Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2013/09/11 12:0 a.m.15 views

SA-CONTRIB-2013-074 - MediaFront - Cross Site Scripting (XSS)

The MediaFront module provides a front-end media presentation layer for Drupal The module doesn't sufficiently filter user input from MediaFront preset settings. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer mediafront" to exploit th...

2.1CVSS6.3AI score0.00941EPSS
Exploits0References12
Drupal
Drupal
added 2013/08/28 12:0 a.m.15 views

SA-CONTRIB-2013-071 - Flag - Cross Site Scripting

The Flag module allows creation of customizable flags on entities. Flag does not properly sanitize the name of a flag on the main flag administration page, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS vulnerability. This vulnerability is...

5.6AI score
Exploits0References9
Drupal
Drupal
added 2013/02/20 12:0 a.m.15 views

SA-CONTRIB-2013-022 - Menu Reference - Cross site scripting (XSS)

Module Menu Reference doesn't escape HTML that contains menu link title displayed in Menu Reference "Rendered links" formatter. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer menus and menu items" to insert HTML code in menu link titl...

2.1CVSS6.3AI score0.00941EPSS
Exploits0References9
Drupal
Drupal
added 2012/10/03 12:0 a.m.15 views

SA-CONTRIB-2012-151 - Commerce Extra Panes - Cross Site Request Forgery

This module, an add-on for Drupal Commerce, allows site builders to place one or more nodes in one of the checkout phases of an order. The module doesn't sufficiently confirm the intent of a site builder when taking certain administrative operations. This could allow an attacker to trick an...

6.8CVSS6.3AI score0.00711EPSS
Exploits0References8
Drupal
Drupal
added 2012/08/29 12:0 a.m.15 views

SA-CONTRIB-2012-133 - Taxonomy Image - Cross Site Scripting (XSS) & Arbitrary PHP code execution

The taxonomyimage module allows site administrators to associate images with taxonomy terms. The module did not sufficiently filter retrieval of taxonomy images, allowing users to bypass Drupal's normal file upload protections to install malicious HTML or executable code to the server. This...

7.7AI score
Exploits0References13
Drupal
Drupal
added 2012/08/08 12:0 a.m.15 views

SA-CONTRIB-2012-123 - Shibboleth authentication - Access Bypass

The Shibboleth authentication module provides user authentication with Shibboleth single sign-on systems both v1.3 and v2.0 as well as some authorization features automatic role assignment based on Shibboleth attributes. The module doesn't sufficiently confirm the user's active status in Drupal...

7.3AI score
Exploits0References8
Drupal
Drupal
added 2012/07/11 12:0 a.m.15 views

SA-CONTRIB-2012-112 - Ubercart SecureTrading - Failure to follow guideline/specification

The Ubercart SecureTrading Payment Method module provides an Ubercart payment method for the SecureTrading.com gateway. The module's payment method did not properly verify the validity of payment notification information. A malicious user could trick a site into thinking that an item has been pai...

6.9AI score
Exploits0References9
Drupal
Drupal
added 2012/04/11 12:0 a.m.15 views

SA-CONTRIB-2012-059 - Autosave - Cross Site Request Forgery

CVE: CVE-2012-2097 This module enables snapshots of your node edit form to be saved in the background while you are editing to help prevent the data from being lost. The module doesn't sufficiently protect against a user being tricked into submitting saved results to a node. Versions affected...

6.8CVSS6.3AI score0.00933EPSS
Exploits1References11
Drupal
Drupal
added 2012/03/28 12:0 a.m.15 views

SA-CONTRIB-2012-045 - AddToAny - Cross Site Scripting

CVE: CVE-2012-2072 This module enables you to add Lockerz/AddToAny's universal sharing buttons to your site. Previously, the module did not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fac...

2.1CVSS5.6AI score0.01064EPSS
Exploits0References10
Drupal
Drupal
added 2012/03/07 12:0 a.m.15 views

SA-CONTRIB-2012-034 - Node Recommendation Cross Site Scripting (XSS)

CVE: CVE-2012-1659 This module shows users other nodes that they might be interested in based on a simple logic and using taxonomy. The aim of this module is to provide sensible defaults and an easy configuration for less-technical users and to allow it to be manually overriden. The module doesn'...

