1940 matches found
SA-CONTRIB-2009-016 - Wikitools - Cross site scripting
The Wikitools module provides several options to get a more wiki-like behavior for Drupal. On several pages, the Wikitools module prints out a parameter without escaping it. Malicious users are thus able to execute a cross site scripting XSS attack when they entice users to visit a specifically...
SA-2008-072 - Storm Project - SQL injection
Storm SpeedTech Organization and Resource Manager is a project management application for Drupal. Unfortunately the Storm module allows users with access to the storm projects to enter input values which are then used directly in SQL queries without being sanitized, enabling SQL injection attacks...
SA-2008-068 - Localization client and Localization server - Cross site request forgery
The Localization client module allows you to translate the interface of your Drupal site from within each page as you go. The Localization server module provides a community translation interface for translating Drupal modules and themes and is primarily used by Drupal translation teams. The serv...
SA-2008-065 - Node Clone - Access bypass
The third-party Node Clone module enables users to make a copy of an existing item of content a node, and then edit that copy. The module contains a flaw that allows a user with the 'clone node' permission to potentially bypass normal viewing access restrictions, for example allowing the user to...
SA-2008-052 - Link To Us - Cross site scripting
The Link To Us module creates a page to display uploaded banners that can be used by others to link to your Drupal site. The module will create well formed SEO links with full title, alt and anchor text determined by the node title, taxonomy term or other pages that are directed to the module...
SA-2008-051 - Mailsave - Cross site scripting
Mailsave is a module that is designed to interact with mailhandler. It will detach files that are emailed to the site and save them with the node. The module trusts the mimetype that is send with the file enabling malicious users with the ability to upload files to execute cross site scripting...
SA-2008-036 - Profile search - SQL Injection
The Profile search module provides a way for users to search users by all profile fields, as provided by the profile module in core. Numerous values are used in SQL strings without being properly sanitized. Users with the "access user profiles" permission can use these values to execute SQL...
SA-2008-033 - Taxonomy Image - Cross site scripting
The contributed module Taxonomy Image allows the display of images associated with taxonomy terms. Several values are displayed without being escaped, which enables users to inject arbitrary HTML and script code on pages Cross Site Scripting. This may lead to administrator access. Versions affect...
SA-2008-029 - E-Publish - Cross site scripting and Cross site request forgeries
The contributed module E-Publish helps organize a group of nodes into a publication, such as a newspaper, magazine or newsletter. The Drupal Forms API protects against Cross Site Request Forgeries CSRF, where a malicious site can cause a user to unintentionally take actions on another site where...
SA-2008-021 - Live - Cross site request forgery
The contributed module Live provides previews of content items while typing them. Live is vulnerable to a cross site request forgery which may lead to execution of PHP code when an authenticated, privileged user visits a malicious site. Versions affected Live for Drupal 5.x before Live 5.x-0.1...
SA-2008-015 - Comment Upload - Arbitrary file upload
Comment upload enables file attachments for comments. To do so it uses and subverts various functions from the upload module that are present in Drupal core. In certain, common cases, comment upload passes incorrect data to the upload validation functions, resulting in a validation bypass, which...
SA-2008-008 - Meta tags - Arbitrary code execution
The Meta tags module, also known as Nodewords, adds HTML META tags to node, panel and view pages. If the site is configured to allow images in the body of any node type, any user that can create this node type is able to execute arbitrary code on the server. Versions affected Meta tags for Drupal...
SA-2007-029 - Drupal core - User deletion cross site request forgery
The Drupal Forms API protects against cross site request forgeries CSRF, where a malicous site can cause a user to unintentionally submit a form to a site where he is authenticated. The user deletion form does not follow the standard Forms API submission model and is therefore not protected again...
Forward - Access bypass
The Forward module is a module that allows site administrators to add links to postings that let users email the current page to a third party. By manipulating URL arguments, authenticated and anonymous users are able to access posts that should have been restricted by a node access module such a...
