Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2021/01/27 12:0 a.m.14 views

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2021-002

The Social User Export module enables users within Open Social to create an export of users and download this to a CSV file. The module doesn't sufficiently check access when building the CSV file, allowing logged-in users without the manage members permission to be able to export all data from a...

6.2AI score
Exploits0References8
Drupal
Drupal
added 2020/11/18 12:0 a.m.14 views

Ink Filepicker - Critical - Unsupported - SA-CONTRIB-2020-037

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. It looks like the 3rd party service that this module integrates with may have been retired. If you would like to maintain this project nevertheless,...

6.7AI score
Exploits0References2
Drupal
Drupal
added 2020/05/27 12:0 a.m.14 views

Commerce Core - Moderately critical - Access bypass - SA-CONTRIB-2020-020

Drupal Commerce is used to build eCommerce websites and applications. It's possible to configure commerce to permit orders by anonymous users. In this configuration, customers who do not choose to create an account upon checkout completion remain anonymous, and the resulting orders are never...

6.6AI score
Exploits0References8
Drupal
Drupal
added 2020/03/04 12:0 a.m.14 views

SVG Formatter - Critical - Cross site scripting - SA-CONTRIB-2020-005

SVG Formatter module provides support for using SVG images on your website. This security release fixes third-party dependencies included in or required by SVG Formatter. XSS bypass using entities and tab. This vulnerability is mitigated by the fact that an attacker must be able to upload SVG fil...

6AI score
Exploits0References7
Drupal
Drupal
added 2019/11/13 12:0 a.m.14 views

Administration Views - Moderately critical - Access bypass - SA-CONTRIB-2019-076

This module replaces administrative overview/listing pages with actual views for superior usability. The module doesn't sufficiently check user access when using the "Menu system path" access handler on a Views displays other than "System". Update: This project had been unsupported due to this...

6.6AI score
Exploits0References7
Drupal
Drupal
added 2019/10/16 12:0 a.m.14 views

Booking and Availability Management Tools for Drupal - Moderately critical - Access Bypass - SA-CONTRIB-2019-074

The Bat module provides a foundation through which a wide range of availability management, reservation and booking use cases can be addressed. The routes used to view events don't sufficiently guard access for non-privileged users. Specifically, a user with the 'View own' permission for bat even...

6.5AI score
Exploits0References7
Drupal
Drupal
added 2019/10/02 12:0 a.m.14 views

Localization update - Moderately critical - Insecure server configuration - SA-CONTRIB-2019-072

This module enables you to automatically download and update the site's interface translation by fetching them from localize.drupal.org or any other Localization server. The module doesn't sufficiently protect the directory it stores translation files in. It's conventional for directories which m...

6.6AI score
Exploits0References8
Drupal
Drupal
added 2019/09/25 12:0 a.m.14 views

Gutenberg - Critical - Access bypass - SA-CONTRIB-2019-069

This module provides a new UI experience for node editing - Gutenberg editor. The routes used by the Gutenberg editor lack proper permissions allowing untrusted users to view and modify some content they should not be able to view or modify...

6.5AI score
Exploits0References7
Drupal
Drupal
added 2019/08/14 12:0 a.m.14 views

scroll to top - Moderately critical - Cross site scripting - SA-CONTRIB-2019-061

The Scroll To Top module enables you to have an animated scroll to top link in the bottom of the node. The module does not sufficiently filter configuration text leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with...

5.9AI score
Exploits0References8
Drupal
Drupal
added 2019/03/20 12:0 a.m.14 views

RESTful - Critical - Remote code execution - SA-CONTRIB-2019-041

This resolves issues described in SA-CORE-2019-003 for this module...

6.7AI score
Exploits0References4
Drupal
Drupal
added 2019/03/13 12:0 a.m.14 views

Views (for Drupal 7) - Moderately critical - Information disclosure - SA-CONTRIB-2019-035

This module enables you to create customized lists of data. The module doesn't sufficiently build queries when used with exposed filters, leading to a possible information disclosure vulnerability in certain rare circumstances. This vulnerability is mitigated by the fact that a view must have an...