2.1CVSS6.3AI score0.01089EPSS
Exploits0References11
Drupal
Drupal
added 2011/10/05 12:0 a.m.15 views

SA-CONTRIB-2011-044 - Homebox for Organic Groups Cross Site Scripting

Homebox allows site administrators to create dashboards for their users, using blocks as widgets. Blocks in a Homebox page are resizeable, and reorderable by dragging. Homebox OG is a submodule of Homebox which allows Organics Groups administrators to specify a Homebox to be used as the group...

6.4AI score
Exploits0References11
Drupal
Drupal
added 2011/07/20 12:0 a.m.15 views

SA-CONTRIB-2011-029 - Taxonomy Filter - Cross Site Scripting

The Taxonomy Filter module enables users to filter taxonomy listings to find content tagged by multiple terms. Older versions of the module were susceptible to a Cross Site Scripting XSS attack by way of vocabulary names. The vulnerability was mitigated by the fact that an attacker must have a ro...

5.4AI score
Exploits0References10
Drupal
Drupal
added 2011/06/08 12:0 a.m.15 views

SA-CONTRIB-2011-024 - Spam - Cross Site Request Forgery (CSFR)

The Spam module provides numerous tools to auto-detect and deal with spam content that is posted to your site, without having to rely on third-party services. The Spam module provides a trainable Bayesian filter, automatic learning of spammer URLs, flagging of content with an excessive number of...

6.7AI score
Exploits0References9
Drupal
Drupal
added 2011/04/27 12:0 a.m.15 views

SA-CONTRIB-2011-017 - Save Draft - Validation Bypass

The Save Draft module adds a "Save as draft" button to the node form, letting content creators easily save a post in unpublished draft form. The module adds validation to individual form actions, thereby bypassing any form-wide validation that is normally performed before saving content. This is ...

7.1AI score
Exploits0References10
Drupal
Drupal
added 2011/03/16 12:0 a.m.15 views

SA-CONTRIB-2011-013 - Tagadelic - Cross Site Scripting (XSS)

Tagadelic module offers various ways to display terms and vocabularies in a tag cloud on a page or in a block. The module does not sanitize the taxonomy vocabulary names and descriptions when displayed on listing pages or blocks, leading to a Cross-Site Scripting XSS vulnerability that may lead t...

5.9AI score
Exploits0References10
Drupal
Drupal
added 2011/03/02 12:0 a.m.15 views

SA-CONTRIB-2011-011 - Secure Pages - Open redirect

The Secure Pages module allows administrators to choose certain URLs that must be delivered over HTTPS. An open redirection bug allows an attacker to formulate a URL in a way that redirects the user to an arbitrarily provided URL. Versions affected Secure Pages module for Drupal 6.x versions prio...

6.9AI score
Exploits0References9
Drupal
Drupal
added 2011/02/02 12:0 a.m.15 views

SA-CONTRIB-2011-008 - Chatroom - Cross Site Scripting (XSS) and Cross Site Request Forgery

The Chatroom module provides real-time chat capabilities to Drupal. Vulnerability: Cross Site Scripting The module does not properly escape the contents of chat messages in pages listing the chats contained in a chatroom, leading to a Cross Site Scripting XSS vulnerability. Any user with permissi...

5.5AI score
Exploits0References10
Drupal
Drupal
added 2011/01/19 12:0 a.m.15 views

SA-CONTRIB-2011-003 - Janrain Engage (RPX) - Multiple Vulnerabilities

RPX recently renamed Janrain Engage is a service that acts as a middleman between a site and external login providers like Facebook, Yahoo, WindowsLive, etc. As part of this functionality it offers the ability to take a user's avatar on these services and download it for use as the user's profile...

6.9AI score
Exploits0References9
Drupal
Drupal
added 2010/09/29 12:0 a.m.15 views

SA-CONTRIB-2010-097 - Imagemenu - Multiple vulnerabilities

The Imagemenu module allows users to create and maintain image based menus. The Drupal 5 branch of this module contains a Cross Site Request Forgery CSRF vulnerability which could allow a malicious user to trick an administrator into unintentionally enabling or disabling menu items provided by th...