Secure site - Access bypass
Secure site allows one to protect a website with a browser-based password. These usernames and passwords are tied directly to the Drupal user database. The site will be invisible to search engines and other crawlers, but still allows access to certain users. A serious design flaw allows the acces...
Captcha - response validation bypass
Captcha validation can be bypassed by manipulating request variables while posting or by providing certain incorrect responses. This defeats the purpose of the captcha and makes automated submission possible. Versions affected All versions of Captcha 4.7.x prior to Captcha 4.7-1.2. All versions o...
IMCE file handling vulnerabilities
IMCE has two vulnerabilities with regards to file handling. 1. By passing relative paths to IMCE's delete function, a malicious user with the "delete files" permission can delete files anywhere in the directory tree depending on the access permissions of the webserver. 2. IMCE allows the upload...
DRUPAL-SA-2005-008 XSS and HTTP header injection vulnerability with uploaded files
Paul Laudanski informed us that it's possible to attach files that are able to run Javascript under Internet Explorer. Further investigation of the problem revealed that the same method can be used to inject arbitrary HTTP headers. Versions affected Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5...
Tagify - Moderately critical - Cross-site scripting (XSS) - SA-CONTRIB-2026-043
This module integrates the Tagify JavaScript library to enhance entity reference selection in entity reference widgets. The module does not properly sanitise the name of parent taxonomy terms when rendering suggestions in the Tagify dropdown. This results in a cross-site scripting vulnerability...
Examples for Developers - Moderately critical - Access bypass - SA-CONTRIB-2026-044
The Examples for Developers project aims to provide high-quality, well-documented API examples for a broad range of Drupal core functionality. The "Read from a file" feature implemented by the fileexample submodule can be used to expose any file that PHP can access. Therefore, the fileexample...
Composer - Critical - Unsupported - SA-CONTRIB-2026-046
The security team is marking the Composer module for Drupal project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read:...
Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036
This module enables you to open content already on the page within a colorbox. The module doesn't sufficiently sanitize the data-colorbox-inline attribute value before passing it to jQuery, leading to a Cross-Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an...
Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012
This module allows site builders to create so-called "themerule" config entities. These theme rules can render pages with different themes than the default when certain conditions match. The module uses simple GET request to disable or enable theme rules, which allows attackers to disable or enab...
Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011
This module enables you to add icons to CKEditor. The module doesn't sufficiently add custom permissions to the dialog and autocomplete routes, allowing full access to the routes in most scenarios...
Quick Edit - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-009
This module allows content to be edited in-place. The module doesn't sufficiently sanitize certain image-related values during the editing process leading to a persistent Cross-site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to...
Acquia Content Hub - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-125
This module provides a centralized content distribution and syndication solution so thta customers can publish, reuse, and syndicate content across a network of Drupal websites. The module doesn't sufficiently protect export routes from cross-site request forgery CSRF attacks, potentially allowin...
Login Time Restriction - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-120
This module enables you to apply time-based login restrictions and display related warning or logout confirmation pages. The module doesn't sufficiently protect its confirmation routes from cross-site request forgery CSRF, allowing the logout confirmation route to be triggered without user...
AI (Artificial Intelligence) - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-119
This modules provides the ability to chat with an AI Agent using a large-language model LLM provider for different purposes. The module doesn’t sufficiently filter LLM responses. This leads to a cross-site scripting XSS vulnerability where an attacker can use prompt injections on user-generated...
CKEditor 5 Premium Features - Moderately critical - Access bypass - SA-CONTRIB-2025-118
The module provides instant integration of the official CKEditor 5 Premium plugins into the Drupal editor configuration. This module has a path traversal vulnerability, which allows an access bypass to restricted image files in the system. This access bypass is possible for any account with a Vie...
Link field display mode formatter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-024
This module adds a formatter for link fields that displays the current entity with another view mode inside the link. Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability XSS. A separate fix for Drupal core has been released bu...
General Data Protection Regulation - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-018
The GDPR Task submodule enables you to create GDPR tasks. The module doesn't sufficiently protect against Cross Site Request Forgery CSRF attacks by validating user identity and intent when creating tasks...
