Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2019/02/06 12:0 a.m.15 views

Acquia Connector - Moderately critical - Access bypass - SA-CONTRIB-2019-014

Acquia Connector facilitates sending certain telemetry data to Acquia for the purposes of analysis. The module automates the collection of site information to speed support communication and issue resolution. It is required for use with the Acquia Insight service. The module does not properly...

6.3AI score
Exploits0References9
Drupal
Drupal
added 2019/02/06 12:0 a.m.15 views

Public Download Count - Less critical - Open Redirect Vulnerability - SA-CONTRIB-2019-012

This module enables you to track download counts of files linked from a Drupal site. Links in Drupal content are rewritten to go through an intermediate page that records download stats and then redirects to the final destination. The module did not verify that the links provided to the...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2018/12/19 12:0 a.m.15 views

E-Sign - Moderately critical - Cross site scripting - SA-CONTRIB-2018-080

This module allows for integration of Signature Pad, an electronic-signing script, into Drupal for both nodes content, the Field API FAPI, and Webforms. The module doesn't sufficiently filter user input when displaying a signature. The vulnerability is mitigated by the fact that an attacker must...

6.4AI score
Exploits0References6
Drupal
Drupal
added 2018/10/10 12:0 a.m.15 views

NVP field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-066

NVP field module allows you to create a field type of name/value pairs, with custom titles and easily editable rendering with customizable HTML/text surrounding the pairs. The module doesn't sufficiently handle sanitization of its field formatter's output. This vulnerability is mitigated by the...

6.4AI score
Exploits0References5
Drupal
Drupal
added 2018/06/27 12:0 a.m.15 views

Generate Password - Less critical - Insecure Randomness - SA-CONTRIB-2018-042

The Genpass module makes the password field optional or hidden on the add new user page admin & registration. If the password field is not set during registration, the system generates a password. The module doesn't use a strong source of randomness, creating weak and predictable passwords. This...

6.6AI score
Exploits0References7
Drupal
Drupal
added 2018/05/09 12:0 a.m.15 views

SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2018-027

This module adds a new formatter for the file fields, which allows any file extension to be uploaded. The module doesn't sufficiently handle sanitization under the scenario uploaded SVG files. This vulnerability is mitigated by the fact that an attacker must have a role with the permission create...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2018/02/14 12:0 a.m.15 views

Dynamic Banner - Less critical - Cross site scripting - SA-CONTRIB-2018-011

This module enables a site to display different banners via blocks on different pages depending upon specific criteria. The module doesn't sufficiently filter output of banner data. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...

6.4AI score
Exploits0References5
Drupal
Drupal
added 2018/02/14 12:0 a.m.15 views

Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2018-010

This module enables the user to set custom permissions per path. The module doesn't perform sufficient checks on paths with dynamic arguments like "node/1" or "user/2", thereby allowing the site administrator to save custom permissions for paths that won't be protected. This could lead to an acce...

6.5AI score
Exploits0References4
Drupal
Drupal
added 2017/12/06 12:0 a.m.15 views

Mailhandler - Critical - Remote Code Execution - SA-CONTRIB-2017-089

The Mailhandler module enables you to create nodes by email. The Mailhandler module does not validate file attachments. By sending a correctly crafted e-mail to a mailhandler mailbox an attacker can execute arbitrary code. The vulnerability applies to any active mailhandler mailbox, whether or no...

7.6AI score
Exploits0References7
Drupal
Drupal
added 2017/11/29 12:0 a.m.15 views

Domain Integration (Drupal 7) - Moderately critical - Access bypass - SA-CONTRIB-2017-084

This module enables you to integrate the Domain module with other popular Drupal modules. The Domain Integration Login Restrict sub-module enables you to restrict access to a domain based on the assigned domains on a user. The Domain Integration Login Restrict sub-module doesn't sufficiently chec...