6.2AI score
Exploits0References14
Drupal
Drupal
added 2019/02/20 12:0 a.m.14 views

Video - Critical - Remote Code Execution - SA-CONTRIB-2019-022

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...

6.7AI score
Exploits0References3
Drupal
Drupal
added 2019/02/20 12:0 a.m.14 views

RESTful Web Services - Critical - Access bypass - SA-CONTRIB-2019-018

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...

6.7AI score
Exploits0References3
Drupal
Drupal
added 2018/12/05 12:0 a.m.14 views

Password Policy - Less critical - Denial of Service - SA-CONTRIB-2018-077

The Password Policy module makes it possible to set constraints on user passwords which disallow certain passwords. The "digit placement" constraint is vulnerable to Denial of Service attacks if an attacker submits specially crafted passwords which can cause a site to become unresponsive. This...

6.4AI score
Exploits0References5
Drupal
Drupal
added 2018/09/05 12:0 a.m.14 views

Fraction - Less critical - XSS vulnerability - SA-CONTRIB-2018-059

This module enables you to create fields for storing decimal values as two integers numerator and denominator for maximum precision. The module doesn't sufficiently filter XSS strings out of field labels. This vulnerability is mitigated by the fact that an attacker must have a role with the abili...

5.9AI score
Exploits0References7
Drupal
Drupal
added 2018/07/11 12:0 a.m.14 views

litejazz - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-050

This theme features 3 color styles, 12 fully collapsible regions, suckerfish menus, fluid or fixed widths, easy configuration, and more. The theme doesn't sufficiently sanitize user input. This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2018/06/27 12:0 a.m.14 views

Mass Password Reset - Less critical - Insecure Randomness - SA-CONTRIB-2018-043

This module enables you to reset passwords for all users based upon their user role. The module doesn't use a strong source of randomness, creating weak and predictable passwords. This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker,...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2018/02/14 12:0 a.m.14 views

Entity API - Moderately critical - Information Disclosure - SA-CONTRIB-2018-013

The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. The module prints debugging information to the HTML output in certain error conditions thereby causing an information disclosure vulnerability. This...

6AI score
Exploits0References6
Drupal
Drupal
added 2018/01/10 12:0 a.m.14 views

Node View Permissions - Moderately critical - Access Bypass - SA-CONTRIB-2018-002

The Node view permissions module enables the "View own content" and "View any content" permissions for each content type on the permissions page. This module has a vulnerability that allows users with these permissions to view unpublished content that they are not otherwise authorized to view. Th...

6.6AI score
Exploits0References4
Drupal
Drupal
added 2017/11/08 12:0 a.m.14 views

Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2017-083

Custom Permissions is a lightweight module that allows permissions to be created and managed through an administrative form. When this module is in use, any user who is able to perform an action which rebuilds some of Drupal's caches can trigger a scenario in which certain pages protected by this...

6.6AI score
Exploits0References5
Drupal
Drupal
added 2017/08/30 12:0 a.m.14 views

H5P - Critical - Reflected Cross Site Scripting (XSS) - DRUPAL-SA-CONTRIB-2017-071

The H5P module helps create interactive videos, question sets, drag and drop questions, multichoice questions, boardgames, presentations, flashcards and more using Drupal. The module does not sufficiently filter text prior to printing it back to the page, leading to a Reflected Cross Site Scripti...

5.6AI score
Exploits0References13
Drupal
Drupal
added 2017/08/09 12:0 a.m.14 views

Session Cache API - Critical - Multiple vulnerabilities - DRUPAL-SA-CONTRIB-2017-065

This module does not safely deal with serialization. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected Session Cache API 7.x-1.4 Drupal core is not affected. If you do not use the contributed...

