8
Drupal
Drupal
added 2017/04/12 12:0 a.m.16 views

References - Unsupported - SA-CONTRIB-2017-38

Updates 2017-04-18 -- This issue has been resolved with the release of references 7.x-2.2 2017-04-14 - A potential new maintainer is working through the process of fixing the References module. When this is complete a new release will be published and this SA will be updated. The specific details...

6.8AI score
Exploits0References11
Drupal
Drupal
added 2017/03/22 12:0 a.m.16 views

Linkit - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-033

Linkit provides an easy interface for internal and external linking with WYSIWYG editors by using an autocomplete field. When searching for entities, this module doesn't always enforce the access restrictions and users may see information about entities they should not be able to access. This is...

6.7AI score
Exploits0References12
Drupal
Drupal
added 2017/03/01 12:0 a.m.16 views

AES - Critical - Unsupported - SA-CONTRIB-2017-027

This module provides an API that allows other modules to encrypt and decrypt data using the AES encryption algorithm. The module does not follow requirements for encrypting data safely. An attacker who gains access to data encrypted with this module could decrypt it more easily than should be...

6.8AI score
Exploits0References12
Drupal
Drupal
added 2017/01/25 12:0 a.m.16 views

Unpublished 404 - Critical - Access bypass - SA-CONTRIB-2017-021

The purpose of Unpublished 404 module is to emit a 404 error when a user tries to access a unpublished pages. Unpublished 404 7.x-1.0 has an access bypass vulnerability. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team...

7.1AI score
Exploits0References11
Drupal
Drupal
added 2017/01/25 12:0 a.m.16 views

DownloadFile - Critical - Unsupported - SA-CONTRIB-2017-023

DownloadFile is a module to direct download files or images. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466...

7.2AI score
Exploits0References10
Drupal
Drupal
added 2016/08/24 12:0 a.m.16 views

Workbench Scheduler - Moderately Critical - Access Bypass - SA-CONTRIB-2016-049

Workbench Scheduler module provides users with the ability to create schedules that change moderated content from one workbench moderation state to another. An authenticated user could add a schedule to a node even when that content type has schedules disabled. The vulnerability is mitigated by t...

6.8AI score
Exploits0References12
Drupal
Drupal
added 2016/06/08 12:0 a.m.16 views

Page Manager Search - Moderately Critical - Information disclosure - SA-CONTRIB-2016-032

This module enables you to make Panels pages and other pages managed by CTools' Page Manager submodule indexible and searchable through the standard Search module provided in Drupal core. The module doesn't block access to Page Manager pages which have been disabled. CVE identifiers issued ACVE...

7.2AI score
Exploits0References12
Drupal
Drupal
added 2016/03/02 12:0 a.m.16 views

USASearch - Moderately Critical - Access Bypass - SA-CONTRIB-2016-010

This module indexes public content using USASearch, a program of the General Services Administration’s Office of Citizen Services and Information Technology OCSIT, which offers free search services to any federal, state, local, tribal, or territorial government agency that can be used to search o...

7.1AI score
Exploits0References13
Drupal
Drupal
added 2016/01/27 12:0 a.m.16 views

Open Atrium - Moderately Critical - Access Bypass - SA-CONTRIB-2016-003

Open Atrium allows you to control access via a hierarchy of public and private spaces and sub-spaces. If a public sub-space is created within a private parent-space, the content nodes of the public sub-space are accessible to users who are not members of the parent private space. This issue only...

7AI score
Exploits0References13
Drupal
Drupal
added 2016/01/13 12:0 a.m.16 views

RedHen CRM - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-002

The Redhen set of modules allows you to build a CRM features in a Drupal site. When rendering individual Contacts, this module does not properly filter the certain data prior to display. When rendering listing of notes or engagement scores, these modules do not properly filter certain data before...