6.8AI score
Exploits0References7
Drupal
Drupal
added 2017/09/06 12:0 a.m.15 views

Clientside Validation - Critical - Arbitary PHP Execution - DRUPAL-SA-CONTRIB-2017-072

The Clientside Validation module enables you to have clientside Javascript validation on your forms. The module does not sufficiently validate parameters of a POST request made when validating a CAPTCHA. For the 1.x version of this module, this vulnerability is mitigated by the fact that the...

7AI score
Exploits0References11
Drupal
Drupal
added 2017/08/30 12:0 a.m.15 views

Commerce invoices - Highly Critical - SQL Injection and Cross Site scripting - DRUPAL-SA-CONTRIB-2017-070

Commerce Invoices allows you to enter an Invoice number, Company name and Amount and it will generate an Invoice that the client can pay on your site using any payment method supported by Drupal commerce. SQL Injection The module did not properly use Drupal's database API when querying the databa...

7AI score
Exploits0References12
Drupal
Drupal
added 2017/08/09 12:0 a.m.15 views

Better field descriptions - Critical - XSS - SA-CONTRIB-2017-064

This module enables you to add themeable descriptions to fields in forms. The module doesn't sufficiently sanitize descriptions. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "add better descriptions to fields". CVE identifiers issued ACVE...

7AI score
Exploits0References12
Drupal
Drupal
added 2017/08/09 12:0 a.m.15 views

Relation - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-063

This module enables you to store relationships between entities as fieldable entities. The module doesn't sufficiently check permissions when displaying related entities labels with the Relation Dummy Field module widget. This vulnerability is mitigated by the fact that the optional Relation Dumm...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2017/07/05 12:0 a.m.15 views

DrupalChat - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-057

UPDATE 2017-07-12 : This SA originally recommended version 2.6, but it was incorrectly tagged. We've updated the SA to recommend version 2.7. Sorry for the confusion! DrupalChat allows visitors of your Drupal site to chat with each other privately or together in a public chatroom. The module did...

6.7AI score
Exploits0References13
Drupal
Drupal
added 2017/06/28 12:0 a.m.15 views

Services - Critical - SQL Injection - SA-CONTRIB-2017-054

This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The module doesn't sufficiently sanitize column names provided by the client when they are querying for data and trying to sort it. This vulnerability is mitigated by the fact tha...

6.8AI score
Exploits0References11
Drupal
Drupal
added 2017/06/21 12:0 a.m.15 views

Search 404 - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-053

The Search 404 module enables you to redirect 404 pages to a search page on the site for the keywords in the url that was not found. The module did not filter administrator-provided text before displaying it to the user on the 404 page creating a Cross Site Scripting XSS vulnerability. This...

6.1AI score
Exploits0References13
Drupal
Drupal
added 2017/05/10 12:0 a.m.15 views

Media - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-044

This module provides intuitive ways to manage large libraries of media, insert or display or import various types of media either through fields or a wysiwyg interface. Versions of this module prior to 7.x-2.1 or 7.x-3.0-alpha5 did not sufficiently whitelist input parameters for the media browser...

6.9AI score
Exploits0References10
Drupal
Drupal
added 2017/04/12 12:0 a.m.15 views

Media - Critical - 1.x branch unsupported - SA-CONTRIB-2017-042

The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a 3rd party site - it is commonly referred to as a 'file browser to the internet'. Versions affected Only the 1.x branch is affected. Version 2.0...

6.7AI score
Exploits0References16
Drupal
Drupal
added 2017/03/15 12:0 a.m.15 views

Private - Critical - Access bypass - DRUPAL-SA-CONTRIB-2017-031

This module enables you to mark nodes as private so that they are only accessible to users that have been granted an extra permissions. The module doesn't always enforce the access restrictions. In some cases a node that a site admin expects to be private is actually accessible as normal or nodes...

