Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2009/03/25 12:0 a.m.15 views

SA-CONTRIB-2009-016 - Wikitools - Cross site scripting

The Wikitools module provides several options to get a more wiki-like behavior for Drupal. On several pages, the Wikitools module prints out a parameter without escaping it. Malicious users are thus able to execute a cross site scripting XSS attack when they entice users to visit a specifically...

6.2AI score
Exploits0References7
Drupal
Drupal
added 2008/12/03 12:0 a.m.15 views

SA-2008-072 - Storm Project - SQL injection

Storm SpeedTech Organization and Resource Manager is a project management application for Drupal. Unfortunately the Storm module allows users with access to the storm projects to enter input values which are then used directly in SQL queries without being sanitized, enabling SQL injection attacks...

8.1AI score
Exploits0References6
Drupal
Drupal
added 2008/10/22 12:0 a.m.15 views

SA-2008-068 - Localization client and Localization server - Cross site request forgery

The Localization client module allows you to translate the interface of your Drupal site from within each page as you go. The Localization server module provides a community translation interface for translating Drupal modules and themes and is primarily used by Drupal translation teams. The serv...

6.6AI score
Exploits0References10
Drupal
Drupal
added 2008/10/15 12:0 a.m.15 views

SA-2008-065 - Node Clone - Access bypass

The third-party Node Clone module enables users to make a copy of an existing item of content a node, and then edit that copy. The module contains a flaw that allows a user with the 'clone node' permission to potentially bypass normal viewing access restrictions, for example allowing the user to...

7AI score
Exploits0References6
Drupal
Drupal
added 2008/09/17 12:0 a.m.15 views

SA-2008-052 - Link To Us - Cross site scripting

The Link To Us module creates a page to display uploaded banners that can be used by others to link to your Drupal site. The module will create well formed SEO links with full title, alt and anchor text determined by the node title, taxonomy term or other pages that are directed to the module...

5.7AI score
Exploits0References4
Drupal
Drupal
added 2008/09/17 12:0 a.m.15 views

SA-2008-051 - Mailsave - Cross site scripting

Mailsave is a module that is designed to interact with mailhandler. It will detach files that are emailed to the site and save them with the node. The module trusts the mimetype that is send with the file enabling malicious users with the ability to upload files to execute cross site scripting...

6.7AI score
Exploits0References5
Drupal
Drupal
added 2008/07/18 12:0 a.m.15 views

SA-2008-036 - Profile search - SQL Injection

The Profile search module provides a way for users to search users by all profile fields, as provided by the profile module in core. Numerous values are used in SQL strings without being properly sanitized. Users with the "access user profiles" permission can use these values to execute SQL...

8.3AI score
Exploits0References4
Drupal
Drupal
added 2008/06/11 12:0 a.m.15 views

SA-2008-033 - Taxonomy Image - Cross site scripting

The contributed module Taxonomy Image allows the display of images associated with taxonomy terms. Several values are displayed without being escaped, which enables users to inject arbitrary HTML and script code on pages Cross Site Scripting. This may lead to administrator access. Versions affect...

7.1AI score
Exploits0References6
Drupal
Drupal
added 2008/04/23 12:0 a.m.15 views

SA-2008-029 - E-Publish - Cross site scripting and Cross site request forgeries

The contributed module E-Publish helps organize a group of nodes into a publication, such as a newspaper, magazine or newsletter. The Drupal Forms API protects against Cross Site Request Forgeries CSRF, where a malicious site can cause a user to unintentionally take actions on another site where...

7.1AI score
Exploits0References7
Drupal
Drupal
added 2008/03/23 12:0 a.m.15 views

SA-2008-021 - Live - Cross site request forgery

The contributed module Live provides previews of content items while typing them. Live is vulnerable to a cross site request forgery which may lead to execution of PHP code when an authenticated, privileged user visits a malicious site. Versions affected Live for Drupal 5.x before Live 5.x-0.1...

7.1AI score
Exploits0References3
Drupal
Drupal
added 2008/01/30 12:0 a.m.15 views

SA-2008-015 - Comment Upload - Arbitrary file upload

Comment upload enables file attachments for comments. To do so it uses and subverts various functions from the upload module that are present in Drupal core. In certain, common cases, comment upload passes incorrect data to the upload validation functions, resulting in a validation bypass, which...