6.1AI score
Exploits0References10
Drupal
Drupal
added 2010/08/11 12:0 a.m.15 views

SA-CONTRIB-2010-082 - Print - Local file read access

The Printer, e-mail and PDF versions "print" module provides printer-friendly versions of content, including a PDF version that is generated by one of three supported generation tools dompdf, TCPDF and wkhtmltopdf. When using the wkhtmltopdf PDF generation tool, that tool is able to access local...

6.8AI score
Exploits0References9
Drupal
Drupal
added 2010/08/11 12:0 a.m.15 views

SA-CONTRIB-2010-084 - OpenID - Authentication bypass

The OpenID module provides users the ability to login to sites using an OpenID account. The OpenID module doesn't implement the all required verifications from the OpenID 2.0 protocol and is vulnerable to a number of attacks. Specifically: - OpenID should verify that a "openid.responsenonce" has...

7.1AI score
Exploits0References9
Drupal
Drupal
added 2010/08/11 12:0 a.m.15 views

SA-CONTRIB-2010-088 - Content Construction Kit (CCK) - Access Bypass

The Content Construction Kit CCK project is a set of modules that allows you to add custom fields to nodes using a web browser. The CCK "Node Reference" module provides a backend URL that is used for asynchronous requests by the "autocomplete" widget to locate nodes the user can reference. In som...

7.2AI score
Exploits0References8
Drupal
Drupal
added 2010/08/11 12:0 a.m.15 views

SA-CONTRIB-2010-080 - Privatemsg - Cross Site Scripting

The Privatemsg module allows to send private messages between users. The module does not properly escape user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. Any user with permission to write private messages is vulnerable to attack. Versions affected...

6.1AI score
Exploits0References7
Drupal
Drupal
added 2010/05/19 12:0 a.m.15 views

SA-CONTRIB-2010-058: Chaos tool suite - Multiple vulnerabilities

The Chaos tool suite ctools is primarily a set of APIs and tools to improve the developer experience. This module was found to have multiple vulnerabilities. Cross site scripting XSS The module did not properly sanitize node titles under certain circumstances, resulting in multiple cross-site...

7.2AI score
Exploits0References8
Drupal
Drupal
added 2010/05/12 12:0 a.m.15 views

SA-CONTRIB-2010-044: Bibliography - Cross Site Scripting

The Bibliography module enables users to manage and display lists of scholarly publications. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. This is mitigated by the fact that only users with the 'administer...

6.2AI score
Exploits0References7
Drupal
Drupal
added 2010/05/12 12:0 a.m.15 views

SA-CONTRIB-2010-043: Wordfilter - Cross Site Scripting

The Wordfilter module implements an input filter that rewrites content to remove improper or foul language. Wordfilter does not sanitize the list of words that are filtered along with their replacements, allowing users with permissions to manage the list of banned words to insert arbitrary HTML a...

5.9AI score
Exploits0References8
Drupal
Drupal
added 2010/03/17 12:0 a.m.15 views

SA-CONTRIB-2010-028 - Tag Order - Cross Site Scripting

Tag Order module allows you to select vocabularies whose terms you would like to preserve in the original order entered per node. Taxonomy vocabulary names are not sanitized when being displayed on an administrative page, leading to a cross-site scripting XSS vulnerability. Such an attack may lea...

6AI score
Exploits0References6
Drupal
Drupal
added 2010/03/03 12:0 a.m.15 views

SA-CONTRIB-2010-022 - Internationalization - Arbitrary code execution

The Internationalization module enables translation of user defined strings using Drupal's locale interface. Some of these user defined strings have Input formats associated with them. As translators can translate texts before they go through the Input filters, using some filters like the PHP...

7.4AI score
Exploits0References7
Drupal
Drupal
added 2009/11/25 12:0 a.m.15 views

SA-CONTRIB-2009-110 - Taxonomy Timer - SQL Injection

The Taxonomy Timer module enables users to set expiration dates for Taxonomy Terms. At the time of expiration other terms can be assigned, or nodes can be unpublished. In some cases the module does not properly sanitize user input, leading to a SQL Injection vulnerability. Such an attack may lead...