7AI score
Exploits0References10
Drupal
Drupal
added 2017/03/08 12:0 a.m.15 views

Services - Highly Critical - Arbitrary Code Execution - SA-CONTRIB-2017-029

This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The module accepts user submitted data in PHP's serialization format "Content-Type: application/vnd.php.serialized" which can lead to arbitrary remote code execution. This...

7.6AI score
Exploits0References14
Drupal
Drupal
added 2017/03/01 12:0 a.m.15 views

AES - Critical - Unsupported - SA-CONTRIB-2017-027

This module provides an API that allows other modules to encrypt and decrypt data using the AES encryption algorithm. The module does not follow requirements for encrypting data safely. An attacker who gains access to data encrypted with this module could decrypt it more easily than should be...

6.8AI score
Exploits0References12
Drupal
Drupal
added 2017/01/25 12:0 a.m.15 views

Unpublished 404 - Critical - Access bypass - SA-CONTRIB-2017-021

The purpose of Unpublished 404 module is to emit a 404 error when a user tries to access a unpublished pages. Unpublished 404 7.x-1.0 has an access bypass vulnerability. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team...

7.1AI score
Exploits0References11
Drupal
Drupal
added 2017/01/25 12:0 a.m.15 views

DownloadFile - Critical - Unsupported - SA-CONTRIB-2017-023

DownloadFile is a module to direct download files or images. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466...

7.2AI score
Exploits0References10
Drupal
Drupal
added 2017/01/11 12:0 a.m.15 views

Autocomplete Deluxe - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-003

This module creates a new widget for taxonomy fields based on JQuery UI autocomplete. The module doesn't sufficiently escape the entered taxonomy terms thereby exposing a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have the permission ...

6.2AI score
Exploits0References11
Drupal
Drupal
added 2016/11/02 12:0 a.m.15 views

Like/Dislike - Critical - Cross Site Request Forgery - SA-CONTRIB-2016-056

Cross Site Request Forgery Like/Dislike module can be used to Like and Dislike actions on any content. It is powered by Drupal field concept. The module does not verify user intent on like/dislike links thereby exposing a Cross Site Request Forgery CSRF vulnerability. CVE identifiers issued ACVE...

7.3AI score
Exploits0References10
Drupal
Drupal
added 2016/10/19 12:0 a.m.15 views

Webform - Less Critical - Access Bypass - SA-CONTRIB-2016-053

This module provides a user interface to create and configure forms called Webforms. When using forms with private file uploads, Webform wasn't explicitly denying access to files it managed which could allow access to be granted by other modules. The vulnerability is mitigated by the fact that...

7AI score
Exploits0References14
Drupal
Drupal
added 2016/04/13 12:0 a.m.15 views

Boost - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-021

This module provides static page caching for Drupal enabling a very significant performance and scalability boost for sites that receive mostly anonymous traffic. The module doesn't prevent form cache from leaking between anonymous users which could result in information disclosure, where one use...

6.7AI score
Exploits0References13
Drupal
Drupal
added 2016/03/02 12:0 a.m.15 views

USASearch - Moderately Critical - Access Bypass - SA-CONTRIB-2016-010

This module indexes public content using USASearch, a program of the General Services Administration’s Office of Citizen Services and Information Technology OCSIT, which offers free search services to any federal, state, local, tribal, or territorial government agency that can be used to search o...

7.1AI score
Exploits0References13
Drupal
Drupal
added 2016/02/17 12:0 a.m.15 views

Nodejs - Access bypass - Moderately Critical -- DRUPAL-SA-CONTRIB-2016-007

This module provides an API that other modules can use to add realtime capabilities to Drupal, specifically enabling pushing updates to open connected clients. The module doesn't disconnect unauthenticated sockets, allowing those sockets to receive broadcast messages. For sites that only serve...

7AI score
Exploits0References11
Drupal
Drupal
added 2016/01/27 12:0 a.m.15 views

Open Atrium - Moderately Critical - Access Bypass - SA-CONTRIB-2016-003

Open Atrium allows you to control access via a hierarchy of public and private spaces and sub-spaces. If a public sub-space is created within a private parent-space, the content nodes of the public sub-space are accessible to users who are not members of the parent private space. This issue only...

