Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2006/09/08 12:0 a.m.16 views

Pubcookie security bypass

It is possible for a malicious user to spoof a user's identity by bypassing the login redirection mechanism in the pubcookie module. The malicious user may gain the privileges of the user they are spoofing, including the administrative user. Versions affected Drupal core is not affected. If you d...

7.2AI score
Exploits0References4
Drupal
Drupal
added 2005/11/30 12:0 a.m.16 views

DRUPAL-SA-2005-007 XSS vulnerability in submitted content

Ahmed Saad has brought to our attention a creative way to enter malicious HTML content. Upon further investigation we found that interpretation of broken HTML/SGML and various quirks in interpretation of correctly formed, but non-sensical attribute values by various browsers also allows entering...

6AI score
Exploits0References4
Drupal
Drupal
added 2005/11/30 12:0 a.m.16 views

DRUPAL-SA-2005-009 Bypass "view user profiles" permission

Andrew Widdowson informed us that it's possible to bypass the 'access user profile' permission if the server is running PHP5. No data can be changed though. Versions affected Drupal 4.6.0, 4.6.1, 4.6.2, 4.6.3 Solution If you are running Drupal 4.6.x and PHP5, then upgrade to Drupal 4.6.4...

6.8AI score
Exploits0References3
Drupal
Drupal
added 2026/06/10 12:0 a.m.15 views

Brute force attack protection - Critical - Unsupported - SA-CONTRIB-2026-047

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.2AI score0.00153EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/03 12:0 a.m.15 views

LocalGov Workflows - Moderately critical - Information disclosure - SA-CONTRIB-2026-039

This module configures default editorial workflows for LocalGov Drupal content types. It provides a Drupal content moderation workflow, a content approvals dashboard, content scheduling and content preview. The module doesn't sufficiently restrict access to a view of Service Contacts at which...

5.8AI score0.00142EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/03 12:0 a.m.15 views

TacJS - Moderately critical - Improper Access Control - SA-CONTRIB-2026-040

This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied markup inside of content leading to an attacker being able to delete arbitrary cookies. This vulnerability is mitigated by the fact that an attacker needs ...

5.9AI score
Exploits0References2
Drupal
Drupal
added 2026/05/13 12:0 a.m.15 views

Translate Drupal with GTranslate - Less critical - DOM clobbering / link manipulation - SA-CONTRIB-2026-035

The GTranslate module provides a language switcher widget for Drupal sites. The module’s widget JavaScript did not sufficiently validate that document.currentScript referred to the executing script element. A user who can add HTML to a page could cause the generated language-switcher links to poi...

2.7CVSS5.8AI score0.00236EPSS
Exploits0References2
Drupal
Drupal
added 2026/05/13 12:0 a.m.15 views

Node View Permissions - Moderately critical - Access bypass - SA-CONTRIB-2026-034

Node view permissions module enables permissions "View own content" and "View any content" for each content type on permissions page The module doesn't sufficiently handle the case where a user is cancelled and their content is reassigned to the anonymous user. This vulnerability is mitigated by...

3.7CVSS5.8AI score0.00214EPSS
Exploits0References3
Drupal
Drupal
added 2026/03/04 12:0 a.m.15 views

Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023

This module extends the Drupal form API adding "Calculation element" form element types, which can evaluate a maths expression. It offers webform integration. The module doesn't sufficiently validate user input; this could be exploited to achieve Information Disclosure or Cross-site Scripting XSS...

6.1CVSS5.8AI score0.00243EPSS
Exploits0References2
Drupal
Drupal
added 2026/03/04 12:0 a.m.15 views

OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026

This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created. A visitor who successfully logs in to their Identity Provider and ...

6.5CVSS5.8AI score0.00246EPSS
Exploits0References2
Drupal
Drupal
added 2026/02/25 12:0 a.m.15 views

Anti-Spam by CleanTalk - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-014

This module enables you to block bots by Firewall. The module doesn't sufficiently sanitize user input leading to a reflected Cross-site scripting XSS vulnerability. This vulnerability is mitigated by the fact that the vulnerable functionality is only presented to users that are "challenged" or...

