Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2008/06/18 12:0 a.m.14 views

SA-2008-037 - TrailScout - XSS and SQL injection

The TrailScout module displays a number of last visited pages as breadcrumbs. The module displays certain values without appropriate filtering. Malicious users with the permission to create posts are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cross sit...

7.7AI score
Exploits0References6
Drupal
Drupal
added 2008/06/18 12:0 a.m.14 views

SA-2008-038 - Services - Arbitrary code execution

The Services module package was created out of a need for a standardized solution to integrate external applications with Drupal. It builds on concepts from Drupal core's XMLRPC interface, but abstracts service callbacks so that they may be used with multiple interfaces such as XMLRPC, SOAP, REST...

8AI score
Exploits0References7
Drupal
Drupal
added 2008/06/11 12:0 a.m.14 views

SA-2008-035 - Aggregation - Multiple vulnerabilities

The Aggregation module syndicates content from external feeds saving them as nodes. A significant amount of vulnerabilities were discovered in the module: Cross site scripting - Numerous values are displayed without being properly escaped or filtered, which enables users to inject arbitrary HTML...

8.2AI score
Exploits0References6
Drupal
Drupal
added 2008/04/03 12:0 a.m.14 views

SA-2008-024 - Webform - Cross site scripting

The contributed webform module provides a webform nodetype. Typical uses for webform are to create questionnaires, contact or request/register forms, surveys, polls or a front end to issues tracking systems. On several points in the codebase, user-supplied data is not escaped before it is...

6.2AI score
Exploits0References7
Drupal
Drupal
added 2008/01/10 12:0 a.m.14 views

SA-2008-002 - Atom - Access bypass

The Atom module provides a list of node titles, and teasers or bodies as part of a syndication feed. In certain conditions, the titles, teasers, and body were not respecting access permissions, potentially exposing content to syndication not available otherwise. Versions affected Atom for Drupal...

7AI score
Exploits0References5
Drupal
Drupal
added 2007/10/03 12:0 a.m.14 views

SA-2007-022 - Boost - file overwrite

The Boost module provides a static file-based cache of Drupal pages for anonymous users. A vulnerability allows an attacker to create or overwrite any filename in any directory that the web server can write to. The affected file will always contain the fully rendered HTML for a single Drupal page...

6.8AI score
Exploits0References2
Drupal
Drupal
added 2007/04/11 12:0 a.m.14 views

Multiple vulnerabilities in Database Administration (dba) module

The Database Administration dba module allows site administrators with sufficient privileges to view and directly modify the Drupal database tables for a site. Numerous cross-site scripting XSS vulnerabilities were discovered when the administrator runs queries to display data from the database,...

6.2AI score
Exploits0References4
Drupal
Drupal
added 2007/03/06 12:0 a.m.14 views

Nodefamily - Access bypass

Nodefamily is needed for building user profiles with the nodeprofile module. By manipulating URL arguments, authenticated users are able to access and modify the profile of other users. Versions affected Nodefamily for Drupal 5.x before 5.x-1.0 Nodefamily for 4.7.x is not affected. Drupal core is...

7AI score
Exploits0References3
Drupal
Drupal
added 2007/01/31 12:0 a.m.14 views

Textimage - response validation bypass

Captcha validation by Textimage can be bypassed by manipulating request variables while posting. This defeats the purpose of the captcha and makes automated submission possible. Versions affected All versions of Textimage 4.7.x prior to Textimage 4.7-1.2. All versions of Textimage 5.x prior to...

7.1AI score
Exploits0References4
Drupal
Drupal
added 2006/12/05 12:0 a.m.14 views

CVS management/tracker XSS

The motivation field of the CVS application page is not passed through checkmarkup on display. A malicious user may use this field to insert and execute XSS Cross Site Scripting. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. Revoking the...

6.3AI score
Exploits0References5
Drupal
Drupal
added 2006/09/20 12:0 a.m.14 views

Site Profile Directory cross site scripting vulnerability

It is possible for a malicious user to insert and execute XSS Cross Site Scripting, due to lack of validation on output. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. Versions affected Drupal core is not affected. If you do not use the Sit...