7AI score
Exploits0References13
Drupal
Drupal
added 2015/12/16 12:0 a.m.15 views

Select2 Field Widget - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-173

Select2 Field Widget module enables you to use the select2 library for field widgets. The module doesn't sufficiently sanitize some user supplied text, leading to a reflected Cross Site Scripting vulnerability XSS. CVE identifiers issued ACVE identifier will be requested, and added upon issuance,...

6.7AI score
Exploits0References14
Drupal
Drupal
added 2015/12/02 12:0 a.m.15 views

Mollom - Critical - Access bypass - SA-CONTRIB-2015-168

The Mollom module allows users to protect their website from spam. As part of the spam protection, Mollom enables the website administrator to create a blacklist. When content is submitted that matches terms on the black list it will be automatically marked as spam and rejected per the site...

7.5CVSS7.5AI score0.01291EPSS
Exploits0References10
Drupal
Drupal
added 2015/05/06 12:0 a.m.15 views

Entityform Block - Moderately Critical - Access Bypass - SA-CONTRIB-2015-106

This module enables you to display an entityform as a block. The module doesn't sufficiently check permissions on the entityform under scenarios where the form is locked to a certain role. CVE identifiers issued CVE-2015-5493 Versions affected Entityform Block 7.x-1.x versions prior to 7.x-1.3...

5CVSS6.4AI score0.01381EPSS
Exploits0References12
Drupal
Drupal
added 2015/03/25 12:0 a.m.15 views

Petition - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-081

The Petition module enables you to create petitions which users may sign. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role...

2.1CVSS6AI score0.00949EPSS
Exploits0References9
Drupal
Drupal
added 2015/03/25 12:0 a.m.15 views

Crumbs - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-082

This module enables you to add navigation to your webpages colloquially referred to as "breadcrumbs". The module doesn't sufficiently sanitize custom HTML separators for breadcrumbs, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacke...

2.1CVSS5.9AI score0.00949EPSS
Exploits0References10
Drupal
Drupal
added 2015/03/11 12:0 a.m.15 views

SA-CONTRIB-2015-075 - Perfecto - Open Redirect

The Perfecto module allows themers accurately calibrate the CSS by floating compositions over the page. The module doesn't sufficiently check user supplied URLs in parameters used for page redirection. An attacker could trick users to visit malicious sites without realizing it. CVE identifiers...

5.8CVSS6.3AI score0.01204EPSS
Exploits0References9
Drupal
Drupal
added 2015/03/04 12:0 a.m.15 views

SA-CONTRIB-2015-065 - Registration codes - Multiple vulnerabilities

Registration codes module allows new account registrations only for users who provide a valid registration code. The module was not properly sanitizing user supplied text in some pages, thereby exposing XSS vulnerabilities. Additionally, some URLs were not protected against CSRF, a malicious user...

6.8CVSS5.7AI score0.01067EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/25 12:0 a.m.15 views

SA-CONTRIB-2015-062 - Watchdog Aggregator - Cross Site Request Forgery (CSRF) - Unsupported

Watchdog Aggregator collects watchdog messages from external sites. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to enable and disable monitoring sites by getting their browser to make a request to a specially-crafted URL. CVE...

7AI score
Exploits0References8
Drupal
Drupal
added 2015/02/25 12:0 a.m.15 views

SA-CONTRIB-2015-054 - SMS Framework - Cross Site Scripting (XSS)

SMS Framework module enables you to send and receive SMS messages from and into Drupal. The module doesn't sufficiently sanitize user supplied text in message previews, thereby exposing a reflected Cross Site Scripting vulnerability. An attacker could exploit this vulnerability by getting the...