4.7CVSS5.3AI score0.00171EPSS
Exploits0References2
Drupal
Drupal
added 2025/09/24 12:0 a.m.15 views

Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-108

This module enables users to sign in with an access code instead of entering user names and passwords. When users are allowed to pick their own access codes, they can guess other users' access codes based on the fact that access codes need to be unique and the system warns if the code of their...

6.3CVSS5.6AI score0.00225EPSS
Exploits0References2
Drupal
Drupal
added 2025/05/21 12:0 a.m.15 views

Commerce Alphabank Redirect - Moderately critical - Access bypass - SA-CONTRIB-2025-067

This module enables you to pay for Commerce order to an environment provided and secured by the bank The module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request to update the order status to completed...

8.8CVSS6.7AI score0.00271EPSS
Exploits0References2
Drupal
Drupal
added 2025/03/19 12:0 a.m.15 views

RapiDoc OAS Field Formatter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-025

This module can be used to render Open API Documentation using the RapiDoc library. The module provides a custom formatter for link fields. Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability XSS. A separate fix for Drupal cor...

6.1CVSS6.7AI score0.00242EPSS
Exploits0References2
Drupal
Drupal
added 2025/02/12 12:0 a.m.15 views

SpamSpan filter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-016

This module enables your site to obfuscate Email addresses and prevent spambots to collect them. The module doesn't sanitize HTML data attributes when an email address link is transformed to separate span HTML elements and then transformed back by JavaScript leading to a Cross Site Scripting XSS...

6.1CVSS5.8AI score0.00242EPSS
Exploits0References2
Drupal
Drupal
added 2025/01/22 12:0 a.m.15 views

Flattern – Multipurpose Bootstrap Business Profile - Critical - Unsupported - SA-CONTRIB-2025-005

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

6.6CVSS7.1AI score0.00493EPSS
Exploits0References2
Drupal
Drupal
added 2024/10/02 12:0 a.m.15 views

Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. The module does not sufficiently migrate sessions before prompting for a second factor token. This vulnerability is mitigated by the fact that an attacker must fixat...

9.8CVSS5.7AI score0.0045EPSS
Exploits0References8
Drupal
Drupal
added 2024/08/07 12:0 a.m.15 views

Opigno Learning path - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-029

The Opigno Learning Path module enables you to manage group content. Administrative forms allow uploading malicious files which may contain arbitrary code RCE or cross site scriptiong XSS. These forms were not adequately controlled with permissions that communicate the severity of the permission...

7.5CVSS7.1AI score0.00547EPSS
Exploits0References9
Drupal
Drupal
added 2023/08/30 12:0 a.m.15 views

Obfuscate Email - Less critical - Cross Site Scripting - SA-CONTRIB-2023-042

This module enables you to hide email addresses from bots and site scrapers by using the rot13 strategy. The module doesn't sufficiently escape the data attribute under the scenario a user has access to manipulate that value. This vulnerability is mitigated by the fact that an attacker must have ...

6.6AI score
Exploits0References7
Drupal
Drupal
added 2023/03/01 12:0 a.m.15 views

Better Social Sharing Buttons - Less critical - Cross Site Scripting - SA-CONTRIB-2023-006

This module enables you to add social sharing buttons to a site. The module doesn't sufficiently sanitize the weight and ratio values entered in the module or block configuration. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks"...

6.4AI score
Exploits0References5
Drupal
Drupal
added 2022/09/07 12:0 a.m.15 views

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-056

This module enables you to set content permissions based on taxonomy terms. The module doesn't sufficiently restrict access to translated and unpublished nodes. This vulnerability is mitigated by the fact that it only affects sites with translated content...

6.6AI score
Exploits0References7
Drupal
Drupal
added 2022/03/09 12:0 a.m.15 views

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029

This module is used as part of the Opigno LMS distribution and implements learning paths for the LMS. The module was providing too much user information about users such as the list of groups a uid is in...

6.5AI score
Exploits0References4
Drupal
Drupal
added 2022/01/25 12:0 a.m.15 views

Cog - Critical - Unsupported - SA-CONTRIB-2022-018

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2022/01/25 12:0 a.m.15 views

Navbar - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-011

This module provides a very simple, mobile-friendly navigation toolbar. The module doesn't sufficiently check for user-provided input. This vulnerability is mitigated by the fact that an attacker must have the ability to post content using a text format like the default "Filtered HTML" format tha...