6.8AI score
Exploits0References5
Drupal
Drupal
added 2008/01/14 12:0 a.m.15 views

SA-2008-008 - Meta tags - Arbitrary code execution

The Meta tags module, also known as Nodewords, adds HTML META tags to node, panel and view pages. If the site is configured to allow images in the body of any node type, any user that can create this node type is able to execute arbitrary code on the server. Versions affected Meta tags for Drupal...

7.8AI score
Exploits0References4
Drupal
Drupal
added 2007/10/17 12:0 a.m.15 views

SA-2007-029 - Drupal core - User deletion cross site request forgery

The Drupal Forms API protects against cross site request forgeries CSRF, where a malicous site can cause a user to unintentionally submit a form to a site where he is authenticated. The user deletion form does not follow the standard Forms API submission model and is therefore not protected again...

6.7AI score
Exploits0References3
Drupal
Drupal
added 2007/07/09 12:0 a.m.15 views

Forward - Access bypass

The Forward module is a module that allows site administrators to add links to postings that let users email the current page to a third party. By manipulating URL arguments, authenticated and anonymous users are able to access posts that should have been restricted by a node access module such a...

6.9AI score
Exploits0References4
Drupal
Drupal
added 2007/02/16 12:0 a.m.15 views

Secure site - Access bypass

Secure site allows one to protect a website with a browser-based password. These usernames and passwords are tied directly to the Drupal user database. The site will be invisible to search engines and other crawlers, but still allows access to certain users. A serious design flaw allows the acces...

6.8AI score
Exploits0References4
Drupal
Drupal
added 2007/01/30 12:0 a.m.15 views

Captcha - response validation bypass

Captcha validation can be bypassed by manipulating request variables while posting or by providing certain incorrect responses. This defeats the purpose of the captcha and makes automated submission possible. Versions affected All versions of Captcha 4.7.x prior to Captcha 4.7-1.2. All versions o...

7.2AI score
Exploits0References4
Drupal
Drupal
added 2006/10/02 12:0 a.m.15 views

IMCE file handling vulnerabilities

IMCE has two vulnerabilities with regards to file handling. 1. By passing relative paths to IMCE's delete function, a malicious user with the "delete files" permission can delete files anywhere in the directory tree depending on the access permissions of the webserver. 2. IMCE allows the upload...

7.8AI score
Exploits0References3
Drupal
Drupal
added 2005/11/30 12:0 a.m.15 views

DRUPAL-SA-2005-008 XSS and HTTP header injection vulnerability with uploaded files

Paul Laudanski informed us that it's possible to attach files that are able to run Javascript under Internet Explorer. Further investigation of the problem revealed that the same method can be used to inject arbitrary HTTP headers. Versions affected Drupal 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5...

7.2AI score
Exploits0References3
Drupal
Drupal
added 2026/06/10 12:0 a.m.14 views

Tagify - Moderately critical - Cross-site scripting (XSS) - SA-CONTRIB-2026-043

This module integrates the Tagify JavaScript library to enhance entity reference selection in entity reference widgets. The module does not properly sanitise the name of parent taxonomy terms when rendering suggestions in the Tagify dropdown. This results in a cross-site scripting vulnerability...

5.5AI score0.00161EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/10 12:0 a.m.14 views

Examples for Developers - Moderately critical - Access bypass - SA-CONTRIB-2026-044

The Examples for Developers project aims to provide high-quality, well-documented API examples for a broad range of Drupal core functionality. The "Read from a file" feature implemented by the fileexample submodule can be used to expose any file that PHP can access. Therefore, the fileexample...

5.5AI score0.00142EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/10 12:0 a.m.14 views

Composer - Critical - Unsupported - SA-CONTRIB-2026-046

The security team is marking the Composer module for Drupal project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read:...

5.3AI score0.00153EPSS
Exploits0References2
Drupal
Drupal
added 2026/05/13 12:0 a.m.14 views

Colorbox Inline - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-036

This module enables you to open content already on the page within a colorbox. The module doesn't sufficiently sanitize the data-colorbox-inline attribute value before passing it to jQuery, leading to a Cross-Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an...

5.4CVSS5.8AI score0.00177EPSS
Exploits0References2
Drupal
Drupal
added 2026/02/25 12:0 a.m.14 views

Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012

This module allows site builders to create so-called "themerule" config entities. These theme rules can render pages with different themes than the default when certain conditions match. The module uses simple GET request to disable or enable theme rules, which allows attackers to disable or enab...

4.3CVSS5.4AI score0.00098EPSS
Exploits0References1
Drupal
Drupal
added 2026/02/25 12:0 a.m.14 views

Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011

This module enables you to add icons to CKEditor. The module doesn't sufficiently add custom permissions to the dialog and autocomplete routes, allowing full access to the routes in most scenarios...

