Drupal - Most viewed

1911 matches found

SA-2008-057 - Ajax Checklist - Multiple vulnerabilities
Drupal | added 2008/09/24 | 12 views

The Ajax Checklist module implements a filter that allows a user to include checkboxes into content. The module does not properly use Drupal's database API and inserts values supplied by users directly into queries. This can be exploited by malicious users with the "update ajax checklists"...

AI score: 7.4 | Exploits: 0 | References: 7

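The Ajax Checklist entry above describes the classic contrib-module mistake: a user-supplied value spliced into SQL instead of being passed through the database API's placeholders. The following is an added example written for this page (not the module's code, and in Python with sqlite3 rather than Drupal's PHP db_query()) showing the same anti-pattern beside its parameterized form. The table name, columns and rows are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for a hypothetical checklist table:
# (item id, checklist id, label). Checklist 2 belongs to another user.
SAMPLE_ITEMS = [
    (1, 1, "buy milk"),
    (2, 1, "call bank"),
    (3, 2, "private item of another user"),
    (4, 2, "another private item"),
]


def setup_db() -> sqlite3.Connection:
    """In-memory table with the hypothetical schema above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checklist_item (iid INTEGER, cid INTEGER, label TEXT)")
    conn.executemany("INSERT INTO checklist_item VALUES (?, ?, ?)", SAMPLE_ITEMS)
    return conn


def get_items_vulnerable(conn, cid):
    """The anti-pattern from the advisory: the request value becomes part of the SQL text."""
    sql = "SELECT iid, label FROM checklist_item WHERE cid = " + str(cid)
    return conn.execute(sql).fetchall()


def get_items_safe(conn, cid):
    """Validate the type first, then bind with a placeholder.

    The driver sends the value separately from the SQL, so 'OR 1=1' can never
    change the query; the int() check additionally rejects it before any query runs.
    """
    try:
        cid_int = int(cid)
    except (TypeError, ValueError):
        raise ValueError("checklist id must be an integer")
    return conn.execute(
        "SELECT iid, label FROM checklist_item WHERE cid = ?", (cid_int,)
    ).fetchall()
```

With the input `1 OR 1=1` the vulnerable function returns every row, including the other user's checklist; the safe one refuses the input, and with a genuine id returns only that checklist. Drupal's own API gives the same guarantee through its placeholders (`%d`/`%s` in db_query() for the 5.x/6.x branches this advisory covers, named `:placeholders` later), which is what "properly use Drupal's database API" means in the advisory.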
SA-2008-045 - OpenID - Multiple vulnerabilities
Drupal | added 2008/07/09 | 12 views

The OpenID module for Drupal 5.x allows users to create an account or log into a Drupal site using one or more OpenID identities. Find out more about OpenID at http://openid.net. Two vulnerabilities and weaknesses were discovered in the contributed OpenID module. Cross site scripting Some...

AI score: 6.4 | Exploits: 0 | References: 7

SA-2008-037 - TrailScout - XSS and SQL injection
Drupal | added 2008/06/18 | 12 views

The TrailScout module displays a number of last visited pages as breadcrumbs. The module displays certain values without appropriate filtering. Malicious users with the permission to create posts are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross sit...

AI score: 7.7 | Exploits: 0 | References: 6

SA-2008-035 - Aggregation - Multiple vulnerabilities
Drupal | added 2008/06/11 | 12 views

The Aggregation module syndicates content from external feeds, saving them as nodes. A significant number of vulnerabilities were discovered in the module: Cross site scripting - Numerous values are displayed without being properly escaped or filtered, which enables users to inject arbitrary HTML...

AI score: 8.2 | Exploits: 0 | References: 6

SA-2008-024 - Webform - Cross site scripting
Drupal | added 2008/04/03 | 12 views

The contributed webform module provides a webform node type. Typical uses for webform are to create questionnaires, contact or request/register forms, surveys, polls, or a front end to issue tracking systems. On several points in the codebase, user-supplied data is not escaped before it is...

AI score: 6.2 | Exploits: 0 | References: 7

SA-2008-021 - Live - Cross site request forgery
Drupal | added 2008/03/23 | 12 views

The contributed module Live provides previews of content items while typing them. Live is vulnerable to a cross site request forgery which may lead to execution of PHP code when an authenticated, privileged user visits a malicious site. Versions affected: Live for Drupal 5.x before Live 5.x-0.1...

AI score: 7.1 | Exploits: 0 | References: 3

SA-2008-002 - Atom - Access bypass
Drupal | added 2008/01/10 | 12 views

The Atom module provides a list of node titles, and teasers or bodies, as part of a syndication feed. In certain conditions, the titles, teasers, and body were not respecting access permissions, potentially exposing content to syndication that was not available otherwise. Versions affected: Atom for Drupal...

AI score: 7 | Exploits: 0 | References: 5

SA-2007-022 - Boost - file overwrite
Drupal | added 2007/10/03 | 12 views

The Boost module provides a static file-based cache of Drupal pages for anonymous users. A vulnerability allows an attacker to create or overwrite any filename in any directory that the web server can write to. The affected file will always contain the fully rendered HTML for a single Drupal page...

AI score: 6.8 | Exploits: 0 | References: 2

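A static page cache like the one the Boost entry describes derives a filename from the request path; if that derivation can be steered outside the cache directory, the rendered HTML is written wherever the web server can write. The function below is an added illustration for this page (not Boost's code, and in Python rather than the module's PHP) of how a cache writer can confine the target: it decodes once, normalises the URL path, forces a `.html` suffix, and then proves the result still lies under the cache root. The cache directory is a hypothetical constant.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical cache directory; a real module takes this from site configuration.
CACHE_ROOT = "/var/cache/boost"


def cache_file_path(request_path, cache_root=CACHE_ROOT):
    """Map a request path to the file that will hold its rendered HTML.

    Guarantees: the result is always inside cache_root and always ends in .html,
    so no request can name an arbitrary file (settings.php, .htaccess, anything
    outside the cache tree).
    """
    # Decode percent-encoding exactly once so %2e%2e cannot survive as a literal.
    path = unquote(request_path)
    if "\0" in path:
        raise ValueError("NUL byte in request path")
    if not path.startswith("/"):
        raise ValueError("request path must be absolute")
    # Collapse '.', '..' and repeated slashes on the URL path itself.
    # posixpath.normpath("/a/../../etc") == "/etc": '..' cannot climb above '/'.
    norm = posixpath.normpath(path)
    relative = norm.lstrip("/") or "index"
    candidate = posixpath.normpath(posixpath.join(cache_root, relative)) + ".html"
    # Defence in depth: the joined, normalised result must still sit under the root.
    if posixpath.commonpath([cache_root, candidate]) != cache_root:
        raise ValueError("resolved path escapes the cache root")
    return candidate
```

Traversal attempts such as `/node/../../../etc/passwd` or the percent-encoded `/%2e%2e/%2e%2e/sites/default/settings.php` end up as harmless `.html` files under the cache root. When actually writing, resolve the real filesystem path as well (symlinks inside the cache tree are another way out), create files with `O_EXCL` into a temporary name and rename atomically, and never let the web server user write outside the cache directory in the first place.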
Project and Project issue tracking XSS
Drupal | added 2006/12/18 | 12 views

Several fields are not passed through check_plain() on display. A malicious user could use these fields to insert and execute XSS (Cross Site Scripting). This may lead to administrator access if certain conditions are met. Additionally, certain error messages are generated that include potentially...

AI score: 6.3 | Exploits: 0 | References: 9

Chatroom - Security bypass
Drupal | added 2006/12/11 | 12 views

The contributed module Chatroom broadcasts session ids of chatroom visitors to all participants in a room. Using those IDs, an attacker is able to hijack the session of those participants and gain their privileges on the site. Additionally, messages supposed to be private are displayed in the las...

AI score: 7.2 | Exploits: 0 | References: 2

CVS management/tracker XSS
Drupal | added 2006/12/05 | 12 views

The motivation field of the CVS application page is not passed through check_markup() on display. A malicious user may use this field to insert and execute XSS (Cross Site Scripting). This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. Revoking the...

AI score: 6.3 | Exploits: 0 | References: 5

Form_mail module allows arbitrary header injection
Drupal | added 2006/07/04 | 12 views

Linefeeds and carriage returns were not being stripped from email headers, raising the possibility of bogus headers being inserted into outgoing email. This could lead to sites being used to send unwanted email. Versions affected: form_mail versions prior to revision 1.8.2.2 on 27.6.2006. Drupal cor...

AI score: 7.1 | Exploits: 0 | References: 2

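The Form_mail entry is a textbook e-mail header injection: a form field containing CR/LF lands in the header block and the text after the line break is parsed as a new header (`Bcc:` being the usual spam-relay payload). The following added example, written for this page in Python and not taken from the module, shows a concatenated header block beside a sanitised one, with the attacker value constructed inline.

```python
import re
from email.utils import formataddr

CRLF_RE = re.compile(r"[\r\n]")

# Constructed attacker input: a "name" form field carrying CR/LF to smuggle a Bcc header.
ATTACKER_NAME = "Alice\r\nBcc: victim1@example.com, victim2@example.com"


def headers_vulnerable(name, sender, subject):
    """The pattern from the advisory: form values concatenated straight into the header block."""
    return f"From: {name} <{sender}>\r\nSubject: {subject}\r\n"


def header_names(raw_headers):
    """List the header names an MTA would see in a raw header block (used to show the injection)."""
    names = []
    for line in raw_headers.split("\r\n"):
        if ":" in line:
            names.append(line.split(":", 1)[0])
    return names


def clean_header_value(value):
    """Remove every CR and LF so one value can never become two header lines."""
    return CRLF_RE.sub("", str(value)).strip()


def headers_safe(name, sender, subject):
    """Strip line breaks, quote the display name, and refuse to emit anything that still has one."""
    headers = {
        # formataddr() quotes a display name containing specials such as ':' or ','.
        "From": formataddr((clean_header_value(name), clean_header_value(sender))),
        "Subject": clean_header_value(subject),
    }
    for key, value in headers.items():
        if CRLF_RE.search(value):  # defence in depth; cannot trigger after cleaning
            raise ValueError(f"line break in header {key}")
    return "".join(f"{key}: {value}\r\n" for key, value in headers.items())
```

Against the constructed input the vulnerable builder emits three headers (`From`, `Bcc`, `Subject`); the safe one emits two, with the attacker's text surviving only as a quoted display name. Do the stripping on the decoded form value (so `%0d%0a` is covered), and prefer the mail library's own header setters over hand-built header strings wherever one is available.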
DRUPAL-SA-2006-008 XSS Vulnerability in taxonomy module
Drupal | added 2006/06/01 | 12 views

It is possible for a malicious user to insert and execute XSS into terms, due to lack of validation on output of the page title. The fix wraps the display of terms in check_plain(). Versions affected: - Drupal 4.6.x versions before Drupal 4.6.8. - Drupal 4.7.x versions before Drupal 4.7.2. Solution...

AI score: 6.3 | Exploits: 0 | References: 3

Translate Drupal with GTranslate - Less critical - DOM clobbering / link manipulation - SA-CONTRIB-2026-035
Drupal | added 2026/05/13 | 11 views

The GTranslate module provides a language switcher widget for Drupal sites. The module's widget JavaScript did not sufficiently validate that document.currentScript referred to the executing script element. A user who can add HTML to a page could cause the generated language-switcher links to poi...

CVSS: 2.7 | AI score: 5.8 | EPSS: 0.00236 | Exploits: 0 | References: 2

OpenID Connect / OAuth client - Moderately critical - Access bypass - SA-CONTRIB-2026-026
Drupal | added 2026/03/04 | 11 views

This module enables you to use an external OpenID Connect login provider to authenticate and log in users on your site. If a user signs in with a login provider for the first time on the website, a new Drupal user will be created. A visitor who successfully logs in to their Identity Provider and ...

CVSS: 6.5 | AI score: 5.8 | EPSS: 0.00246 | Exploits: 0 | References: 2

AJAX Dashboard - Critical - Access bypass - SA-CONTRIB-2026-022
Drupal | added 2026/03/04 | 11 views

AJAX Dashboard: Entity Dashboards enables you to create configurable dashboards attached to entities which include AJAX-reloading of a main content area based on inputs from a configurable set of buttons. The module doesn't sufficiently check access on the dashboard configuration route...

CVSS: 6.5 | AI score: 5.8 | EPSS: 0.00243 | Exploits: 0 | References: 1

Drupal Canvas - Moderately critical - Server-side request forgery, Information disclosure - SA-CONTRIB-2026-017
Drupal | added 2026/02/25 | 11 views

This module enables you to easily theme and build an entire website using only a browser, without the need to write code beyond basic JSX and CSS. Content creators are able to compose content on any part of the page without relying on developers. The project has a hidden sub-module, Drupal...

CVSS: 5 | AI score: 5.6 | EPSS: 0.00287 | Exploits: 0 | References: 2

Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012
Drupal | added 2026/02/25 | 11 views

This module allows site builders to create so-called "themerule" config entities. These theme rules can render pages with different themes than the default when certain conditions match. The module uses simple GET requests to disable or enable theme rules, which allows attackers to disable or enab...

CVSS: 4.3 | AI score: 5.4 | EPSS: 0.00098 | Exploits: 0 | References: 1

Login Time Restriction - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2025-120
Drupal | added 2025/12/03 | 11 views

This module enables you to apply time-based login restrictions and display related warning or logout confirmation pages. The module doesn't sufficiently protect its confirmation routes from cross-site request forgery (CSRF), allowing the logout confirmation route to be triggered without user...

CVSS: 8.1 | AI score: 5.2 | EPSS: 0.00135 | Exploits: 0 | References: 2

Entity Share - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-123
Drupal | added 2025/12/03 | 11 views

This module enables you to deploy content from one Drupal website to another. The module provides some default configuration without sufficient access control. This vulnerability is mitigated by the fact that an administrator can add some default access control permission...

CVSS: 5.3 | AI score: 5.5 | EPSS: 0.00187 | Exploits: 0 | References: 1

Simple multi step form - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-116
Drupal | added 2025/11/05 | 11 views

This module provides the ability to convert any entity form into a simple multi-step form. The module doesn't sufficiently filter certain user-provided text, leading to a cross-site scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

CVSS: 3.5 | AI score: 5.3 | EPSS: 0.00148 | Exploits: 0 | References: 2

Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-108
Drupal | added 2025/09/24 | 11 views

This module enables users to sign in with an access code instead of entering user names and passwords. When users are allowed to pick their own access codes, they can guess other users' access codes based on the fact that access codes need to be unique and the system warns if the code of their...

CVSS: 6.3 | AI score: 5.6 | EPSS: 0.00206 | Exploits: 0 | References: 2

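The Access code entry describes an oracle: codes must be unique, so the "already in use" warning shown when a user picks a taken code confirms that some other account has it, and the code alone is the login credential. The added example below (written for this page, not the module's code) simulates that enumeration against a constructed user table, then shows the shape of a store that removes the oracle: server-issued high-entropy codes, kept as keyed hashes and looked up in constant time. The pepper and sample accounts are constructed.

```python
import hashlib
import hmac
import secrets


class AccessCodeStoreVulnerable:
    """User-chosen codes stored in clear, with a uniqueness warning: the warning is an oracle."""

    def __init__(self, codes):
        self.codes = dict(codes)  # {username: code}, constructed sample data

    def set_code(self, user, code):
        taken_by_other = any(u != user and c == code for u, c in self.codes.items())
        if taken_by_other:
            return "That access code is already used by another account."
        self.codes[user] = code
        return "Saved."


def enumerate_codes(store, attacker, digits=4):
    """An attacker with an ordinary account walks the code space through the uniqueness check.

    Every 'already used' answer is a valid credential for somebody else.
    """
    found = []
    for n in range(10 ** digits):
        code = f"{n:0{digits}d}"
        if store.set_code(attacker, code) != "Saved.":
            found.append(code)
    return found


class AccessCodeStoreHardened:
    """Server-issued codes with real entropy, stored as keyed hashes, compared in constant time."""

    def __init__(self, pepper):
        self.pepper = pepper  # secret kept outside the database (constructed here)
        self.hashes = {}      # {username: hmac-sha256(code)}

    def _digest(self, code):
        return hmac.new(self.pepper, code.encode(), hashlib.sha256).hexdigest()

    def issue_code(self, user):
        """Generate the code for the user; 96 random bits make guessing and collisions moot."""
        code = secrets.token_urlsafe(12)
        self.hashes[user] = self._digest(code)
        return code

    def login(self, code):
        """Return the user for a presented code, or None; no message distinguishes wrong from absent."""
        digest = self._digest(code)
        for user, stored in self.hashes.items():
            if hmac.compare_digest(stored, digest):
                return user
        return None
```

Against the sample table the enumeration recovers both existing 4-digit codes in under ten thousand requests. The hardened store never tells a user whether a code exists: if user-chosen codes must be kept for product reasons, treat a collision as a generic validation failure, rate-limit code changes and login attempts per account and per IP, and require codes long enough that the space cannot be walked.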
General Data Protection Regulation - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-018
Drupal | added 2025/02/26 | 11 views

The GDPR Task submodule enables you to create GDPR tasks. The module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when creating tasks...

CVSS: 8.1 | AI score: 7.3 | EPSS: 0.0017 | Exploits: 0 | References: 3

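Three entries in this list (Theme Negotiation by Rules, Login Time Restriction and the GDPR Task submodule) share one defect: a route that changes state without proof that the request came from the user's own page. The advisory for Theme Negotiation by Rules names the simplest form, a plain GET, which any attacker page can trigger with an image tag. The added example below, written for this page in Python and not taken from any of these modules, shows a GET-toggled handler beside one that requires POST plus a token bound to the session and the route. The token construction (an HMAC over a route-specific value, keyed by a per-session seed and a site key) mirrors the shape of Drupal core's CSRF tokens but is this example's own code; the private key and rule state are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed site secret; Drupal keeps an equivalent per-site private key and hash salt.
PRIVATE_KEY = b"constructed-site-private-key"

# Constructed "themerule" config state: rule name -> enabled.
THEME_RULES = {"mobile_dark": True}


class Session:
    """Per-session state; the seed is generated once and never sent to other origins."""

    def __init__(self):
        self.csrf_seed = secrets.token_bytes(32)

    def token(self, value):
        """HMAC over a route-specific value, keyed by session seed + site key."""
        key = self.csrf_seed + PRIVATE_KEY
        return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

    def validate(self, token, value):
        return hmac.compare_digest(token, self.token(value))


def toggle_rule_vulnerable(method, rule_id, query, session):
    """The pattern the advisory describes: any request, e.g. <img src=...> on an attacker page, flips state."""
    if rule_id not in THEME_RULES:
        return 404
    THEME_RULES[rule_id] = not THEME_RULES[rule_id]
    return 200


def toggle_rule_hardened(method, rule_id, query, session):
    """State changes only on POST, and only with a token for this session and this exact route."""
    if rule_id not in THEME_RULES:
        return 404
    if method != "POST":
        return 405
    expected_value = f"themerule/{rule_id}/toggle"
    if not session.validate(query.get("token", ""), expected_value):
        return 403
    THEME_RULES[rule_id] = not THEME_RULES[rule_id]
    return 200
```

A token minted in the attacker's own session, or for a different route, fails validation; only the victim's token for that route succeeds, and only over POST. In Drupal 8 and later the equivalent is declaring `_csrf_token: 'TRUE'` on the route in routing.yml (or using a form, which carries its own token) rather than linking to a bare GET URL.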
SpamSpan filter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-016
Drupal | added 2025/02/12 | 11 views

This module enables your site to obfuscate email addresses and prevent spambots from collecting them. The module doesn't sanitize HTML data attributes when an email address link is transformed to separate span HTML elements and then transformed back by JavaScript, leading to a Cross Site Scripting (XSS)...

CVSS: 6.1 | AI score: 5.8 | EPSS: 0.00206 | Exploits: 0 | References: 2

Responsive and off-canvas menu - Moderately critical - Access bypass - SA-CONTRIB-2024-030
Drupal | added 2024/08/21 | 11 views

This module integrates the mmenu library with Drupal's menu system with the aim of having an off-canvas mobile menu and a horizontal menu at wider widths. The module doesn't respect custom node access restrictions implemented through hook_ENTITY_TYPE_access() hooks, meaning the titles of restricted nod...

CVSS: 5.3 | AI score: 7 | EPSS: 0.00334 | Exploits: 0 | References: 7

Gutenberg - Less critical - Denial of Service - SA-CONTRIB-2023-009
Drupal | added 2023/03/08 | 11 views

This module provides a new UI experience for node editing - Gutenberg editor. This vulnerability can cause DoS by using reusable blocks improperly. This vulnerability is mitigated by the fact an attacker must have "use gutenberg" permission to exploit it...

AI score: 6.5 | Exploits: 0 | References: 6

Prevent anonymous users to access Drupal pages - Critical - Unsupported - SA-CONTRIB-2022-005
Drupal | added 2022/01/25 | 11 views

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported...

AI score: 6.6 | Exploits: 0 | References: 2

Open Social - Critical - Authentication Bypass - SA-CONTRIB-2021-011
Drupal | added 2021/06/02 | 11 views

Open Social is a Drupal distribution for online communities. The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts. The lack of validation makes it possible for an adversary to forge valid login URLs and log in to such an account. This vulnerability ...

AI score: 6.6 | Exploits: 0 | References: 7

Bugsnag - Critical - Unsupported - SA-CONTRIB-2019-081
Drupal | added 2019/11/13 | 11 views

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported...

AI score: 6.6 | Exploits: 0 | References: 2

Ubercart - Moderately critical - Cross site scripting - SA-CONTRIB-2019-070
Drupal | added 2019/10/02 | 11 views

The Ubercart module provides a shopping cart and e-commerce features for Drupal. The order module doesn't sufficiently sanitize user input when displayed on an invoice, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a rol...

AI score: 5.9 | Exploits: 0 | References: 6

Gutenberg - Critical - Access bypass - SA-CONTRIB-2019-069
Drupal | added 2019/09/25 | 11 views

This module provides a new UI experience for node editing - Gutenberg editor. The routes used by the Gutenberg editor lack proper permissions, allowing untrusted users to view and modify some content they should not be able to view or modify...

AI score: 6.5 | Exploits: 0 | References: 7

Video - Critical - Remote Code Execution - SA-CONTRIB-2019-022
Drupal | added 2019/02/20 | 11 views

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...

AI score: 6.7 | Exploits: 0 | References: 3

Views - Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068
Drupal | added 2017/08/16 | 11 views

When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to...

AI score: 7 | Exploits: 0 | References: 16

ajax_facets - Unsupported - SA-CONTRIB-2017-061
Drupal | added 2017/08/02 | 11 views

Updates: The maintainer has resolved this issue, please read the release notes for more information. This module allows you to create facet filters which work via AJAX. Filters and search results will be updated by AJAX. The security team is marking this module unsupported. There is a known...

AI score: 7.1 | Exploits: 0 | References: 9

DRD Agent - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-047
Drupal | added 2017/05/10 | 11 views

The Drupal Remote Dashboard (DRD) module enables you to manage and monitor any remote Drupal site, and this module, the DRD Agent, is the remote module which responds to requests from authorised DRD sites. The module doesn't sufficiently protect the URL used to configure itself from CSRF attacks,...

AI score: 7.2 | Exploits: 0 | References: 10

Office Hours - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-032
Drupal | added 2017/03/22 | 11 views

This module enables you to show the office hours of a location to the public. The module doesn't sufficiently filter user input for malicious Cross Site Scripting (XSS). This vulnerability is mitigated by the fact that an attacker must have a role with a permission to add fields to an entity. CVE...

AI score: 6.6 | Exploits: 0 | References: 12

Google Analytics - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-042
Drupal | added 2016/08/10 | 11 views

This module enables you to add integration with the Google Analytics statistics service. The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted. This vulnerability is...

AI score: 7 | Exploits: 0 | References: 13

Page Manager Search - Moderately Critical - Information disclosure - SA-CONTRIB-2016-032
Drupal | added 2016/06/08 | 11 views

This module enables you to make Panels pages and other pages managed by CTools' Page Manager submodule indexable and searchable through the standard Search module provided in Drupal core. The module doesn't block access to Page Manager pages which have been disabled. CVE identifiers issued: A CVE...

AI score: 7.2 | Exploits: 0 | References: 12

Fieldable Panels Panes - Moderately Critical - XSS - SA-CONTRIB-2016-025
Drupal | added 2016/05/04 | 11 views

This module enables you to create fieldable entities that have special integration with Panels. The module doesn't sufficiently filter the entity title or admin title fields when they are displayed in either the Panels admin UI or the In-Place Editor (IPE), allowing for specially crafted XSS attack...

AI score: 6.1 | Exploits: 0 | References: 12

Scald File - Critical - Remote Code Execution - SA-CONTRIB-2016-015
Drupal | added 2016/03/09 | 11 views

When a PDF is uploaded in Scald File, various tools can be executed, if they're installed on the server, to try to generate a thumbnail out of that PDF. This is mitigated by the need to have sufficient permissions to upload a file in Scald, and also to have at least one of the thumbnail creati...

AI score: 7.2 | Exploits: 0 | References: 10

Open Atrium - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-174
Drupal | added 2015/12/16 | 11 views

The Open Atrium distribution enables you to create an intranet. The Open Atrium Core module doesn't sufficiently sanitize some user supplied text, leading to a reflected Cross Site Scripting (XSS) vulnerability. CVE identifiers issued: A CVE identifier will be requested, and added upon issuance, in accordanc...

AI score: 6.7 | Exploits: 0 | References: 16

Linear Case - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-084
Drupal | added 2015/03/25 | 11 views

The Linear Case module allows you to organize Closed Question documents in case studies. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user with...

CVSS: 3.5 | AI score: 6 | EPSS: 0.00965 | Exploits: 0 | References: 9

SA-CONTRIB-2015-061 - Ubercart Webform Integration - Cross Site Scripting (XSS)
Drupal | added 2015/02/25 | 11 views

The Ubercart Webform Integration module integrates the Webform and Ubercart modules. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to...

AI score: 6.6 | Exploits: 0 | References: 10

SA-CONTRIB-2014-118 - Administer Users by Role - Access Bypass - Unsupported
Drupal | added 2014/12/10 | 12 views

This module enables site builders to set up fine-grained permissions for allowing users to edit and delete other users. The module doesn't sufficiently validate access permissions, enabling users who supposedly have limited permissions to grant themselves more permissions. This vulnerability is...

AI score: 6.8 | Exploits: 0 | References: 10

SA-CONTRIB-2014-119 - Google Analytics - Information disclosure
Drupal | added 2014/12/10 | 11 views

This module enables you to integrate Drupal with Google Analytics. The module leaks the site-specific hash salt to authenticated users when user-id tracking is turned on. This vulnerability is mitigated by the fact that user-id tracking must be turned on and the attacker needs to have an account ...

AI score: 6.9 | Exploits: 0 | References: 11

SA-CONTRIB-2014-103 - Passwordless - Cross Site Scripting (XSS)
Drupal | added 2014/10/29 | 11 views

This module replaces the regular Drupal login form with a modification of the password-request form, to give the possibility to log in without using a password. The module doesn't sufficiently sanitize user-generated text entered in the module's configuration form. This vulnerability is mitigated...

AI score: 7 | Exploits: 0 | References: 10

SA-CONTRIB-2014-097 - nodeaccess - Access Bypass
Drupal | added 2014/10/08 | 11 views

Nodeaccess is a Drupal access control module which provides view, edit and delete access to nodes. A flaw in the module can inadvertently allow the author of a node to view, edit or delete that node even when the author should not have access. The module over-eagerly grants read/write/delete access to all autho...

AI score: 7.1 | Exploits: 0 | References: 13

SA-CONTRIB-2014-079 - RedHen CRM - Cross Site Scripting (XSS)
Drupal | added 2014/08/20 | 11 views

The RedHen CRM project contains the redhen_dedup module, which enables you to find duplicate contacts in the CRM. The redhen_dedup module doesn't sufficiently filter administrator-entered text when deduping contacts, which creates a Cross Site Scripting (XSS) vulnerability. The vulnerability is...

AI score: 6.2 | Exploits: 0 | References: 11

SA-CONTRIB-2014-062 - Password Policy - Multiple vulnerabilities
Drupal | added 2014/06/18 | 11 views

The Password Policy module enables you to define and enforce password policies with various constraints on allowable user passwords. Access bypass and information disclosure (7.x only): The module has a history constraint, which when enabled, disallows a user's password from being changed to match a...

AI score: 6.8 | Exploits: 0 | References: 14

SA-CONTRIB-2014-024 - Content Lock - CSRF
Drupal | added 2014/02/26 | 11 views

This module prevents people from editing the same content at the same time. It adds a locking layer to nodes. It does not protect from CSRF. CVE identifiers issued: A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected: All...

AI score: 7 | Exploits: 0 | References: 9

Total number of security vulnerabilities: 1911