Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported This module was...
SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028
SVG Formatter module provides support for using SVG images on your website. Our dependency library enshrined/svg-sanitize has a cross-site scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with permission that enables them to upload SVG images...
Quick Edit - Moderately critical - Information Disclosure - SA-CONTRIB-2022-025
This advisory addresses a similar issue to Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004. The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some conten...
Custom Breadcrumbs - Less critical - Cross Site Scripting - SA-CONTRIB-2022-024
The Custom Breadcrumbs module provides a variety of options for customizing the breadcrumb trail. The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...
Swiftype integration - Critical - Unsupported - SA-CONTRIB-2022-012
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported...
Image Media Export Import - Critical - Unsupported - SA-CONTRIB-2022-021
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported...
Super Login - Critical - Access bypass - SA-CONTRIB-2022-001
This module enables you to log in with an email address. The module doesn't sufficiently check if a user account is active when using email login. This vulnerability is mitigated by the fact that an attacker must have an account in the website that is blocked...
Wysiwyg - Moderately critical - Cross site scripting - SA-CONTRIB-2022-003
This module enables you to integrate various What-You-See-Is-What-You-Get (WYSIWYG) rich text editors into Drupal fields with text formats allowing markup for easier editing. The module doesn't sufficiently sanitize user input before attaching a WYSIWYG editor to an input field such as a textarea. ...
OpenID Connect Microsoft Azure Active Directory client - Moderately critical - Access Bypass - SA-CONTRIB-2021-044
This module enables users to authenticate through their Microsoft Azure AD account. The module does not sufficiently check authorization before updating user profile information in certain non-default configurations. This could lead to a user being able to hijack another existing account. This...
Linkit - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-042
Linkit provides an easy interface for internal and external linking with WYSIWYG editors by using an autocomplete field. It does not sufficiently sanitize user input. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit an entity bund...
Domain Group - Critical - Access bypass - SA-CONTRIB-2021-037
This module enables sites to define a domain from Domain Access that points directly to a group page. The module doesn't sufficiently manage access to content administrative paths, allowing an attacker to see and take actions on content nodes they should not be allowed to...
Webform - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-026
The Webform module uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Webform. An attacker that can create or edit content, even without access to CKEditor themselves, may be able to exploit one or more Cross-Site Scripting (XSS) vulnerabilities to...
Frequently Asked Questions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2021-012
The Frequently Asked Questions (faq) module allows users, with appropriate permissions, to create question and answer pairs which they want displayed on the 'faq' page. The 'faq' page is automatically generated from the FAQ nodes configured. Basic Views layouts are also provided and can be customis...
Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2021-008
This module enables you to add customizable facets on search pages, from core search or searches provided by Search API. The module doesn't sufficiently filter all output in certain circumstances. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...
SAML Authentication - Moderately critical - Access bypass - SA-CONTRIB-2021-006
The SAML Authentication module allows users to authenticate against a SAML identity provider to log in to your Drupal site. The module doesn't sufficiently protect against unauthorized local access, by way of using the 'password reset' facility, for users who are supposed to only be able to log in...
Media: oEmbed - Critical - Remote Code Execution - SA-CONTRIB-2020-036
Media oEmbed does not properly sanitize certain filenames as described in SA-CORE-2020-012...
Commerce Core - Moderately critical - Access bypass - SA-CONTRIB-2020-020
Drupal Commerce is used to build eCommerce websites and applications. It's possible to configure commerce to permit orders by anonymous users. In this configuration, customers who do not choose to create an account upon checkout completion remain anonymous, and the resulting orders are never...
Webform - Critical - Access bypass - SA-CONTRIB-2020-016
This webform module enables you to build 'Term select' and 'Term checkboxes' elements. The module doesn't sufficiently check term 'view' access when rendering the 'Term select' and 'Term checkboxes' elements. Unpublished terms will always appear in the 'Term select' and 'Term checkboxes' elements...
SVG Formatter - Critical - Cross site scripting - SA-CONTRIB-2020-005
SVG Formatter module provides support for using SVG images on your website. This security release fixes third-party dependencies included in or required by SVG Formatter. XSS bypass using entities and tab. This vulnerability is mitigated by the fact that an attacker must be able to upload SVG fil...
