Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
•added 2014/02/12 12:0 a.m.•16 views

SA-CONTRIB-2014-019 - Easy Social - Cross Site Scripting (XSS)

This module enables you to add social sharing widgets to your content and pages. The module doesn't sufficiently validate block titles when a user creates a custom block from within the module's admin interface. This vulnerability is mitigated by the fact that an attacker must have a role with th...

3.5CVSS6.3AI score0.01046EPSS
Exploits0References10
Drupal
Drupal
•added 2014/02/05 12:0 a.m.•16 views

SA-CONTRIB-2014-009 - Tagadelic - Information Disclosure

This module provides an API and a few simple turnkey modules, which allows you to easily create tagclouds, weighted lists, search-clouds and such. The 6.x-1.x version does not account for node access modules, thus leading to information being disclosed. This vulnerability is mitigated by the fact...

6.7AI score
Exploits0References13
Drupal
Drupal
•added 2014/01/22 12:0 a.m.•16 views

SA-CONTRIB-2014-004 - Secure Cookie Data - Faulty Hashing

This module allows for storing data securely in a cookie through implementing the Secure Cookie Protocol. Ability to alter trusted data in the cookie The module did an incorrect comparison of the HMAC value, allowing a bypass of the HMAC verification which allows changing the cookie value. Known...

7AI score
Exploits0References14
Drupal
Drupal
•added 2013/11/20 12:0 a.m.•16 views

SA-CONTRIB-2013-096 - Entity reference - Access bypass

By default, with an autoselect or a select widget, a user cannot autocomplete an entity title, nor can they select an entity that they have no access to. This will correctly throw a 'invalid id' error and does not show the title of the entity. However, if a user A that has access to the reference...

4.3CVSS6.1AI score0.01066EPSS
Exploits0References13
Drupal
Drupal
•added 2013/11/13 12:0 a.m.•16 views

SA-CONTRIB-2013-090 - Revisioning - Access Bypass

This module enables you to create content publication workflows whereby one version of the content is "live" publicly visible, while another is being edited and moderated privately until found fit for publication. The module doesn't sufficiently apply node access permissions when used in...

4CVSS6.1AI score0.01082EPSS
Exploits0References10
Drupal
Drupal
•added 2013/08/28 12:0 a.m.•16 views

SA-CONTRIB-2013-072 - Node View Permissions - Access Bypass

The Node View Permissions module adds permissions "View own content" and "View any content" for each content type on the permissions page. However, it only implements hooknodeaccess and not hookqueryalter, which means any listing of nodes does not respect the node view permission. CVE identifiers...

6.5AI score
Exploits0References10
Drupal
Drupal
•added 2013/04/03 12:0 a.m.•16 views

SA-CONTRIB-2013-041 - Chaos tool suite (ctools) - Access bypass

This CTools module provides a set of APIs and tools to improve the developer experience. The module doesn't sufficiently enforce node access when providing an autocomplete list of suggested node titles, allowing users with the "access content" permission to see the titles of nodes which they shou...

3.5CVSS6.3AI score0.01772EPSS
Exploits0References12
Drupal
Drupal
•added 2013/02/27 12:0 a.m.•16 views

SA-CONTRIB-2013-033 - Simple Corporate theme - Cross Site Scripting (XSS)

This third-party contributed theme change Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.6AI score0.00941EPSS
Exploits0References10
Drupal
Drupal
•added 2013/02/20 12:0 a.m.•16 views

SA-CONTRIB-2013-018 - Taxonomy Manager - Cross Site Request Forgery (CSRF)

The Taxonomy Manager provides an advanced interface for administrating taxonomy vocabularies. The module doesn't sufficiently verify POST requests thereby exposing a Cross Site Request Forgery vulnerability. This vulnerability is mitigated by the fact that an attacker must trick a user with...

5.1CVSS6.3AI score0.00684EPSS
Exploits0References9
Drupal
Drupal
•added 2013/02/20 12:0 a.m.•16 views

SA-CONTRIB-2013-019 - Ubercart Views - Cross site scripting (XSS)

Ubercart Views provides Views integration for the Ubercart shopping cart module. The "full name" field in Views is not properly sanitized on output. The vulnerability is mitigated by the fact that an attacker must get far enough in the checkout process to store their name with an order. CVE...