6.5AI score
Exploits0References4
Drupal
Drupal
added 2022/01/25 12:0 a.m.15 views

Business Responsive Theme - Critical - Unsupported - SA-CONTRIB-2022-013

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2022/01/25 12:0 a.m.15 views

Remote Stream Wrapper - Critical - Unsupported - SA-CONTRIB-2022-020

Update 2022-05-04: Existing maintainers have updated the project to clarify that the module did not contain a security issue that caused the module to be unsupported. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by...

6.6AI score
Exploits0References4
Drupal
Drupal
added 2022/01/05 12:0 a.m.15 views

Super Login - Critical - Access bypass - SA-CONTRIB-2022-001

This module enables you to login with an email address. The module doesn't sufficiently check if a user account is active when using email login. This vulnerability is mitigated by the fact that an attacker must have an account in the website that is blocked...

6.5AI score
Exploits0References5
Drupal
Drupal
added 2021/06/30 12:0 a.m.15 views

Block Content Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-022

This module provides a revision UI for Block Content entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2021/06/30 12:0 a.m.15 views

Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-021

This module provides a revision UI for Linky entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2021/06/16 12:0 a.m.15 views

Linky Revision UI - Moderately critical - Access bypass - SA-CONTRIB-2021-016

This module provides a revision UI to Linky entities. The module doesn't sufficiently respect access restrictions to certain entities when used in conjunction with specific modules. This vulnerability is mitigated by the fact that an attacker must have a role with any of the permissions provided ...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2020/11/18 12:0 a.m.15 views

Media: oEmbed - Critical - Remote Code Execution - SA-CONTRIB-2020-036

Media oEmbed does not properly sanitize certain filenames as described in SA-CORE-2020-012...

6.7AI score
Exploits0References7
Drupal
Drupal
added 2020/08/05 12:0 a.m.15 views

Group - Moderately critical - Information disclosure - SA-CONTRIB-2020-032

The Group module enables you to hand out permissions on a smaller subset, section or community of your website. With the 1.1 security release, new code was introduced to ensure proper access for all entity types, but a mistake introduced unexpected access to unpublished nodes...

6.8AI score
Exploits0References4
Drupal
Drupal
added 2020/07/22 12:0 a.m.15 views

Easy Breadcrumb - Moderately critical - Cross site scripting - SA-CONTRIB-2020-027

This module enables you to use the current URL path alias and the current page's title to automatically extract the breadcrumb's segments and its respective links then show them as breadcrumbs on your website. The module doesn't sufficiently sanitize editor input in certain circumstances leading ...

6AI score
Exploits0References6
Drupal
Drupal
added 2020/05/06 12:0 a.m.15 views

Webform - Critical - Access bypass - SA-CONTRIB-2020-016

This webform module enables you to build 'Term select' and 'Term checkboxes' elements. The module doesn't sufficiently check term 'view' access when rendering the 'Term select' and 'Term checkboxes' elements. Unpublished terms will always appear in the 'Term select' and 'Term checkboxes' elements...

6.6AI score
Exploits0References6
Drupal
Drupal
added 2020/03/11 12:0 a.m.15 views

SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-006

This module enables you to authenticate Drupal users using an external SAML Identity Provider. If the site is configured to allow visitors to register for user accounts but administrator approval is required, the module doesn't sufficiently enforce the administrative approval requirement, in the...

6.4AI score
Exploits0References6
Drupal
Drupal
added 2019/12/11 12:0 a.m.15 views

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-095

The Permissions by Term module extends Drupal by functionality for restricting access to single nodes via taxonomy terms. The module doesn't sufficiently restrict access to node previews, when the Search API module is used to display nodes in search result lists...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2019/11/13 12:0 a.m.15 views

Bypass Form Validations - Critical - Unsupported - SA-CONTRIB-2019-079

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2019/11/13 12:0 a.m.15 views

Nodequeue - Critical - Cross Site Scripting - SA-CONTRIB-2019-085

Updated November 22. This module enables you to collect nodes in an arbitrarily ordered list. Nodequeue's JavaScript can be leveraged to insert HTML from attacker-controlled JSON data. This is exploitable if user-submitted "Filtered HTML" content is displayed on a page where nodequeue.js is loade...

