Search 404 - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-053
The Search 404 module enables you to redirect 404 pages to a search page on the site for the keywords in the URL that was not found. The module did not filter administrator-provided text before displaying it to the user on the 404 page, creating a Cross Site Scripting (XSS) vulnerability. This...
Media - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-044
This module provides intuitive ways to manage large libraries of media, insert or display or import various types of media either through fields or a wysiwyg interface. Versions of this module prior to 7.x-2.1 or 7.x-3.0-alpha5 did not sufficiently whitelist input parameters for the media browser...
Legal - Critical - Unsupported - SA-CONTRIB-2017-36
Update: 2017-06-04. The issue in this module has been fixed and a new release has been made. Displays your Terms & Conditions to users who want to register, and requires that they accept the T&C before their registration is accepted. The security team is marking this module unsupported. There is a...
Storage API stream wrappers - Moderately Critical - Access bypass - SA-CONTRIB-2017-010
This module provides stream wrappers to integrate Storage API with Drupal, as an alternative to Storage API's core bridge submodule. It provides two stream wrappers: "Storage API Public" and "Storage API Private". The private storage API doesn't sufficiently perform access control, allowing...
Autocomplete Deluxe - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-003
This module creates a new widget for taxonomy fields based on jQuery UI autocomplete. The module doesn't sufficiently escape the entered taxonomy terms, thereby exposing a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have the permission ...
Like/Dislike - Critical - Cross Site Request Forgery - SA-CONTRIB-2016-056
Cross Site Request Forgery. The Like/Dislike module can be used to add Like and Dislike actions to any content. It is powered by the Drupal field concept. The module does not verify user intent on like/dislike links, thereby exposing a Cross Site Request Forgery (CSRF) vulnerability. CVE identifiers issued ACVE...
Webform - Less Critical - Access Bypass - SA-CONTRIB-2016-053
This module provides a user interface to create and configure forms called Webforms. When using forms with private file uploads, Webform wasn't explicitly denying access to files it managed which could allow access to be granted by other modules. The vulnerability is mitigated by the fact that...
USASearch - Moderately Critical - Access Bypass - SA-CONTRIB-2016-010
This module indexes public content using USASearch, a program of the General Services Administration's Office of Citizen Services and Information Technology (OCSIT), which offers free search services to any federal, state, local, tribal, or territorial government agency that can be used to search o...
Open Atrium - Moderately Critical - Access Bypass - SA-CONTRIB-2016-003
Open Atrium allows you to control access via a hierarchy of public and private spaces and sub-spaces. If a public sub-space is created within a private parent-space, the content nodes of the public sub-space are accessible to users who are not members of the parent private space. This issue only...
RESTful - Moderately Critical - Access bypass - SA-CONTRIB-2015-147
This module enables you to expose your Drupal backend by generating a RESTful API. The module doesn't sufficiently account for core's page cache generation for anonymous users, when using non-cookie authentication providers. Authenticated users, via one of the authentication providers, can have...
Entityform Block - Moderately Critical - Access Bypass - SA-CONTRIB-2015-106
This module enables you to display an entityform as a block. The module doesn't sufficiently check permissions on the entityform under scenarios where the form is locked to a certain role. CVE identifiers issued CVE-2015-5493 Versions affected Entityform Block 7.x-1.x versions prior to 7.x-1.3...
Open Graph Importer - Moderately Critical - Access bypass - Unsupported - SA-CONTRIB-2015-092
This module enables you to import content from a web page by scraping its Open Graph data. The module doesn't sufficiently check for "create" permission to the content type that is configured as the destination for imported content, thus allowing a user with the "import ogtagimporter" permission ...
Petition - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-081
The Petition module enables you to create petitions which users may sign. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role...
SA-CONTRIB-2015-062 - Watchdog Aggregator - Cross Site Request Forgery (CSRF) - Unsupported
Watchdog Aggregator collects watchdog messages from external sites. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to enable and disable monitoring sites by getting their browser to make a request to a specially-crafted URL. CVE...
SA-CONTRIB-2015-056 - inLinks Integration - Cross Site Scripting (XSS) - Unsupported
inLinks Integration module enables you to use inLinks product from Text Link Ads third-party service. The module doesn't sufficiently sanitize user input in some path arguments, thereby exposing a Cross Site Scripting vulnerability. CVE identifiers issued CVE-2015-4347 Versions affected All...
SA-CONTRIB-2015-058 - Spider Catalog - Cross Site Request Forgery (CSRF) - Unsupported
Spider Catalog module enables you to build product catalogs. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to delete products, ratings and categories by getting their browser to make a request to a specially-crafted URL. CVE identifier...
SA-CONTRIB-2015-033 - Certify - Access bypass and information disclosure
Certify enables you to automatically issue PDF certificates to users upon completion of a set of conditions. The module does not sufficiently check node access when showing and creating the PDF certificates. This can lead to users seeing certificates they should not have access to. This...