7.1AI score
Exploits0References13
Drupal
Drupal
added 2017/05/17 12:0 a.m.14 views

Bootstrap - Critical - Information Disclosure - SA-CONTRIB-2017-048

This theme enables you to bridge the gap between the Bootstrap Framework and Drupal. The theme does not sufficiently exclude the submitted password value when an incorrect value has been submitted Versions affected bootstrap 8.x-3.x versions prior to 8.x-3.5. Drupal core is not affected. If you d...

7.3AI score
Exploits0References11
Drupal
Drupal
added 2017/03/01 12:0 a.m.14 views

AES - Critical - Unsupported - SA-CONTRIB-2017-027

This module provides an API that allows other modules to encrypt and decrypt data using the AES encryption algorithm. The module does not follow requirements for encrypting data safely. An attacker who gains access to data encrypted with this module could decrypt it more easily than should be...

6.8AI score
Exploits0References12
Drupal
Drupal
added 2017/03/01 12:0 a.m.14 views

RestWS - Moderately Critical - Information Disclosure - SA-CONTRIB-2017-024

RestWS makes Drupal Entity data available in a REST API. The module doesn’t sufficiently check for access to properties when filtering queries. This vulnerability is mitigated by the fact that an attacker must have a role that allows them to access an entity type with access-controlled properties...

7AI score
Exploits0References11
Drupal
Drupal
added 2017/02/08 12:0 a.m.14 views

Acquia Content Hub - Moderately Critical - Access Bypass - SA-CONTRIB-2017-013

The Acquia Content Hub module enables the distribution and discovery of content from any source using the Acquia Content Hub service. The module allows rendering of any arbitrary entity, without performing the appropriate access check. Users browsing to a well crafted URL could access information...

7AI score
Exploits0References15
Drupal
Drupal
added 2017/01/04 12:0 a.m.14 views

Permissions by Term -- Critical - Multiple vulnerabilities - SA-CONTRIB-2017-001

The Permissions by Term module extends Drupal functionality by restricting access to single nodes via taxonomy terms. Taxonomy terms are part of the Drupal core functionality. Taxonomy term permissions can be coupled to specific user accounts and/or user roles. Enabling the module unintentionally...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2016/11/02 12:0 a.m.14 views

D8 Editor File upload - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-059

This module enables you to upload files directly within the CKEditor and create a link to download the given file. The module doesn't sufficiently check the uploaded file extensions when the allowed extensions list is not the default one. This vulnerability is mitigated by the fact that an attack...

7AI score
Exploits0References12
Drupal
Drupal
added 2016/09/07 12:0 a.m.14 views

Flag Lists - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-051

This module enables regular users to create unlimited private flags called lists. The flaglists module doesn't sufficiently filter the output when applying token strings to flaglists links leading to a persistent Cross Site Scripting XSS attack. This vulnerability is mitigated by the fact that an...

6.2AI score
Exploits0References12
Drupal
Drupal
added 2016/08/10 12:0 a.m.14 views

OAuth2 Client- Moderately Critical - Cross Site Request Forgery - SA-CONTRIB-2016-044

This module provides an OAuth2 client. The module does not check the validity of the state parameter, during server-side flow, before getting a token. This may allow a malicious user to feed a fake accesstoken to another user, and subsequently provide him fake data from the server. This page...

7AI score
Exploits0References13
Drupal
Drupal
added 2016/06/08 12:0 a.m.14 views

Page Manager Search - Moderately Critical - Information disclosure - SA-CONTRIB-2016-032

This module enables you to make Panels pages and other pages managed by CTools' Page Manager submodule indexible and searchable through the standard Search module provided in Drupal core. The module doesn't block access to Page Manager pages which have been disabled. CVE identifiers issued ACVE...

7.2AI score
Exploits0References12
Drupal
Drupal
added 2016/06/08 12:0 a.m.14 views

REST JSON - Multiple Vulnerabilities - Highly Critical - Unsupported - SA-CONTRIB-2016-033

This module enables you to expose content, users and comments via a JSON API. The module contains multiple vulnerabilities including Node access bypass Comment access bypass User enumeration Field access bypass User registration bypass Blocked user login Session name guessing Session enumeration...