8.2AI score
Exploits0References7
Drupal
Drupal
added 2009/11/18 12:0 a.m.15 views

SA-CONTRIB-2009-106 - Agreement - Cross Site Scripting

The Agreement module enables the display of a text-based agreement think "Terms of Service" that users of a particular role must accept before they are given access to the site. The module does not sanitize some of the user-supplied fields, leading to a Cross Site Scripting XSS vulnerability...

6.3AI score
Exploits0References6
Drupal
Drupal
added 2009/11/04 12:0 a.m.15 views

SA-CONTRIB-2009-098 - Zoomify - Cross Site Scripting

The Zoomify module integrates the Zoomify Flash applet into Drupal which can be used to pan and zoom on large images. Images are first preprocessed in order for Zoomify to work. The module fails to sanitize a value in the node title, leading to a Cross Site Scripting XSS vulnerability. Versions...

6.4AI score
Exploits0References7
Drupal
Drupal
added 2009/10/28 12:0 a.m.15 views

SA-CONTRIB-2009-085 - Insert Node - Cross Site Scripting

The Insert Node module provides an input filter that enables a node to be inserted within the body field of another node. The module fails to sanitize the inserted node, making it vulnerable to a cross site scripting XSS attack. Versions affected Insert Node module versions for Drupal 5.x prior t...

6AI score
Exploits0References7
Drupal
Drupal
added 2009/10/28 12:0 a.m.15 views

SA-CONTRIB-2009-089 - Storm - Access Bypass

The Storm module provides a project management application for Drupal. The module suffers a vulnerability whereby nodes of type 'storminvoiceitem' are not respecting the expected access permissions, potentially exposing the node title to unauthorized users. Versions affected Versions of Storm for...

7.1AI score
Exploits0References5
Drupal
Drupal
added 2009/10/14 12:0 a.m.15 views

DRUPAL-SA-CONTRIB-2009-073 - Printer, e-mail and PDF versions multiple vulnerabilities

The Printer, e-mail and PDF versions "print" module provides printer-friendly versions of content. When displaying the list of links in a page, the module does not properly escape this data, leading to a cross site scripting XSS vulnerability. In addition, the "Send by e-mail" sub-module does not...

6AI score
Exploits0References7
Drupal
Drupal
added 2009/08/19 12:0 a.m.15 views

SA-CONTRIB-2009-051 - ImageCache - Multiple vulnerabilities

ImageCache allows one to setup presets for image processing to create derivatives. ImageCache will dynamically generate a derivative on access if it doesn't exist. Cross site scripting Users with the "administer imagecache" permission are able to execute cross site scripting attacks because the...

6.8AI score
Exploits0References8
Drupal
Drupal
added 2009/08/05 12:0 a.m.15 views

SA-CONTRIB-2009-050 - Webform report - Cross site scripting

Webform report allows users to create simple, dynamic reports based on data collected by the webform module. When displaying the results of Webform submissions, the module does not properly escape user entered data, leading to a cross-site scripting XSS vulnerability. Versions affected Webform...

6.1AI score
Exploits0References4
Drupal
Drupal
added 2009/07/29 12:0 a.m.15 views

SA-CONTRIB-2009-047 - Calendar - Cross Site Scripting

The Calendar module enables Views module to display any Date module date field as a calendar. The module does not properly escape user input when displaying titles of content types that have Date fields. A user with permission to create new content types including via the Date module's Date Tools...

6AI score
Exploits0References5
Drupal
Drupal
added 2009/07/15 12:0 a.m.15 views

SA-CONTRIB-2009-042 - Submitted By - Cross Site Scripting

Submitted By is a module to let you control the format of the "Submitted by" information on your content per content type. This module does not properly escape user input used in building the string to display the "submitted by" text. Only administrators with the 'administer content types'...

5.8AI score
Exploits0References6
Drupal
Drupal
added 2009/06/25 12:0 a.m.15 views

SA-CONTRIB-2009-039 - Links Package - Cross Site Scripting

The Links Package is a multi-module set for managing URL links in a master directory, and attaching them in various ways to your content pages. The Links Related module of the Links Package does not properly escape user input used as the title on certain pages. A user with privileges to create...

6AI score
Exploits0References8
Drupal
Drupal
added 2009/06/10 12:0 a.m.15 views

SA-CONTRIB-2009-034 - Taxonomy manager - Cross site scripting

The Taxonomy manager module provides additional tools for administering taxonomy through Drupal. A vocabulary gets displayed in a dynamic tree view, where parent terms can be expanded to list their nested child terms or can be collapsed. The module does not properly escape some user-supplied data...