SA-CONTRIB-2015-027 - Quizzler - Cross Site Scripting (XSS)
The Quizzler module allows you to create online quizzes and tests. Quizzes are nodes with questions attached. The module does not sanitize user input in the node title when displaying it on the page, allowing a malicious user to inject code (a Cross Site Scripting (XSS) attack). This vulnerability i...
SA-CONTRIB-2014-117 - Hierarchical Select - Cross Site Scripting (XSS)
The Hierarchical Select module provides a "hierarchicalselect" form element, which is a greatly enhanced way for letting the user select items in a taxonomy. The module does not sanitize some of the user-supplied data before displaying it, leading to two Cross Site Scripting XSS vulnerabilities...
SA-CONTRIB-2014-106 - Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass
This module provides payment methods for the Drupal Commerce package to permit the use of the Authorize.Net payment gateway's SIM and DPM payment protocols. Access Bypass The module doesn't sufficiently protect the Drupal Commerce order number passed to the Authorize.Net payment gateway, allowing...
SA-CONTRIB-2014-086 - Custom BreadCrumbs - Cross Site Scripting (XSS)
Custom Breadcrumbs allows administrators to set up parametrized breadcrumb trails for different content types, views, panels, taxonomy vocabularies and terms, paths, and a simple API that allows contributed modules to enable custom breadcrumbs for module pages and theme templates. User input is n...
SA-CONTRIB-2014-083 - Rules Link - Cross Site Scripting (XSS)
This module allows you to create links which trigger arbitrary functionality with the help of the Rules module. The module doesn't sufficiently sanitize the question and description strings when confirmation forms are displayed for triggering Rules links. This vulnerability is mitigated by the fa...
SA-CONTRIB-2014-082 - Marketo MA - Cross Site Scripting (XSS)
The Marketo MA module adds Marketo marketing automation tracking capability to your website as well as the ability to capture lead data during user registration and via webform integration. It consists of a base module as well as Marketo MA User Webform and Marketo MA User sub-modules. The Market...
SA-CONTRIB-2014-081 - Site Banner - Cross Site Scripting (XSS)
The Site Banner module enables you to display a banner at the top and bottom of a Drupal site. This module incorrectly prints existing context settings without proper sanitization, opening a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must...
SA-CONTRIB-2014-076 - Fasttoggle - Access bypass
This module enables you to quickly toggle various user, node and field related settings via ajax links. The recent 7.x-1.3 and 1.4 releases of the module include a rewrite of the access control which doesn't correctly implement support for the user status allow/block link. This vulnerability is...
SA-CONTRIB-2014-068 - Pane - XSS
This module did not properly sanitize content entered for title. It allowed sufficiently privileged users to add arbitrary HTML which could result in XSS attacks. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks" or ability to ed...
SA-CONTRIB-2014-059 - Touch Theme - Cross Site Scripting (XSS)
Touch Theme is a lightweight theme with a modern look and feel. The theme does not sufficiently sanitize theme settings input for the Twitter and Facebook usernames. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes". CVE identifiers...
SA-CONTRIB-2014-058 - Webserver Auth - Access Bypass
This module allows you to delegate user authentication to the web server. The module can be configured to automatically create users that have been authenticated by the web server. There was an issue where a configuration variable did not have consistent default values in the code meaning that in...
SA-CONTRIB-2014-051 - Realname Registration - Information Disclosure
This module enables you to generate usernames based on fields filled out by the user during registration. The module doesn't sufficiently restrict access to the settings for determining which user fields are incorporated into usernames, and doesn't properly validate generated user names. Any user...
SA-CONTRIB-2014-050 - Commerce Postfinance ePayment - Access Bypass
The Commerce Postfinance ePayment module provides commerce payment methods for the Postfinance e-Payment service provider. The module doesn't sufficiently validate incoming payment notification IPN messages. Sending a specifically crafted IPN message to an affected site allows an attacker to crea...
SA-CONTRIB-2014-035 - CAS Server - Access Bypass
The casserver module of the CAS project implements the CAS 1.0 and 2.0 specifications for providing single sign-on to relying party web applications (the "service" in the CAS specs). The CAS server creates single-use tickets when serving a user's login request, which are subsequently deleted when the...
SA-CONTRIB-2014-019 - Easy Social - Cross Site Scripting (XSS)
This module enables you to add social sharing widgets to your content and pages. The module doesn't sufficiently validate block titles when a user creates a custom block from within the module's admin interface. This vulnerability is mitigated by the fact that an attacker must have a role with th...
SA-CONTRIB-2013-074 - MediaFront - Cross Site Scripting (XSS)
The MediaFront module provides a front-end media presentation layer for Drupal. The module doesn't sufficiently filter user input from MediaFront preset settings. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer mediafront" to exploit th...