6.3AI score
Exploits0References9
Drupal
Drupal
added 2019/11/13 12:0 a.m.15 views

Webform Multiple File Upload - Critical - Unsupported - SA-CONTRIB-2019-090

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2019/11/13 12:0 a.m.15 views

SendinBlue - Critical - Access bypass - SA-CONTRIB-2019-088

Update: This module had an access bypass vulnerability which has now been addressed by the module’s current maintainers. Original description The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you...

7.1AI score
Exploits0References2
Drupal
Drupal
added 2019/11/13 12:0 a.m.15 views

Noggin - Critical - Unsupported - SA-CONTRIB-2019-080

Update - 2021-01-22 This maintainer has fixed this security issue. Please install https://www.drupal.org/project/noggin/releases/7.x-1.2 to resolve the issue. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the...

6.6AI score
Exploits0References3
Drupal
Drupal
added 2019/08/14 12:0 a.m.15 views

Forms Steps - Critical - Access bypass - SA-CONTRIB-2019-064

Forms Steps provides an UI to create form workflows using form modes. It creates quick and configurable multisteps forms. The module doesn't sufficiently check user permissions to access its workflows entities that allows to see any entities that have been created through the different steps of i...

6.7AI score
Exploits0References8
Drupal
Drupal
added 2019/07/24 12:0 a.m.15 views

Metatag - Moderately critical - Information disclosure - SA-CONTRIB-2019-058

This module enables you to customize meta tags to help with a site's search engine ranking and improve the display of page summaries when shared on social networks. The module doesn't sufficiently check for a site being in maintenance mode. This vulnerability is mitigated by the fact that the sit...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2019/07/17 12:0 a.m.15 views

Meta tags quick - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-057

Metatags quick is a module that manages meta tags tags that appear in HTML's head section as Drupal 7 fields. Administration page of metatags quick does not sanitize the output of blocks that appear on the same page. This allows an attacker to inject malicious JavaScript in block markup. This...

6.3AI score
Exploits0References5
Drupal
Drupal
added 2019/05/29 12:0 a.m.15 views

Universally Unique IDentifier - Moderately critical - Access bypass - SA-CONTRIB-2019-052

This module provides an API for adding universally unique identifiers UUID to Drupal objects, most notably entities. The module has a privilege escalation vulnerability when it's used in combination with Services+REST server. This vulnerability is mitigated by the fact that an attacker must...

6.8AI score
Exploits0References6
Drupal
Drupal
added 2019/05/15 12:0 a.m.15 views

Multiple Registration - Critical - Access bypass - SA-CONTRIB-2019-048

This module enables you to use special routes for user registration with special roles and custom field sets defined for the role. The module doesn't sufficiently check which user roles can be registered under the scenario when the user tries to register the user with the administrator role. This...

6.7AI score
Exploits0References5
Drupal
Drupal
added 2019/03/13 12:0 a.m.15 views

Views (for Drupal 7) - Moderately critical - Information disclosure - SA-CONTRIB-2019-035

This module enables you to create customized lists of data. The module doesn't sufficiently build queries when used with exposed filters, leading to a possible information disclosure vulnerability in certain rare circumstances. This vulnerability is mitigated by the fact that a view must have an...

6.2AI score
Exploits0References14
Drupal
Drupal
added 2019/03/13 12:0 a.m.15 views

Views (for Drupal 7) - Less critical - Cross site scripting - SA-CONTRIB-2019-036

This module enables you to create customized lists of data. The module doesn't sufficiently sanitize certain field types, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that a view must display a field with the format "Full data serialized" and an...

6AI score
Exploits0References12
Drupal
Drupal
added 2019/03/06 12:0 a.m.15 views

Ubercart - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2019-032

The Ubercart module provides a shopping cart and e-commerce features for Drupal. The taxes module doesn't sufficiently protect the tax rate cloning feature. A malicious user could trick a store administrator into duplicating an existing tax rate by getting them to visit a specially-crafted URL...

6.6AI score
Exploits0References5
Drupal
Drupal
added 2019/02/13 12:0 a.m.15 views

Entity Registration - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-017

This module enables you to take registrations for events, gathering information from registrants including email address and any other questions you wish to configure. In some cases, an anonymous user may view, edit, or delete other anonymous registrations by guessing the URL of that registration...

6.4AI score
Exploits0References5
Total number of security vulnerabilities1940