6AI score
Exploits0References7
Drupal
Drupal
added 2009/06/10 12:0 a.m.15 views

SA-CONTRIB-2009-037 - Views - Multiple vulnerabilities

The Views module provides a flexible method for Drupal site designers to control how lists of content are presented. In the Views UI administrative interface when configuring exposed filters, user input presented as possible exposed filters is not correctly filtered, potentially allowing maliciou...

5.6AI score
Exploits0References10
Drupal
Drupal
added 2009/06/03 12:0 a.m.15 views

SA-CONTRIB-2009-032 - Webform - Cross-site scripting

The Webform module provides a node type which is typically used to enable site visitors to fill in questionnaires, contact or request/registration forms, surveys, polls, or other forms on a Drupal site. When displaying the results of Webform submissions, the module does not properly filter user...

6.2AI score
Exploits0References8
Drupal
Drupal
added 2009/04/29 12:0 a.m.15 views

SA-CONTRIB-2009-025 - Fivestar - Cross-site request forgery

The Fivestar module provides a voting widget for content and records votes using Ajax. The URL used by the javascript to register votes is vulnerable to cross-site request forgeries CSRF making it possible for users to unknowingly vote for content. Versions affected Fivestar 5.x-1.x prior to...

7.2AI score
Exploits0References8
Drupal
Drupal
added 2009/04/15 12:0 a.m.15 views

SA-CONTRIB-2009-019 - Localization client - Cross site scripting

The Localization client module allows you to translate the interface of your Drupal site from within each page as you go. When displaying translatable strings and their completed translations, the module does not escape the data. If used to translate the Drupal core interface, this is not a...

6.3AI score
Exploits0References4
Drupal
Drupal
added 2009/03/25 12:0 a.m.15 views

SA-CONTRIB-2009-015 - Tokenauth - Access bypass

The Token authentication module allows access to RSS feeds via a token without having to provide your username and password to the site. Token authentication did not properly use the Drupal Form API which would allow a malicious user to learn the site administrator's token giving them the ability...

7.2AI score
Exploits0References5
Drupal
Drupal
added 2009/03/25 12:0 a.m.15 views

SA-CONTRIB-2009-016 - Wikitools - Cross site scripting

The Wikitools module provides several options to get a more wiki-like behavior for Drupal. On several pages, the Wikitools module prints out a parameter without escaping it. Malicious users are thus able to execute a cross site scripting XSS attack when they entice users to visit a specifically...

6.2AI score
Exploits0References7
Drupal
Drupal
added 2008/12/03 12:0 a.m.15 views

SA-2008-072 - Storm Project - SQL injection

Storm SpeedTech Organization and Resource Manager is a project management application for Drupal. Unfortunately the Storm module allows users with access to the storm projects to enter input values which are then used directly in SQL queries without being sanitized, enabling SQL injection attacks...

8.1AI score
Exploits0References6
Drupal
Drupal
added 2008/10/22 12:0 a.m.15 views

SA-2008-068 - Localization client and Localization server - Cross site request forgery

The Localization client module allows you to translate the interface of your Drupal site from within each page as you go. The Localization server module provides a community translation interface for translating Drupal modules and themes and is primarily used by Drupal translation teams. The serv...

6.6AI score
Exploits0References10
Drupal
Drupal
added 2008/10/15 12:0 a.m.15 views

SA-2008-065 - Node Clone - Access bypass

The third-party Node Clone module enables users to make a copy of an existing item of content a node, and then edit that copy. The module contains a flaw that allows a user with the 'clone node' permission to potentially bypass normal viewing access restrictions, for example allowing the user to...

7AI score
Exploits0References6
Drupal
Drupal
added 2008/09/17 12:0 a.m.15 views

SA-2008-052 - Link To Us - Cross site scripting

The Link To Us module creates a page to display uploaded banners that can be used by others to link to your Drupal site. The module will create well formed SEO links with full title, alt and anchor text determined by the node title, taxonomy term or other pages that are directed to the module...

5.7AI score
Exploits0References4
Total number of security vulnerabilities1940