5.4CVSS5.4AI score0.00615EPSS
Exploits0References11
Drupal
Drupal
added 2015/12/02 12:0 a.m.16 views

RESTful - Less Critical - Access bypass - SA-CONTRIB-2015-167

RESTful module allows Drupal to be operated via RESTful HTTP requests, using best practices for security, performance, and usability. The module doesn't sufficiently validate some user input. Specific code could be run arbitrarily by an attacker in certain circumstances. This vulnerability is...

7.2AI score
Exploits0References11
Drupal
Drupal
added 2015/10/21 12:0 a.m.16 views

Webform CiviCRM Integration - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-160

Webform CiviCRM Integration allows you to add CiviCRM fields to a Drupal Webform. The module doesn't sufficiently escape user input. Some of the vulnerabilities are mitigated by the fact that an attacker must have a role with the permission to edit the webform node plus "access CiviCRM" to define...

7.2AI score
Exploits0References13
Drupal
Drupal
added 2015/10/07 12:0 a.m.16 views

Stickynote - Cross Site Scripting (XSS) - Moderately Critical - SA-CONTRIB-2015-154

This module enables you to create notes on a page inside a block. The module doesn't sufficiently sanitize the note text on the admin listing page. This vulnerability is mitigated by the fact that an attacker must have a role with a permission to create or edit a stickynote. CVE identifiers issue...

5.4CVSS5.4AI score0.00887EPSS
Exploits0References10
Drupal
Drupal
added 2015/09/30 12:0 a.m.16 views

User Dashboard - SQL Injection - Critical - SA-CONTRIB-2015-152

Module contains SQL Injection vulnerabilities. CVE identifiers issued CVE-2015-7877 Versions affected userdashboard 7.x versions prior to 7.x-1.4 Drupal core is not affected. If you do not use the contributed UserDashboard module, there is nothing you need to do. Solution Install the latest...

9.8CVSS10AI score0.01349EPSS
Exploits0References10
Drupal
Drupal
added 2015/07/01 12:0 a.m.16 views

Views Bulk Operations - Moderately critical - Access Bypass - SA-CONTRIB-2015-131

The Views Bulk Operations module enables you to add bulk operations to administration views, executing actions on multiple selected rows. The module doesn't sufficiently guard user entities against unauthorized modification. If a user has access to a user account listing view with VBO enabled suc...

4.9CVSS6.3AI score0.01088EPSS
Exploits0References10
Drupal
Drupal
added 2015/05/20 12:0 a.m.16 views

pass2pdf - Critical - Information Disclosure - Unsupported - SA-CONTRIB-2015-109

This module allows you to let users set a password upon registering, and have the password emailed to the user in a PDF file. The module has an Information Disclosure vulnerability. The generated PDF files are not protected. The user passwords are exposed to anonymous users. CVE identifiers issue...

5CVSS6.5AI score0.01381EPSS
Exploits0References9
Drupal
Drupal
added 2015/05/06 12:0 a.m.16 views

Dynamic display block - Less Critical - Access bypass - SA-CONTRIB-2015-104

This module enables you to showcase featured content at a prominent place on the front page of the site in an attractive way. The module doesn't sufficiently protect access to content a user has no access to. In certain scenarios a user with the "administer ddblock" permission can see titles of...

3.5CVSS6.2AI score0.01012EPSS
Exploits0References11
Drupal
Drupal
added 2015/04/01 12:0 a.m.16 views

Open Graph Importer - Moderately Critical - Access bypass - Unsupported - SA-CONTRIB-2015-092

This module enables you to import content from a web page by scraping its Open Graph data. The module doesn't sufficiently check for "create" permission to the content type that is configured as the destination for imported content, thus allowing a user with the "import ogtagimporter" permission ...

4CVSS6.4AI score0.01129EPSS
Exploits0References11
Drupal
Drupal
added 2015/03/18 12:0 a.m.16 views

SA-CONTRIB-2015-080 - Profile2 Privacy - Cross Site Scripting (XSS)

Profile2 Privacy module enables you to show or hide parts of a profile2 entity based on pre-configured field sets with a title and description. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is...