SA-CONTRIB-2013-071 - Flag - Cross Site Scripting
The Flag module allows creation of customizable flags on entities. Flag does not properly sanitize the name of a flag on the main flag administration page, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS vulnerability. This vulnerability is...
SA-CONTRIB-2013-068 - Entity API - Access Bypass
The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. The module doesn't sufficiently enforce node access restrictions when checking for a user's access to view a comment associated with a particular node. The...
SA-CONTRIB-2013-033 - Simple Corporate theme - Cross Site Scripting (XSS)
This third-party contributed theme changes Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3-slide gallery on the homepage, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...
SA-CONTRIB-2013-018 - Taxonomy Manager - Cross Site Request Forgery (CSRF)
The Taxonomy Manager provides an advanced interface for administrating taxonomy vocabularies. The module doesn't sufficiently verify POST requests thereby exposing a Cross Site Request Forgery vulnerability. This vulnerability is mitigated by the fact that an attacker must trick a user with...
SA-CONTRIB-2013-017 - Yandex.Metrics - Cross site scripting (XSS)
The Yandex.Metrics module enables you to install Yandex.Metrica tracking code and watch reports by key indicators of user activity. The module doesn't sufficiently escape Yandex.Metrica service data when being displayed. This vulnerability is mitigated by the fact that it only impacts sites with...
SA-CONTRIB-2013-022 - Menu Reference - Cross site scripting (XSS)
The Menu Reference module doesn't escape HTML contained in menu link titles displayed by the Menu Reference "Rendered links" formatter. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer menus and menu items" to insert HTML code in menu link titl...
SA-CONTRIB-2013-013 - Boxes - Cross site scripting (XSS)
The subject field for the included simple box doesn't escape HTML properly. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to administer/edit boxes. Wikipedia has more information about cross site scripting XSS. CVE identifiers issued CVE-2013-02...
SA-CONTRIB-2012-151 - Commerce Extra Panes - Cross Site Request Forgery
This module, an add-on for Drupal Commerce, allows site builders to place one or more nodes in one of the checkout phases of an order. The module doesn't sufficiently confirm the intent of a site builder when taking certain administrative operations. This could allow an attacker to trick an...
SA-CONTRIB-2012-142 - Spambot - Cross Site Scripting (XSS)
The Spambot module enables you to protect new user registrations from spammers using the database at stopforumspam.com. Spambot doesn't sufficiently sanitize API responses from stopforumspam.com when they are logged to the watchdog, allowing a potential XSS attack. This vulnerability is mitigated...
SA-CONTRIB-2012-112 - Ubercart SecureTrading - Failure to follow guideline/specification
The Ubercart SecureTrading Payment Method module provides an Ubercart payment method for the SecureTrading.com gateway. The module's payment method did not properly verify the validity of payment notification information. A malicious user could trick a site into thinking that an item has been pai...
SA-CONTRIB-2012-106 - Listhandler - Access Bypass
Listhandler is a module that marries mailing list discussions and Drupal forums. The module doesn't sufficiently check the permissions of comment authors when importing emails. CVE: CVE-2012-4470 Versions affected All Listhandler 6.x-1.x versions. Drupal core is not affected. If you do not use th...
SA-CONTRIB-2012-092 - Organic Groups - Cross Site Scripting (XSS) and Access Bypass
The Organic Groups module enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. Cross Site Scripting The module doesn't sufficiently filter user supplied text when used in connectio...
SA-CONTRIB-2012-059 - Autosave - Cross Site Request Forgery
CVE: CVE-2012-2097 This module enables snapshots of your node edit form to be saved in the background while you are editing to help prevent the data from being lost. The module doesn't sufficiently protect against a user being tricked into submitting saved results to a node. Versions affected...
SA-CONTRIB-2012-050 - CDN2 Video - Unsupported
CDN2 is a plug-and-play module and video management service for Drupal. The module does not sanitize output correctly, allowing for a cross-site scripting (XSS) vulnerability. Additionally, the Form API is not correctly utilized, allowing for cross-site request forgery (CSRF) attempts. This module...
SA-CONTRIB-2012-043 - MultiBlock - Cross Site Scripting
CVE: CVE-2012-2070 The MultiBlock module allows an administrator to create multiple instances of blocks provided by other modules. The module does not properly sanitize the block title provided by a block administrator, leading to a cross-site scripting XSS vulnerability. Such an attack may lead ...
SA-CONTRIB-2012-045 - AddToAny - Cross Site Scripting
CVE: CVE-2012-2072 This module enables you to add Lockerz/AddToAny's universal sharing buttons to your site. Previously, the module did not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fac...
SA-CONTRIB-2012-002 - Lingotek - Cross Site Scripting
CVE: CVE-2012-1624 This module enables you to translate a website's content using tools provided by the Lingotek Collaborative Translation Network. The module doesn't sufficiently sanitize user input when creating or editing page content. This allows a malicious content editor to potentially inpu...