2.6CVSS6AI score0.01178EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/18 12:0 a.m.15 views

SA-CONTRIB-2015-052 - RESTful Web Services - Access Bypass

This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The RESTWS Basic Auth submodule doesn't sufficiently disable page caching for authenticated requests thereby leaking potentially...

5CVSS6.2AI score0.01398EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/11 12:0 a.m.15 views

SA-CONTRIB-2015-045 - Node Access Product - Cross Site Scripting (XSS) - Unsupported

The Node Access Product module provides 'Node access' settings for product nodes, whereby users who purchase the product are granted view access to content, which can be predefined either by taxonomy, by node, or by Views. The module doesn't sufficiently sanitize node titles leading to the...

3.5CVSS5.8AI score0.00954EPSS
Exploits0References10
Drupal
Drupal
added 2015/01/21 12:0 a.m.15 views

SA-CONTRIB-2015-027 - Quizzler - Cross Site Scripting (XSS)

The Quizzler module allows you to create online quizzes and tests. Quizzes are nodes with questions attached. The module does not sanitize user input in the node title when displaying it on the page, allowing a malicious user to inject code, a Cross Site Scripting XSS attack. This vulnerability i...

3.5CVSS5.5AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2014/10/29 12:0 a.m.15 views

SA-CONTRIB-2014-106 - Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass

This module provides payment methods for the Drupal Commerce package to permit the use of the Authorize.Net payment gateway's SIM and DPM payment protocols. Access Bypass The module doesn't sufficiently protect the Drupal Commerce order number passed to the Authorize.Net payment gateway, allowing...

7.1AI score
Exploits0References13
Drupal
Drupal
added 2014/10/29 12:0 a.m.15 views

SA-CONTRIB-2014-104 - Addressfield Tokens - Cross Site Scripting

The Addressfield Tokens module extends the Addressfield module by adding full token support. The module doesn't sufficiently filter malicious user input, opening a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

6.2AI score
Exploits0References11
Drupal
Drupal
added 2014/09/10 12:0 a.m.15 views

SA-CONTRIB-2014-086 - Custom BreadCrumbs - Cross Site Scripting (XSS)

Custom Breadcrumbs allows administrators to set up parametrized breadcrumb trails for different content types, views, panels, taxonomy vocabularies and terms, paths, and a simple API that allows contributed modules to enable custom breadcrumbs for module pages and theme templates. User input is n...

5.4AI score
Exploits0References12
Drupal
Drupal
added 2014/08/27 12:0 a.m.15 views

SA-CONTRIB-2014-083 - Rules Link - Cross Site Scripting (XSS)

This module allows you to create links which trigger arbitrary functionality with the help of the Rules module. The module doesn't sufficiently sanitize the question and description strings when confirmation forms are displayed for triggering Rules links. This vulnerability is mitigated by the fa...

2.1CVSS6.5AI score0.00949EPSS
Exploits0References7
Drupal
Drupal
added 2014/07/16 12:0 a.m.15 views

SA-CONTRIB-2014-070 - Password Policy - Access Bypass

The Password Policy module enables you to define and enforce password policies with various constraints on allowable user passwords. Access Bypass 7.x only Password Policy has a Password Change Tab submodule which provides a tab for a user to change their password. Password Policy also has a...

7.1AI score
Exploits0References13
Drupal
Drupal
added 2014/06/11 12:0 a.m.15 views

SA-CONTRIB-2014-059 - Touch Theme - Cross Site Scripting (XSS)

Touch Theme is a light weight theme with modern look and feel. The theme does not sufficiently sanitize theme settings input for Twitter and Facebook username. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes". CVE identifiers...

2.1CVSS6.4AI score0.01264EPSS
Exploits0References10
Drupal
Drupal
added 2014/05/21 12:0 a.m.15 views

SA-CONTRIB-2014-054 - Views - Access Bypass

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. The module doesn't sufficiently check handler access when returning the list of handlers from viewplugindisplay::gethandlers. The...

7.2AI score
Exploits0References11
Total number of security vulnerabilities1940