3.5CVSS6.1AI score0.00965EPSS
Exploits0References11
Drupal
Drupal
added 2015/02/25 12:0 a.m.16 views

SA-CONTRIB-2015-058 - Spider Catalog - Cross Site Request Forgery (CSRF) - Unsupported

Spider Catalog module enables you to build product catalogs. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to delete products, ratings and categories by getting their browser to make a request to a specially-crafted URL. CVE identifier...

6.8CVSS6.4AI score0.00649EPSS
Exploits0References8
Drupal
Drupal
added 2015/01/28 12:0 a.m.16 views

SA-CONTRIB-2015-033 - Certify - Access bypass and information disclosure

Certify enables you to automatically issue PDF certificates to users upon completion of a set of conditions. The module does not sufficiently check node access when showing and creating the PDF certificates. This can lead to users seeing certificates they should not have access to. This...

4CVSS6.3AI score0.00699EPSS
Exploits0References11
Drupal
Drupal
added 2015/01/07 12:0 a.m.16 views

SA-CONTRIB-2015-007 - Htaccess - Cross Site Request Forgery (CSRF)

The Htaccess module allows the creation and deployment of .htaccess files based on custom settings. Some administration links were not properly protected from Cross Site Request Forgery CSRF. A malicious user could cause an administrator to deploy or delete .htaccess files by getting the...

6.8CVSS6.5AI score0.00656EPSS
Exploits0References10
Drupal
Drupal
added 2014/09/23 12:0 a.m.16 views

SA-CONTRIB-2014-095 - Safeword - Cross Site Scripting (XSS)

The safeword module provides an automatically generated 'Machine Name' when text is entered into a human-readable field. The module doesn't sufficiently sanitize the field description that can be used as help text under the machine name editing field. This vulnerability is mitigated by the fact...

7AI score
Exploits0References10
Drupal
Drupal
added 2014/09/17 12:0 a.m.16 views

SA-CONTRIB-2014-088 - Mollom - Cross-site scripting (XSS)

Mollom is an "intelligent" content moderation web service which determines if a post is potentially spam; not only based on the posted content, but also on the past activity and reputation of the poster across multiple sites. Mollom offers a feature to report submitted content as inappropriate...

6AI score
Exploits0References12
Drupal
Drupal
added 2014/08/20 12:0 a.m.16 views

SA-CONTRIB-2014-082 - Marketo MA - Cross Site Scripting (XSS)

The Marketo MA module adds Marketo marketing automation tracking capability to your website as well as the ability to capture lead data during user registration and via webform integration. It consists of a base module as well as Marketo MA User Webform and Marketo MA User sub-modules. The Market...

3.5CVSS5.6AI score0.00946EPSS
Exploits0References11
Drupal
Drupal
added 2014/08/20 12:0 a.m.16 views

SA-CONTRIB-2014-081 - Site Banner - Cross Site Scripting (XSS)

The Site Banner module enables you to display a banner at the top and bottom of a Drupal site. This module incorrectly prints existing context settings without proper sanitization, opening a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must...

3.5CVSS5.7AI score0.00946EPSS
Exploits0References11
Drupal
Drupal
added 2014/08/06 12:0 a.m.16 views

SA-CONTRIB-2014-076 - Fasttoggle - Access bypass

This module enables you to quickly toggle various user, node and field related settings via ajax links. The recent 7.x-1.3 and 1.4 releases of the module include a rewrite of the access control which doesn't correctly implement support for the user status allow/block link. This vulnerability is...

5.8CVSS6.4AI score0.01051EPSS
Exploits0References11
Drupal
Drupal
added 2014/07/02 12:0 a.m.16 views

SA-CONTRIB-2014-068 - Pane - XSS

This module did not properly sanitize content entered for title. It allowed sufficiently privileged users to add arbitrary HTML which could result in XSS attacks. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks" or ability to ed...

6.1AI score
Exploits0References12
Total number of security vulnerabilities1940