7.3AI score
Exploits0References10
Drupal
Drupal
added 2016/04/13 12:0 a.m.14 views

Features - Less Critical - Denial of Service (DoS) - SA-CONTRIB-2016-020

This module enables you to organize and export configuration data. The module doesn't sufficiently protect the admin/structure/features/cleanup path with a token. If an attacker can trick an admin with the "manage features" permission to request a special URL, it could lead to clearing the cache...

7AI score
Exploits0References11
Drupal
Drupal
added 2016/03/02 12:0 a.m.14 views

Fieldable Panels Panes - Moderately Critical - Access Bypass - SA-CONTRIB-2016-014

This module enables you to create fieldable entities that have special integration with Panels. The module doesn't check access permissions on a file when it is attached to a field on a Fieldable Panels Panes entity that has been made private and where the file field is set to store files using t...

7.1AI score
Exploits0References11
Drupal
Drupal
added 2016/02/10 12:0 a.m.14 views

Embedded Media Field - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2016-004

This module enables you to to display video, image, and audio files from various third party providers The module doesn't sufficiently sanitize path arguments under certain scenarios. This vulnerability is mitigated by the fact that an attacker must be able to trick an administrator into visiting...

6.9AI score
Exploits0References11
Drupal
Drupal
added 2016/02/10 12:0 a.m.14 views

CAS - Moderately Critical - Information Disclosure - DRUPAL-SA-CONTRIB-2016-005

This module enables you to use your Drupal site as a client or server for the single sign on protocol CAS. This vulnerability only affects sites that use the "CAS Server" sub module. The module doesn't allow an administrator to restrict which CAS clients are allowed authenticate with the Drupal C...

6.7AI score
Exploits0References14
Drupal
Drupal
added 2015/11/04 12:0 a.m.14 views

Monster Menus - Access Bypass - Moderately Critical - SA-CONTRIB-2015-163

Monster Menus is a hierarchical menu tree, which provides highly scalable, granular permissions for all pages within a site. The module includes an option to remove nodes from view add them to a "recycle bin" rather than deleting them outright. When a node has been put into a bin using an affecte...

5CVSS6.2AI score0.01196EPSS
Exploits0References9
Drupal
Drupal
added 2015/08/05 12:0 a.m.14 views

Quick Edit - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-137

This module enables you to in-place edit entities' fields. The module doesn't sufficiently filter entity titles under the scenario where the user starts in-place editing an entity. The module also doesn't sufficiently filter node titles under the scenario where a node is displayed albeit only on...

3.5CVSS6.3AI score0.00774EPSS
Exploits0References11
Drupal
Drupal
added 2015/07/08 12:0 a.m.14 views

Administration Views - Critical - Information Disclosure - SA-CONTRIB-2015-132

Administration Views module replaces overview/listing pages with actual views for superior usability. The module does not check access properly under certain circumstances. Anonymous users could get access to read information they should not have access to. CVE identifiers issued CVE-2015-7226...

5CVSS6AI score0.02087EPSS
Exploits0References11
Drupal
Drupal
added 2015/06/03 12:0 a.m.14 views

Novalnet Payment Module Ubercart - Critical - SQL Injection - Unsupported - SA-CONTRIB-2015-116

This module enables you add the Novalnet payment service provider to Ubercart. The module fails to sanitize a database query by not using the database API properly, thereby leading to a SQL Injection vulnerability. Since the affected path is not protected against CSRF, a malicious user can exploi...

7.5CVSS7.3AI score0.0196EPSS
Exploits0References8
Drupal
Drupal
added 2015/05/06 12:0 a.m.14 views

Entityform Block - Moderately Critical - Access Bypass - SA-CONTRIB-2015-106

This module enables you to display an entityform as a block. The module doesn't sufficiently check permissions on the entityform under scenarios where the form is locked to a certain role. CVE identifiers issued CVE-2015-5493 Versions affected Entityform Block 7.x-1.x versions prior to 7.x-1.3...