4.3CVSS6.4AI score0.01161EPSS
Exploits0References10
Drupal
Drupal
•added 2013/02/20 12:0 a.m.•16 views

SA-CONTRIB-2013-017 - Yandex.Metrics - Cross site scripting (XSS)

The Yandex.Metrics module enables you to install Yandex.Metrica tracking code and watch reports by key indicators of user activity. The module doesn't sufficiently escape Yandex.Metrica service data when being displayed. This vulnerability is mitigated by the fact that it only impacts sites with...

4.3CVSS6.6AI score0.01284EPSS
Exploits0References9
Drupal
Drupal
•added 2013/01/30 12:0 a.m.•16 views

SA-CONTRIB-2013-013 - Boxes - Cross site scripting (XSS)

The subject field for the included simple box doesn't escape HTML properly. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to administer/edit boxes. Wikipedia has more information about cross site scripting XSS. CVE identifiers issued CVE-2013-02...

2.1CVSS5.5AI score0.00941EPSS
Exploits0References10
Drupal
Drupal
•added 2012/09/19 12:0 a.m.•16 views

SA-CONTRIB-2012-142 - Spambot - Cross Site Scripting (XSS)

The Spambot module enables you to protect new user registrations from spammers using the database at stopforumspam.com. Spambot doesn't sufficiently sanitize API responses from stopforumspam.com when they are logged to the watchdog, allowing a potential XSS attack. This vulnerability is mitigated...

2.6CVSS5.8AI score0.01319EPSS
Exploits0References12
Drupal
Drupal
•added 2012/09/19 12:0 a.m.•16 views

SA-CONTRIB-2012-145 - Imagemenu - Cross Site Scripting (XSS)

Imagemenu module allows you to create Drupal menus from images files. The module doesn't sufficiently escape image file names when rendering menus, allowing a potential XSS attack. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...

2.1CVSS5.7AI score0.01041EPSS
Exploits0References13
Drupal
Drupal
•added 2012/08/29 12:0 a.m.•16 views

SA-CONTRIB-2012-130 - Jstool - Multiple Vulnerabilities

Javascript Tool enables administrators to edit any javascript file online from an admin panel. The module does not protect its menu paths, which contain sensitive information about all javascript files on the site and their contents. The module does not validate filenames which can lead to...

6.7AI score
Exploits0References9
Drupal
Drupal
•added 2012/08/29 12:0 a.m.•16 views

SA-CONTRIB-2012-134 - Views - Privilege Escalation

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. The module incorrectly modifies the global user object in some situations when a view has a uid argument and performs validation on...

6.9AI score
Exploits0References10
Drupal
Drupal
•added 2012/08/08 12:0 a.m.•16 views

SA-CONTRIB-2012-122 - Better Revisions - Cross Site Scripting (XSS)

The Better Revisions module changes the built-in revision log text area to a customizable select list with an optional description field. It also allows an administrator to make the list and/or description field required. The module doesn't sufficiently validate strings entered in the...

6.9AI score
Exploits0References9
Drupal
Drupal
•added 2012/07/11 12:0 a.m.•16 views

SA-CONTRIB-2012-107 - Search autocomplete - Access bypass

This module allows you to add autocomplete functionality to virtually any fields of a Drupal site. The module doesn't sufficiently protect access to the module admin page. This vulnerability is mitigated by the fact that the user can only access the page, disable an autocompletion or change...

5CVSS6.4AI score0.01332EPSS
Exploits0References10
Drupal
Drupal
•added 2012/07/11 12:0 a.m.•16 views

SA-CONTRIB-2012-106 - Listhandler - Access Bypass

Listhandler is a module that marries mailing list discussions and Drupal forums. The module doesn't sufficiently check the permissions of comment authors when importing emails. CVE: CVE-2012-4470 Versions affected All Listhandler 6.x-1.x versions. Drupal core is not affected. If you do not use th...

7.5CVSS6.5AI score0.01304EPSS
Exploits0References8
Drupal
Drupal
•added 2012/06/06 12:0 a.m.•16 views

SA-CONTRIB-2012-092 - Organic Groups - Cross Site Scripting (XSS) and Access Bypass

The Organic Groups module enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. Cross Site Scripting The module doesn't sufficiently filter user supplied text when used in connectio...

6.8CVSS5.7AI score0.02598EPSS
Exploits1References12
Drupal
Drupal
•added 2012/05/09 12:0 a.m.•16 views

SA-CONTRIB-2012-075 - Take Control - Cross Site Request Forgery (CSRF)

CVE: CVE-2012-2341 This module enables you to manage your Drupal file-system from within Drupal itself. The module does not sufficiently validate Ajax calls leading to possibility of a Cross Site Request Forgery CSRF attack. This vulnerability is mitigated by the fact that the attacker must be ab...