Cache Utility - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-019
The Cache Utility module provides an ability to view status and flush various caches. The module doesn't sufficiently protect against Cross Site Request Forgery CSRF attacks by validating user identity and intent when flushing a cache...
AI (Artificial Intelligence) - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-004
The AI logging sub-module enables you to log AI requests and responses for debugging and auditing purposes. The module doesn't sufficiently check for access to view the preview listing of the logs. Full log details are correctly protected, and API keys are never logged. This vulnerability is...
Tarte au Citron - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-064
This module integrates Tarte au citron JS library with Drupal and prevent services to be loaded without user consent. Administrators can enable and configure services which will be managed by Tarte au citron. When Google Tag Manager GTM service is enabled, an attacker can load a GTM container tha...
Responsive and off-canvas menu - Moderately critical - Access bypass - SA-CONTRIB-2024-030
This module integrates the mmenu library with Drupal's menu system with the aim of having an off-canvas mobile menu and a horizontal menu at wider widths. The module doesn't respect custom node access restrictions implemented through hookENTITYTYPEaccess hooks meaning the titles of restricted nod...
Config Pages - Moderately critical - Information Disclosure - SA-CONTRIB-2023-037
This module enables you to build administrative pages for managing configuration objects, which may then be used elsewhere in the site. The module doesn't sufficiently validate access when the JSONAPI module is also installed. This vulnerability is mitigated by the fact that it only affects sites...
Minify Source HTML - Moderately critical - Cross site scripting - SA-CONTRIB-2023-032
Carefully crafted input by an attacker will not be sanitized by this module, which can result in a script injection...
GridStack - Less critical - Cross Site Scripting - SA-CONTRIB-2023-024
This module enables you to create dynamic layouts and add sample color palettes for color selection hints via its UI. The module doesn't sufficiently sanitize the module's settings in certain scenarios leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact th...
Search Autocomplete - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-026
This module enables you to use complex autocompletion in forms. The module doesn't sufficiently filter text in the data it exposes, allowing a malicious user to enter specially crafted tags to exploit a Cross Site Scripting XSS attack. This vulnerability is mitigated by the fact that an attacker...
Consent Popup - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-017
The Consent Popup provides a configurable popup that requires acceptance of a question before the visitor can continue, typically used for age consent. The module doesn't sufficiently sanitizes the text on the block leading to a cross site scripting XSS vulnerability. This vulnerability is...
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-043
Open Social is a Drupal distribution for online communities. Group entities created within Open Social did not sufficiently check entity access in group overviews, allowing users to see information in the overviews they should not have access to. Visiting the entity directly resulted in correct...
Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported This module was...
SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028
SVG Formatter module provides support for using SVG images on your website. Our dependency library enshrined/svg-sanitize has a cross-site scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with permission that enables them to upload SVG images...
Quick Edit - Moderately critical - Information Disclosure - SA-CONTRIB-2022-025
This advisory addresses a similar issue to Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004. The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some conten...
Custom Breadcrumbs - Less critical - Cross Site Scripting - SA-CONTRIB-2022-024
The Custom Breadcrumbs module provides a variety of options for customizing the breadcrumb trail. The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...
Fancy File Delete - Moderately critical - Access Bypass - SA-CONTRIB-2022-023
This module enables you to manage and delete files. The module doesn't sufficiently protect unmanaged files from view under the scenario unauthenticated user knows path to visit the view and can attempt to delete files which results in duplicate files being created. To mitigate this issue without...
Image Media Export Import - Critical - Unsupported - SA-CONTRIB-2022-021
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Prevent anonymous users to access Drupal pages - Critical - Unsupported - SA-CONTRIB-2022-005
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Swiftype integration - Critical - Unsupported - SA-CONTRIB-2022-012
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Wysiwyg - Moderately critical - Cross site scripting - SA-CONTRIB-2022-003
This module enables you to integrate various What-You-See-Is-What-You-Get WYSIWYG rich text editors into Drupal fields with text formats allowing markup for easier editing. The module doesn't sufficiently sanitize user input before attaching a WYSIWYG editor to an input field such as a textarea. ...