1940 matches found
SA-2008-037 - TrailScout - XSS and SQL injection
The TrailScout module displays a number of last visited pages as breadcrumbs. The module displays certain values without appropriate filtering. Malicious users with the permission to create posts are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross sit...
SA-2008-038 - Services - Arbitrary code execution
The Services module package was created out of a need for a standardized solution to integrate external applications with Drupal. It builds on concepts from Drupal core's XMLRPC interface, but abstracts service callbacks so that they may be used with multiple interfaces such as XMLRPC, SOAP, REST...
SA-2008-035 - Aggregation - Multiple vulnerabilities
The Aggregation module syndicates content from external feeds saving them as nodes. A significant amount of vulnerabilities were discovered in the module: Cross site scripting - Numerous values are displayed without being properly escaped or filtered, which enables users to inject arbitrary HTML...
SA-2008-024 - Webform - Cross site scripting
The contributed webform module provides a webform nodetype. Typical uses for webform are to create questionnaires, contact or request/register forms, surveys, polls or a front end to issues tracking systems. On several points in the codebase, user-supplied data is not escaped before it is...
SA-2008-002 - Atom - Access bypass
The Atom module provides a list of node titles, and teasers or bodies as part of a syndication feed. In certain conditions, the titles, teasers, and body were not respecting access permissions, potentially exposing content to syndication not available otherwise. Versions affected Atom for Drupal...
SA-2007-022 - Boost - file overwrite
The Boost module provides a static file-based cache of Drupal pages for anonymous users. A vulnerability allows an attacker to create or overwrite any filename in any directory that the web server can write to. The affected file will always contain the fully rendered HTML for a single Drupal page...
Multiple vulnerabilities in Database Administration (dba) module
The Database Administration dba module allows site administrators with sufficient privileges to view and directly modify the Drupal database tables for a site. Numerous cross-site scripting XSS vulnerabilities were discovered when the administrator runs queries to display data from the database,...
Nodefamily - Access bypass
Nodefamily is needed for building user profiles with the nodeprofile module. By manipulating URL arguments, authenticated users are able to access and modify the profile of other users. Versions affected Nodefamily for Drupal 5.x before 5.x-1.0 Nodefamily for 4.7.x is not affected. Drupal core is...
Textimage - response validation bypass
Captcha validation by Textimage can be bypassed by manipulating request variables while posting. This defeats the purpose of the captcha and makes automated submission possible. Versions affected All versions of Textimage 4.7.x prior to Textimage 4.7-1.2. All versions of Textimage 5.x prior to...
CVS management/tracker XSS
The motivation field of the CVS application page is not passed through checkmarkup on display. A malicious user may use this field to insert and execute XSS Cross Site Scripting. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. Revoking the...
Site Profile Directory cross site scripting vulnerability
It is possible for a malicious user to insert and execute XSS Cross Site Scripting, due to lack of validation on output. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. Versions affected Drupal core is not affected. If you do not use the Sit...
Userreview cross site scripting vulnerability
It is possible for a malicious user to insert and execute XSS Cross Site Scripting, due to lack of validation on output. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. Versions affected Drupal core is not affected. If you do not use the...
Form_mail module allows arbitrary header injection
Linefeeds and carriage returns were not being stripped from email headers, raising the possibility of bogus headers being inserted into outgoing email. This could lead to sites being used to send unwanted email. Versions affected formmail versions prior to revision 1.8.2.2 on 27.6.2006 Drupal cor...
SAML SSO - Service Provider - Critical - Cross-site scripting - SA-CONTRIB-2026-018
This module enables you to perform SAML protocol-based single sign-on SSO on a Drupal site. The module doesn't sufficiently sanitize user input, leading to a reflected Cross-site scripting XSS vulnerability...
Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008
The Login Disable module prevents users from logging in to your Drupal site unless they know the access key to add to the end of the login form page. default: http://example.com/user/login?admin If they provide the access key and have a specific role they can log in. The module does not check for...
Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001
This module enables allows group managers to invite people into their group. The module doesn't sufficiently check access under certain circumstances, allowing unauthorized users to access the group's content. This vulnerability is mitigated by the fact that it only occurs when certain uncommon...
HTTP Client Manager - Less critical - Information disclosure - SA-CONTRIB-2025-126
Http Client Manager introduces a new Guzzle based plugin which allows you to manage HTTP clients using Guzzle Service Descriptions via YAML, JSON or PHP files, in a simple and efficient way. The modules allows administrators to configure HTTP requests as part of Event Condition Action ECA...
Next.js - Critical - Access bypass - SA-CONTRIB-2025-122
This module enables integration between Next.js and Drupal for headless CMS functionality. When installed, the module automatically enables cross-origin resource sharing CORS with insecure default settings Access-Control-Allow-Origin: , overriding any services.yml CORS configuration. This allows...
Simple multi step form - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-116
This module provides the ability to convert any entity form into a simple multi-step form. The module doesn’t sufficiently filter certain user-provided text leading to a cross-site scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...
Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114
This module introduces an OAuth 2.0 authorization server, which can be configured to protect your Drupal instance with access tokens, or allow clients to request new access tokens and refresh them. The module doesn't sufficiently respect granted scopes, it affects all access checks that are based...
CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113
CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components. CivicTheme does not sufficiently filter field data before rendering them in Twig templates. This combined with...
CivicTheme Design System - Moderately critical - Information disclosure - SA-CONTRIB-2025-112
CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components. The theme doesn't sufficiently check access to entities when they are displayed as reference cards used in manu...
Reverse Proxy Header - Less critical - Access bypass - SA-CONTRIB-2025-111
This module allows you to specify an HTTP header name to determine the client's IP address. The module doesn't sufficiently handle all cases under the scenario if Drupal Core settings $settings'reverseproxy' is set to TRUE and $settings'reverseproxyaddresses' is configured. This vulnerability...
Synchronize composer.json With Contrib Modules - Critical - Unsupported - SA-CONTRIB-2025-102
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-082
The module enables you to add second-factor authentication on top of the default Drupal login. The module does not sufficiently ensure that known authorization routes are protected. This vulnerability is mitigated by the fact that an attacker must obtain the user's username and password...
Colorbox - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-041
Colorbox is a module that allows Images, and iframed or inline content to be displayed in a modal above the current page. The Colorbox module doesn't sufficiently sanitize data attributes before opening modals. This vulnerability is mitigated by the fact that an attacker must have a role with...
Open Social - Less critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-015
Open Social is a Drupal distribution for online communities, which ships with a default module to invite users to groups and events. Invites for a specific user can be seen under certain conditions. The issue is mitigated for events by the fact that socialeventmaxenroll has to be enabled...
Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004
Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues...
Opigno TinCan Question Type - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-031
The Opigno TinCan Question Type module is related to Opigno LMS distribution. The module adds a new question type for the Quiz module. With this new question type, you will be able to import TinCan Packages to your Drupal instance and to use it as a question. Uploaded files were not sufficiently...
The Better Mega Menu - Critical - Cross Site Request Forgery - SA-CONTRIB-2021-040
This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. The module does not use CSRF tokens to protect routes for saving menu configurations. This vulnerability can be exploited by an anonymous user...
Group - Critical - Information Disclosure - SA-CONTRIB-2020-030
This module enables you to hand out permissions on a smaller subset, section or community of your website. The module used to leverage the node grants system but turned it off in its recent 8.x-1.0 release in favor of a system that works for ALL entity types, not just nodes. By doing so, some...
Internationalization - Moderately critical - Cross site scripting - SA-CONTRIB-2020-025
The Internationalization i18n module is a collection of modules to extend Drupal core multilingual capabilities and allows to build real life multilingual sites. A value in the term translation module is displayed without being escaped leading to a Cross Site Scripting XSS vulnerability. This...
Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-014
This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently filter user input under in the scenario when a webform is edited, namely the message related to character min/max counter does not undergo sufficient filtering and thus allows execution of JavaScript cod...
Ubercart - Moderately critical - Cross site scripting - SA-CONTRIB-2019-070
The Ubercart module provides a shopping cart and e-commerce features for Drupal. The order module doesn't sufficiently sanitize user input when displayed on an invoice leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a rol...
TableField - Moderately critical - Access bypass - SA-CONTRIB-2019-067
This module allows you to attach tabular data to an entity. There is insufficient access checking for users with the ability to "Export Tablefield Data as CSV". They can export data from unpublished nodes or otherwise inaccessible entities. This vulnerability is mitigated by the fact that an...
Existing Values Autocomplete Widget - Critical - Access bypass - SA-CONTRIB-2019-060
This module provides an autocomplete widget for text fields that suggests all existing previously entered values for that field. The module doesn't sufficiently check for proper access permission before returning autocomplete results. This vulnerability is mitigated by the fact that an attacker...
Translation Management Tool - Critical - Remote Code Execution - SA-CONTRIB-2019-024
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
Salesforce Suite - Moderately critical - Access bypass - SA-CONTRIB-2018-078
This module enables Drupal to synchronize entities with Salesforce records. The module includes a page that does not sufficiently protect access rights, resulting in potential information disclosure. This vulnerability is mitigated by the fact that only Drupal entity title and IDs, and Salesforce...
Entity Reference Tab / Accordion Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-008
This module enables you to show referenced entities in tabs. The module doesn't sufficiently sanitize the body fields of the referenced entities when it prints them to the tabs. This vulnerability is mitigated by the fact that an attacker must have a role with the permission create/edit content o...
Automated Logout - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-081
This module provides a site administrator the ability to log users out after a specified time of inactivity. It is highly customizable and includes "site policies" by role to enforce log out. The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting...
Page Access - Unsupported - SA-CONTRIB-2017-75
This module will provide the option to give the View and Edit access for users and roles on each node pages. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module,...
Views - Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068
When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to...
ajax_facets - Unsupported - SA-CONTRIB-2017-061
Updates The maintainer has resolved this issue, please read the release notes for more information. This module allows you to create facet filters which working by AJAX. Filters and search results will be updated by AJAX. The security team is marking this module unsupported. There is a known...
Scheduler Workbench Integration - Critical - Unsupported - SA-CONTRIB-2017-39
Updates 20170414 - A new module maintainer has been found and a new release for this module has been published. Provides integration between the Scheduler module and the Workbench Moderation module. The security team is marking this module unsupported. There is a known security issue with the...
Views - Moderately Critical - Access Bypass - SA-CONTRIB-2017-022
The Views module allows site builders to create listings of various data in the Drupal database. The Views module fails to add the required query tags to listings of Taxonomy Terms, which could cause private data stored on Taxonomy Terms to be leaked to users without permision to view it. This is...
OSF for Drupal - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-014
This module enables administrators to use a user interface to create complex semantic queries that can be saved to be used in different locations of a Drupal instance that uses OSF. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Securi...
Views Send - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-061
The Views Send module enables you to send mail to multiple users from a View. The module doesn't sufficiently filter potential user-supplied data when previewing the e-mail which can lead to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker mus...
Google Analytics - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-042
This module enables you to add integration with Google Analytics statistics service. The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted. This vulnerability is...
Administration Views - Critical - Access bypass - SA-CONTRIB-2016-041
Administration Views module replaces overview/listing pages with actual views for superior usability. The module does not check access properly under certain circumstances. Anonymous users could get access to read information they should not have access to. CVE identifiers issued ACVE identifier...
Registration Codes - Less Critical - Input Validation Vulnerability - SA-CONTRIB-028
This module enables you to allow users to enter a special registration code in order to sign up for the site. The module doesn't sufficiently validate the entered registration code CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Securit...