5.3CVSS5.4AI score0.00223EPSS
Exploits0References1
Drupal
Drupal
added 2026/02/11 12:0 a.m.14 views

Quick Edit - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-009

This module allows content to be edited in-place. The module doesn't sufficiently sanitize certain image-related values during the editing process leading to a persistent Cross-site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to...

5.4CVSS5.6AI score0.00136EPSS
Exploits0References3
Drupal
Drupal
added 2025/12/10 12:0 a.m.14 views

Acquia Content Hub - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-125

This module provides a centralized content distribution and syndication solution so thta customers can publish, reuse, and syndicate content across a network of Drupal websites. The module doesn't sufficiently protect export routes from cross-site request forgery CSRF attacks, potentially allowin...

8.1CVSS5.3AI score0.0013EPSS
Exploits0References1
Drupal
Drupal
added 2025/12/03 12:0 a.m.14 views

Login Time Restriction - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-120

This module enables you to apply time-based login restrictions and display related warning or logout confirmation pages. The module doesn't sufficiently protect its confirmation routes from cross-site request forgery CSRF, allowing the logout confirmation route to be triggered without user...

8.1CVSS5.2AI score0.00135EPSS
Exploits0References2
Drupal
Drupal
added 2025/12/03 12:0 a.m.14 views

AI (Artificial Intelligence) - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-119

This modules provides the ability to chat with an AI Agent using a large-language model LLM provider for different purposes. The module doesn’t sufficiently filter LLM responses. This leads to a cross-site scripting XSS vulnerability where an attacker can use prompt injections on user-generated...

4.4CVSS5.2AI score0.00118EPSS
Exploits0References4
Drupal
Drupal
added 2025/12/03 12:0 a.m.14 views

CKEditor 5 Premium Features - Moderately critical - Access bypass - SA-CONTRIB-2025-118

The module provides instant integration of the official CKEditor 5 Premium plugins into the Drupal editor configuration. This module has a path traversal vulnerability, which allows an access bypass to restricted image files in the system. This access bypass is possible for any account with a Vie...

5.3CVSS5.6AI score0.00234EPSS
Exploits0References1
Drupal
Drupal
added 2025/03/19 12:0 a.m.14 views

Link field display mode formatter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-024

This module adds a formatter for link fields that displays the current entity with another view mode inside the link. Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability XSS. A separate fix for Drupal core has been released bu...

6.1CVSS6.6AI score0.00242EPSS
Exploits0References2
Drupal
Drupal
added 2025/02/26 12:0 a.m.14 views

General Data Protection Regulation - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-018

The GDPR Task submodule enables you to create GDPR tasks. The module doesn't sufficiently protect against Cross Site Request Forgery CSRF attacks by validating user identity and intent when creating tasks...

8.1CVSS7.3AI score0.00193EPSS
Exploits0References3
Drupal
Drupal
added 2025/02/26 12:0 a.m.14 views

Cache Utility - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-019

The Cache Utility module provides an ability to view status and flush various caches. The module doesn't sufficiently protect against Cross Site Request Forgery CSRF attacks by validating user identity and intent when flushing a cache...

8.8CVSS7.2AI score0.0021EPSS
Exploits0References3
Drupal
Drupal
added 2025/01/22 12:0 a.m.14 views

AI (Artificial Intelligence) - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-004

The AI logging sub-module enables you to log AI requests and responses for debugging and auditing purposes. The module doesn't sufficiently check for access to view the preview listing of the logs. Full log details are correctly protected, and API keys are never logged. This vulnerability is...

8.2CVSS7AI score0.00352EPSS
Exploits0References9
Drupal
Drupal
added 2024/11/27 12:0 a.m.14 views

Tarte au Citron - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-064

This module integrates Tarte au citron JS library with Drupal and prevent services to be loaded without user consent. Administrators can enable and configure services which will be managed by Tarte au citron. When Google Tag Manager GTM service is enabled, an attacker can load a GTM container tha...

4.8CVSS6.9AI score0.00232EPSS
Exploits0References7
Drupal
Drupal
added 2024/08/21 12:0 a.m.14 views

Responsive and off-canvas menu - Moderately critical - Access bypass - SA-CONTRIB-2024-030

This module integrates the mmenu library with Drupal's menu system with the aim of having an off-canvas mobile menu and a horizontal menu at wider widths. The module doesn't respect custom node access restrictions implemented through hookENTITYTYPEaccess hooks meaning the titles of restricted nod...