6.8CVSS6.3AI score0.00894EPSS
Exploits0References12
Drupal
Drupal
•added 2012/05/02 12:0 a.m.•16 views

SA-CONTRIB-2012-070 - Taxonomy Grid : Catalog - Cross Site Scripting (XSS) - Unsupported

CVE: CVE-2012-2308 This module provides a page where you can see each content types you've selected under terms from vocabularies you've selected. This module does not properly filter user supplied text resulting in a Cross Site scripting bug. This vulnerability is mitigated by the fact that an...

3.5CVSS6AI score0.00946EPSS
Exploits0References8
Drupal
Drupal
•added 2012/05/02 12:0 a.m.•16 views

SA-CONTRIB-2012-068 - Node Gallery - Cross Site Request Forgery (CSRF) - Unsupported

CVE: CVE-2012-2305 Node gallery enable users to create a more flexible and powerful gallery that are fully integrated with Drupal's core node system. This module does not protect a CSRF attack when creating node galleries. Versions affected 6.x-3.1 and before Drupal core is not affected. If you d...

6.8CVSS6.5AI score0.00636EPSS
Exploits0References8
Drupal
Drupal
•added 2012/03/28 12:0 a.m.•16 views

SA-CONTRIB-2012-050 - CDN2 Video - Unsupported

CDN2 is a plug and play module and video management service for Drupal. The module does not sanitize output correctly, allowing for a cross-site scripting XSS vulnerability. Additionally, the Form API is not correctly utilized allowing for cross-site request forgery CSRF attempts. This module...

6.8CVSS5.6AI score0.01284EPSS
Exploits0References7
Drupal
Drupal
•added 2012/03/28 12:0 a.m.•17 views

SA-CONTRIB-2012-043 - MultiBlock - Cross Site Scripting

CVE: CVE-2012-2070 The MultiBlock module allows an administrator to create multiple instances of blocks provided by other modules. The module does not properly sanitize the block title provided by a block administrator, leading to a cross-site scripting XSS vulnerability. Such an attack may lead ...

2.1CVSS5.6AI score0.01318EPSS
Exploits1References12
Drupal
Drupal
•added 2012/01/11 12:0 a.m.•16 views

SA-CONTRIB-2012-005 - Vote up/down - Cross Site Scripting

CVE: CVE-2012-1627 This module enables you to add voting widgets to nodes, terms and comments. The vudterm sub-module doesn't sufficiently sanitize taxonomy terms before display. In order to execute arbitrary script injection malicious users must have the ability to create or edit taxonomy terms...

3.5CVSS7.4AI score0.01578EPSS
Exploits0References11
Drupal
Drupal
•added 2011/11/09 12:0 a.m.•16 views

SA-CONTRIB-2011-053 - Quiz - Cross Site Scripting

Quiz module allows the creation and taking of tests that are scored either automatically or manually by a teacher. The module contains several cross site scripting XSS vulnerabilities that can be exploited when quizzes are being created. These vulnerabilities are mitigated by the fact that an...

6.1AI score
Exploits0References11
Drupal
Drupal
•added 2011/10/12 12:0 a.m.•16 views

SA-CONTRIB-2011-049 - Cumulus - Cross Site Scripting (XSS)

The Cumulus module allows you to display your site's tags using a 3D Flash animation. The module ships with a Flash file cumulus.swf that contains a cross site scripting XSS vulnerability that can be exploited when a user is made to view a specially crafted URL. If the user is logged in to an...

5.9AI score
Exploits0References9
Drupal
Drupal
•added 2011/10/05 12:0 a.m.•16 views

SA-CONTRIB-2011-045 - Rate module Cross Site Scripting

The Rate module provides flexible rate widgets. These widgets are refreshed via AJAX after voting. The AJAX callback does not correctly handle certain arguments obtained from the URL. By enticing a suitably privileged user to visit a specially crafted URL, a malicious user is able to insert...

6.5AI score
Exploits0References11
Drupal
Drupal
•added 2011/08/03 12:0 a.m.•16 views

SA-CONTRIB-2011-033 - iWebkit - Cross Site Scripting

iWebKit is a web toolkit designed to create iPhone and iPod touch compatible websites and webapps. iWebkit does not properly sanitize menu links when displayed, allowing a malicious user to embed scripts in menu items, thus creating a cross site scripting XSS vulnerability that may lead to an...