5CVSS6.4AI score0.01381EPSS
Exploits0References12
Drupal
Drupal
added 2015/04/22 12:0 a.m.14 views

Keyword Research - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-098

Keyword Research module enables you to tag and prioritize keywords on a site and node level basis. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause another user with "kwresearch admin site keywords" permission to create, delete and set priorities to...

5.1CVSS6.2AI score0.00646EPSS
Exploits0References9
Drupal
Drupal
added 2015/03/25 12:0 a.m.14 views

Decisions - Moderately Critical - Cross Site Request Forgery (CSRF) - Unsupported - SA-CONTRIB-2015-086

Decisions module is a replacement for the Poll module and provides advanced voting systems and decision-making tools. The module doesn't sufficiently protect some links against CSRF. A malicious user can cause another user to remove individual voters by getting their browser to make a request to ...

6.8CVSS6.4AI score0.00649EPSS
Exploits0References8
Drupal
Drupal
added 2015/02/04 12:0 a.m.14 views

SA-CONTRIB-2015-034 - Commerce WeDeal - Open Redirect

Commerce WeDeal module enables you to do Commerce payments through the payment provider WeDeal. The module doesn't sufficiently check a query parameter used for page redirection, thereby leading to an Open Redirect vulnerability. CVE identifiers issued CVE-2015-3393 Versions affected Commerce...

5.8CVSS6.4AI score0.01204EPSS
Exploits0References9
Drupal
Drupal
added 2014/12/10 12:0 a.m.14 views

SA-CONTRIB-2014-119 - Google Analytics - Information disclosure

This module enables you to integrate Drupal with Google Analytics. The module leaks the site specific hash salt to authenticated users when user-id tracking is turned on. This vulnerability is mitigated by the fact that user-id tracking must be turned on and the attacker needs to have an account ...

6.9AI score
Exploits0References11
Drupal
Drupal
added 2014/11/12 12:0 a.m.14 views

SA-CONTRIB-2014-109 - Freelinking - Cross Site Scripting (XSS)

The Freelinking module implements a filter framework for easier creation of HTML links to other pages on the site or to external sites. The module does not sanitize the node title when providing a link to the node, opening a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated ...

6.1AI score
Exploits0References9
Drupal
Drupal
added 2014/10/29 12:0 a.m.14 views

SA-CONTRIB-2014-106 - Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass

This module provides payment methods for the Drupal Commerce package to permit the use of the Authorize.Net payment gateway's SIM and DPM payment protocols. Access Bypass The module doesn't sufficiently protect the Drupal Commerce order number passed to the Authorize.Net payment gateway, allowing...

7.1AI score
Exploits0References13
Drupal
Drupal
added 2014/10/22 12:0 a.m.14 views

SA-CONTRIB-2014-101 - Ubercart - Cross Site Request Forgery

The Ubercart module provides a shopping cart and e-commerce features for Drupal. Cross Site Request Forgery CSRF The country administration links are not properly protected. A malicious user could trick a store administrator into enabling or disabling a country by getting them to visit a...

7.1AI score
Exploits0References13
Drupal
Drupal
added 2014/10/15 12:0 a.m.14 views

SA-CONTRIB-2014-098 - CKEditor - Cross Site Scripting (XSS)

The CKEditor module and its predecessor, FCKeditor module allows Drupal to replace textarea fields with CKEditor 3.x/4.x FCKeditor 2.x in case of FCKeditor module - a visual HTML editor, sometimes called WYSIWYG editor. Both modules define a function, called via an ajax request, that filters text...

5.7AI score
Exploits0References12
Drupal
Drupal
added 2014/04/23 12:0 a.m.14 views

SA-CONTRIB-2014-045 - Drupal Commons - Multiple Vulnerabilities

This SA contains two patches against Drupal Commons Views Bulk Operations Access Bypass Drupal commons comes with a view to moderate reported content, which is intended for authenticated users to view which content has been reported. Since it has hard coded VBO operations within the view, and...

6.8AI score
Exploits0References15
Total number of security vulnerabilities1940