5.3CVSS7AI score0.0034EPSS
Exploits0References7
Drupal
Drupal
added 2023/08/23 12:0 a.m.14 views

Config Pages - Moderately critical - Information Disclosure - SA-CONTRIB-2023-037

This module enables you to build administrative pages for managing configuration objects, which may then be used elsewhere in the site. The module doesn't sufficiently validate access when the JSONAPI module is also installed. This vulnerability is mitigated by the fact that it only affects sites...

6.8AI score
Exploits0References6
Drupal
Drupal
added 2023/07/26 12:0 a.m.14 views

Minify Source HTML - Moderately critical - Cross site scripting - SA-CONTRIB-2023-032

Carefully crafted input by an attacker will not be sanitized by this module, which can result in a script injection...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2023/06/28 12:0 a.m.14 views

GridStack - Less critical - Cross Site Scripting - SA-CONTRIB-2023-024

This module enables you to create dynamic layouts and add sample color palettes for color selection hints via its UI. The module doesn't sufficiently sanitize the module's settings in certain scenarios leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact th...

6.3AI score
Exploits0References6
Drupal
Drupal
added 2023/06/28 12:0 a.m.14 views

Search Autocomplete - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-026

This module enables you to use complex autocompletion in forms. The module doesn't sufficiently filter text in the data it exposes, allowing a malicious user to enter specially crafted tags to exploit a Cross Site Scripting XSS attack. This vulnerability is mitigated by the fact that an attacker...

6AI score
Exploits0References7
Drupal
Drupal
added 2023/05/31 12:0 a.m.14 views

Consent Popup - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-017

The Consent Popup provides a configurable popup that requires acceptance of a question before the visitor can continue, typically used for age consent. The module doesn't sufficiently sanitizes the text on the block leading to a cross site scripting XSS vulnerability. This vulnerability is...

6AI score
Exploits0References6
Drupal
Drupal
added 2022/05/25 12:0 a.m.14 views

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-043

Open Social is a Drupal distribution for online communities. Group entities created within Open Social did not sufficiently check entity access in group overviews, allowing users to see information in the overviews they should not have access to. Visiting the entity directly resulted in correct...

6.2AI score
Exploits0References9
Drupal
Drupal
added 2022/03/23 12:0 a.m.14 views

Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported This module was...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2022/03/09 12:0 a.m.14 views

SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028

SVG Formatter module provides support for using SVG images on your website. Our dependency library enshrined/svg-sanitize has a cross-site scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with permission that enables them to upload SVG images...

6AI score
Exploits0References8
Drupal
Drupal
added 2022/02/16 12:0 a.m.14 views

Quick Edit - Moderately critical - Information Disclosure - SA-CONTRIB-2022-025

This advisory addresses a similar issue to Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004. The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some conten...

6.4AI score
Exploits0References15
Drupal
Drupal
added 2022/02/09 12:0 a.m.14 views

Custom Breadcrumbs - Less critical - Cross Site Scripting - SA-CONTRIB-2022-024

The Custom Breadcrumbs module provides a variety of options for customizing the breadcrumb trail. The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...

6.3AI score
Exploits0References5
Drupal
Drupal
added 2022/02/09 12:0 a.m.14 views

Fancy File Delete - Moderately critical - Access Bypass - SA-CONTRIB-2022-023

This module enables you to manage and delete files. The module doesn't sufficiently protect unmanaged files from view under the scenario unauthenticated user knows path to visit the view and can attempt to delete files which results in duplicate files being created. To mitigate this issue without...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2022/01/25 12:0 a.m.14 views

Image Media Export Import - Critical - Unsupported - SA-CONTRIB-2022-021

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2022/01/25 12:0 a.m.14 views

Prevent anonymous users to access Drupal pages - Critical - Unsupported - SA-CONTRIB-2022-005

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2022/01/25 12:0 a.m.14 views

Swiftype integration - Critical - Unsupported - SA-CONTRIB-2022-012

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2022/01/05 12:0 a.m.14 views

Wysiwyg - Moderately critical - Cross site scripting - SA-CONTRIB-2022-003

This module enables you to integrate various What-You-See-Is-What-You-Get WYSIWYG rich text editors into Drupal fields with text formats allowing markup for easier editing. The module doesn't sufficiently sanitize user input before attaching a WYSIWYG editor to an input field such as a textarea. ...

5.8AI score
Exploits0References10
Total number of security vulnerabilities1940