5.9AI score
Exploits0References10
Drupal
Drupal
•added 2010/12/22 12:0 a.m.•16 views

SA-CONTRIB-2010-113 - Image - Cross Site Scripting

The Image module project contains supplemental modules, one of which, Image gallery, allows users to create and maintain galleries of image nodes using taxonomy terms. The Image gallery module does not sanitize some user-supplied data before displaying it, leading to a Cross Site Scripting XSS...

6.3AI score
Exploits0References12
Drupal
Drupal
•added 2010/12/22 12:0 a.m.•16 views

SA-CONTRIB-2010-112 - oEmbed - Access Bypass

The oEmbed module allows a Drupal site to embed content from oEmbed-providers as well as for a site to become an oEmbed-provider itself so that other oEmbed-enabled websites can embed its content. If an external site requested to embed a node, the oEmbed provider did not check node access,...

6.9AI score
Exploits0References8
Drupal
Drupal
•added 2010/12/08 12:0 a.m.•16 views

SA-CONTRIB-2010-109 - Embedded Media Field, Media: Video Flotsam, Media: Audio Flotsam - Multiple Vulnerabilities

1 - Arbitrary File Upload/Code Execution Vulnerability The Embedded Thumbnail module packaged with the project allows users who upload videos to upload their own thumbnails to replace The Drupal Embedded Media Field module. Unfortunately, the Embedded Thumbnail Module contains a vulnerability tha...

7.3AI score
Exploits0References12
Drupal
Drupal
•added 2010/12/01 12:0 a.m.•16 views

SA-CONTRIB-2010-106 - Comment Edited - Cross Site Scripting

The Comment Edited module displays a customizable message at the bottom of a comment when it has been edited. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability that may lead to a malicious user gaining full...

6.1AI score
Exploits0References8
Drupal
Drupal
•added 2010/11/10 12:0 a.m.•16 views

SA-CONTRIB-2010-102 - Category tokens - Cross Site Scripting

The Category tokens module exposes additional tokens for the first and last terms related to a node for each vocabulary. The module does not sanitize the vocabulary names when displayed in token help, leading to a Cross-Site Scripting XSS vulnerability that may lead to a malicious user gaining fu...

5.9AI score
Exploits0References7
Drupal
Drupal
•added 2010/09/08 12:0 a.m.•16 views

SA-CONTRIB-2010-090 - Yr Weatherdata - SQL Injection

The Yr Weatherdata module displays weather forecasts, and enables users with the proper permission to set the sort method. When setting the sorting method the module does not filter the value input by the user correctly. This vulnerability can be exploited to perform an SQL Injection attack...

8.3AI score
Exploits0References7
Drupal
Drupal
•added 2010/07/28 12:0 a.m.•16 views

SA-CONTRIB-2010-077 - Sage Pay (former Protx) Direct Payment Gateway for Ubercart - Information Disclosure

The Sage Pay Direct Payment Gateway for Ubercart ucprotxvspdirect processes credit card transactions in Ubercart stores using the Sage Pay Direct service. The module may show remote 3-D Secure pages to the user in an iframe when their bank supports the Verified by Visa or MasterCard SecureCode...

6.6AI score
Exploits0References6
Drupal
Drupal
•added 2010/06/16 12:0 a.m.•16 views

SA-CONTRIB-2010-064 - Ubercart MIGS Payment Gateway - Web Parameter Tampering

The Ubercart MIGS Payment Gateway module provides support for the MIGS 3rd-party payment gateway used by ANZ, Commonwealth Bank, Bendigo Bank, and various other banks worldwide for payment processing. This module was susceptible to web parameter tampering which allowed users to bypass paying the...

7AI score
Exploits0References5
Drupal
Drupal
•added 2010/05/19 12:0 a.m.•16 views

SA-CONTRIB-2010-055 - Simplenews - Access bypass

Simplenews publishes and sends email newsletters to lists of subscribers, with both anonymous and authenticated users being able to opt-in to mailing lists. The user subscription form does not use the correct access permission resulting in any user with the permission 'subscribe to newsletters'...

6.9AI score
Exploits0References8
Drupal
Drupal
•added 2010/05/12 12:0 a.m.•16 views

SA-CONTRIB-2010-048: CiviRegister - Cross Site Scripting

The CiviRegister module replaces the standard Drupal user registration form with a CiviCRM Profile form configured to create users. Notifications on the Profile's administrative page include unsanitized data obtained from the URL. A malicious user could create a special link which would inject...