Bypass Form Validations - Critical - Unsupported - SA-CONTRIB-2019-079
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported...
Booking and Availability Management Tools for Drupal - Moderately critical - Access Bypass - SA-CONTRIB-2019-074
The Bat module provides a foundation through which a wide range of availability management, reservation and booking use cases can be addressed. The routes used to view events don't sufficiently guard access for non-privileged users. Specifically, a user with the 'View own' permission for bat even...
Simple AMP (Accelerated Mobile Pages) - Moderately critical - Access bypass - SA-CONTRIB-2019-071
This module allows display of a site's content in AMP format. The module doesn't sufficiently check access on unpublished or restricted content...
Localization update - Moderately critical - Insecure server configuration - SA-CONTRIB-2019-072
This module enables you to automatically download and update the site's interface translation by fetching them from localize.drupal.org or any other Localization server. The module doesn't sufficiently protect the directory it stores translation files in. It's conventional for directories which m...
Forms Steps - Critical - Access bypass - SA-CONTRIB-2019-064
Forms Steps provides a UI to create form workflows using form modes. It creates quick and configurable multistep forms. The module doesn't sufficiently check user permissions to access its workflow entities, which allows seeing any entities that have been created through the different steps of i...
Multiple Registration - Critical - Access bypass - SA-CONTRIB-2019-048
This module enables you to use special routes for user registration with special roles and custom field sets defined for the role. The module doesn't sufficiently check which user roles can be registered under the scenario when the user tries to register the user with the administrator role. This...
RESTful - Critical - Remote code execution - SA-CONTRIB-2019-041
This resolves issues described in SA-CORE-2019-003 for this module...
Views (for Drupal 7) - Less critical - Cross site scripting - SA-CONTRIB-2019-036
This module enables you to create customized lists of data. The module doesn't sufficiently sanitize certain field types, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that a view must display a field with the format "Full data serialized" and an...
Views (for Drupal 7) - Moderately critical - Information disclosure - SA-CONTRIB-2019-035
This module enables you to create customized lists of data. The module doesn't sufficiently build queries when used with exposed filters, leading to a possible information disclosure vulnerability in certain rare circumstances. This vulnerability is mitigated by the fact that a view must have an...
Public Download Count - Less critical - Open Redirect Vulnerability - SA-CONTRIB-2019-012
This module enables you to track download counts of files linked from a Drupal site. Links in Drupal content are rewritten to go through an intermediate page that records download stats and then redirects to the final destination. The module did not verify that the links provided to the...
E-Sign - Moderately critical - Cross site scripting - SA-CONTRIB-2018-080
This module allows for integration of Signature Pad, an electronic-signing script, into Drupal for node content, the Field API (FAPI), and Webforms. The module doesn't sufficiently filter user input when displaying a signature. The vulnerability is mitigated by the fact that an attacker must...
Password Policy - Less critical - Denial of Service - SA-CONTRIB-2018-077
The Password Policy module makes it possible to set constraints on user passwords which disallow certain passwords. The "digit placement" constraint is vulnerable to Denial of Service attacks if an attacker submits specially crafted passwords which can cause a site to become unresponsive. This...
Renderkit - Moderately critical - Access bypass - SA-CONTRIB-2018-060
This module, typically in combination with cfr:cfrplugin, allows composing behaviors from granular components. One such behavior is to display a list of related entities for a given source entity and a given entity relation (e.g. an entity reference field). The components that display related...
Fraction - Less critical - XSS vulnerability - SA-CONTRIB-2018-059
This module enables you to create fields for storing decimal values as two integers (numerator and denominator) for maximum precision. The module doesn't sufficiently filter XSS strings out of field labels. This vulnerability is mitigated by the fact that an attacker must have a role with the abili...
litejazz - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-050
This theme features 3 color styles, 12 fully collapsible regions, suckerfish menus, fluid or fixed widths, easy configuration, and more. The theme doesn't sufficiently sanitize user input. This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and...
Generate Password - Less critical - Insecure Randomness - SA-CONTRIB-2018-042
The Genpass module makes the password field optional or hidden on the add new user page (admin & registration). If the password field is not set during registration, the system generates a password. The module doesn't use a strong source of randomness, creating weak and predictable passwords. This...