7.2AI score
Exploits0References5
Drupal
Drupal
•added 2010/04/07 12:0 a.m.•16 views

SA-CONTRIB-2010-034 - Internationalization - Cross Site Scripting

The Internationalization module enables translation of user defined strings using Drupal's locale interface. Some of these user defined strings have Input formats associated with them and some of the strings used for translating blocks were not properly filtered before display. Additionally all...

6.2AI score
Exploits0References5
Drupal
Drupal
•added 2010/04/07 12:0 a.m.•16 views

SA-CONTRIB-2010-036 - Views - multiple vulnerabilities

The Views module provides a flexible method for Drupal site designers to control how lists of content are presented. Views accepts parameters in the URL and uses them in an AJAX callback. The values were not filtered, thus allowing injection of JavaScript code via the AJAX response. A user tricke...

6AI score
Exploits0References9
Drupal
Drupal
•added 2010/03/17 12:0 a.m.•16 views

SA-CONTRIB-2010-027: Email Input Filter - Arbitrary code execution

Email Input Filter converts email style markup into web friendly format. Arbitrary code execution vulnerability in this module allows a remote attacker with the ability to create content using an input format with the email input filter enabled to execute arbitrary PHP code on an affected system...

8.2AI score
Exploits0References5
Drupal
Drupal
•added 2010/03/10 12:0 a.m.•16 views

SA-CONTRIB-2010-026 - Monthly Archive by Node Type - Access Bypass

The Monthly Archive by Node Type module generates monthly archive pages and a block with links to the pages. You can specify the node types that will be included in the archive pages. In some summary listings, the Monthly Archive by Node Type module does not construct its SQL query to respect nod...

7.7AI score
Exploits0References6
Drupal
Drupal
•added 2010/01/06 12:0 a.m.•16 views

SA-CONTRIB-2010-001 - Wunderbar - Cross Site Scripting

The Wunderbar! module provides a floating bar with configurable buttons and the ability to link off to social networking sites. The module does not properly escape user names, potentially allowing a cross site scripting XSS attack which may lead to the user gaining full administrative access. The...

6AI score
Exploits0References6
Drupal
Drupal
•added 2010/01/06 12:0 a.m.•16 views

SA-CONTRIB-2010-002 - Currency Exchange - Cross site scripting

This module provides a site with the ability to display currency exchange rates. The module does not sanitize some of the user-supplied data before logging it to the watchdog, leading to a cross-site scripting XSS vulnerability. Versions affected Currency Exchange version prior to 6.x-1.2 Drupal...

6AI score
Exploits0References6
Drupal
Drupal
•added 2009/12/09 12:0 a.m.•16 views

SA-CONTRIB-2009-111 - Randomizer - Cross Site Scripting

The Randomizer module assists researchers and students who want an easy way to perform random sampling or assign participants to experimental conditions. It accepts form input as parameters for generating a pseudo-random list of numbers. The module does not sanitize some of the user-supplied data...

6.3AI score
Exploits0References4
Drupal
Drupal
•added 2009/11/04 12:0 a.m.•16 views

SA-CONTRIB-2009-094 - NGP COO/CWP Integration (crmngp) - Multiple Vulnerabilities

The NGP COO/CWP Integration module provides Drupal integration with the NGP Software API for efficient campaign management. An administration page did not properly implement access control thereby allowing untrusted users to view module log information. User-supplied information was not filtered ...

5.5AI score
Exploits0References7
Drupal
Drupal
•added 2009/07/08 12:0 a.m.•16 views

SA-CONTRIB-2009-041 - Nodequeue - Access bypass

The Nodequeue module enables an administrator to arbitrarily put nodes in a group with an arbitrary order for any purpose, such as providing a listing of nodes or featuring a particular node. On the queue administration screen, users with permission to manipulate a queue are presented with an...

7AI score
Exploits0References5
Drupal
Drupal
•added 2009/05/27 12:0 a.m.•16 views

SA-CONTRIB-2009-031 - Ajax Session - Multiple vulnerabilities

The Ajax session module allows users to set PHP session variables using AJAX. The module does not make proper use of the Drupal API, leaving it open to multiple vulnerabilities, including Cross Site Request Forgeries CSRF and Cross Site Scripting XSS. Versions affected Ajax Session 5.x-1.0 Drupal...

7AI score
Exploits0References4
Total number of security vulnerabilities1940