Mass Password Reset - Less critical - Insecure Randomness - SA-CONTRIB-2018-043
This module enables you to reset passwords for all users based upon their user role. The module doesn't use a strong source of randomness, creating weak and predictable passwords. This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker,...
Dynamic Banner - Less critical - Cross site scripting - SA-CONTRIB-2018-011
This module enables a site to display different banners via blocks on different pages depending upon specific criteria. The module doesn't sufficiently filter output of banner data. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...
Node View Permissions - Moderately critical - Access Bypass - SA-CONTRIB-2018-002
The Node view permissions module enables the "View own content" and "View any content" permissions for each content type on the permissions page. This module has a vulnerability that allows users with these permissions to view unpublished content that they are not otherwise authorized to view. Th...
Domain Integration (Drupal 7) - Moderately critical - Access bypass - SA-CONTRIB-2017-084
This module enables you to integrate the Domain module with other popular Drupal modules. The Domain Integration Login Restrict sub-module enables you to restrict access to a domain based on the assigned domains on a user. The Domain Integration Login Restrict sub-module doesn't sufficiently chec...
Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2017-083
Custom Permissions is a lightweight module that allows permissions to be created and managed through an administrative form. When this module is in use, any user who is able to perform an action which rebuilds some of Drupal's caches can trigger a scenario in which certain pages protected by this...
H5P - Critical - Reflected Cross Site Scripting (XSS) - DRUPAL-SA-CONTRIB-2017-071
The H5P module helps create interactive videos, question sets, drag and drop questions, multichoice questions, boardgames, presentations, flashcards and more using Drupal. The module does not sufficiently filter text prior to printing it back to the page, leading to a Reflected Cross Site Scripti...
Commerce invoices - Highly Critical - SQL Injection and Cross Site scripting - DRUPAL-SA-CONTRIB-2017-070
Commerce Invoices allows you to enter an Invoice number, Company name and Amount, and it will generate an Invoice that the client can pay on your site using any payment method supported by Drupal Commerce. SQL Injection: The module did not properly use Drupal's database API when querying the databa...
Relation - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-063
This module enables you to store relationships between entities as fieldable entities. The module doesn't sufficiently check permissions when displaying related entities labels with the Relation Dummy Field module widget. This vulnerability is mitigated by the fact that the optional Relation Dumm...
Better field descriptions - Critical - XSS - SA-CONTRIB-2017-064
This module enables you to add themeable descriptions to fields in forms. The module doesn't sufficiently sanitize descriptions. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "add better descriptions to fields". CVE identifiers issued ACVE...
Search 404 - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-053
The Search 404 module enables you to redirect 404 pages to a search page on the site for the keywords in the URL that was not found. The module did not filter administrator-provided text before displaying it to the user on the 404 page, creating a Cross Site Scripting (XSS) vulnerability. This...
Bootstrap - Critical - Information Disclosure - SA-CONTRIB-2017-048
This theme enables you to bridge the gap between the Bootstrap Framework and Drupal. The theme does not sufficiently exclude the submitted password value when an incorrect value has been submitted. Versions affected: bootstrap 8.x-3.x versions prior to 8.x-3.5. Drupal core is not affected. If you d...
Filemaker Form - Critical - Unsupported - SA-CONTRIB-2017-37
Easily create forms in Drupal that submit data to Filemaker databases which are hosted on Filemaker Server. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module,...
Book access - Critical - Unsupported - SA-CONTRIB-2017-35
This module alters the book module permissions model by letting you specify access/modify/delete rights on a per-book basis. Normally, book-related permissions provided by drupal core apply across all books, but this module will let you drill down as granular as to letting specific users have...
Private - Critical - Access bypass - DRUPAL-SA-CONTRIB-2017-031
This module enables you to mark nodes as private so that they are only accessible to users that have been granted extra permissions. The module doesn't always enforce the access restrictions. In some cases a node that a site admin expects to be private is actually accessible as normal, or nodes...
Services - Highly Critical - Arbitrary Code Execution - SA-CONTRIB-2017-029
This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The module accepts user submitted data in PHP's serialization format "Content-Type: application/vnd.php.serialized" which can lead to arbitrary remote code execution. This...