6.3AI score
Exploits0References5
Drupal
Drupal
added 2006/09/13 12:0 a.m.14 views

Userreview cross site scripting vulnerability

It is possible for a malicious user to insert and execute XSS Cross Site Scripting, due to lack of validation on output. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. Versions affected Drupal core is not affected. If you do not use the...

6.3AI score
Exploits0References4
Drupal
Drupal
added 2006/07/04 12:0 a.m.14 views

Form_mail module allows arbitrary header injection

Linefeeds and carriage returns were not being stripped from email headers, raising the possibility of bogus headers being inserted into outgoing email. This could lead to sites being used to send unwanted email. Versions affected formmail versions prior to revision 1.8.2.2 on 27.6.2006 Drupal cor...

7.1AI score
Exploits0References2
Drupal
Drupal
added 2026/02/25 12:0 a.m.13 views

SAML SSO - Service Provider - Critical - Cross-site scripting - SA-CONTRIB-2026-018

This module enables you to perform SAML protocol-based single sign-on SSO on a Drupal site. The module doesn't sufficiently sanitize user input, leading to a reflected Cross-site scripting XSS vulnerability...

6.1CVSS5.2AI score0.00193EPSS
Exploits0References1
Drupal
Drupal
added 2026/02/04 12:0 a.m.13 views

Login Disable - Less critical - Access bypass - SA-CONTRIB-2026-008

The Login Disable module prevents users from logging in to your Drupal site unless they know the access key to add to the end of the login form page. default: http://example.com/user/login?admin If they provide the access key and have a specific role they can log in. The module does not check for...

4.3CVSS5.5AI score0.00202EPSS
Exploits0References3
Drupal
Drupal
added 2026/01/14 12:0 a.m.13 views

Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001

This module enables allows group managers to invite people into their group. The module doesn't sufficiently check access under certain circumstances, allowing unauthorized users to access the group's content. This vulnerability is mitigated by the fact that it only occurs when certain uncommon...

5.3CVSS5.5AI score0.00197EPSS
Exploits0References4
Drupal
Drupal
added 2025/12/17 12:0 a.m.13 views

HTTP Client Manager - Less critical - Information disclosure - SA-CONTRIB-2025-126

Http Client Manager introduces a new Guzzle based plugin which allows you to manage HTTP clients using Guzzle Service Descriptions via YAML, JSON or PHP files, in a simple and efficient way. The modules allows administrators to configure HTTP requests as part of Event Condition Action ECA...

7.5CVSS5.5AI score0.00263EPSS
Exploits0References4
Drupal
Drupal
added 2025/12/03 12:0 a.m.13 views

Next.js - Critical - Access bypass - SA-CONTRIB-2025-122

This module enables integration between Next.js and Drupal for headless CMS functionality. When installed, the module automatically enables cross-origin resource sharing CORS with insecure default settings Access-Control-Allow-Origin: , overriding any services.yml CORS configuration. This allows...

6.1CVSS5.4AI score0.00141EPSS
Exploits0References3
Drupal
Drupal
added 2025/11/05 12:0 a.m.13 views

Simple multi step form - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-116

This module provides the ability to convert any entity form into a simple multi-step form. The module doesn’t sufficiently filter certain user-provided text leading to a cross-site scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

3.5CVSS5.3AI score0.00151EPSS
Exploits0References2
Drupal
Drupal
added 2025/10/29 12:0 a.m.13 views

Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114

This module introduces an OAuth 2.0 authorization server, which can be configured to protect your Drupal instance with access tokens, or allow clients to request new access tokens and refresh them. The module doesn't sufficiently respect granted scopes, it affects all access checks that are based...

7.5CVSS5.7AI score0.00343EPSS
Exploits0References2
Drupal
Drupal
added 2025/10/22 12:0 a.m.13 views

CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113

CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components. CivicTheme does not sufficiently filter field data before rendering them in Twig templates. This combined with...

6.1CVSS5.5AI score0.00184EPSS
Exploits0References2
Drupal
Drupal
added 2025/10/22 12:0 a.m.13 views

CivicTheme Design System - Moderately critical - Information disclosure - SA-CONTRIB-2025-112

CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components. The theme doesn't sufficiently check access to entities when they are displayed as reference cards used in manu...

7.5CVSS5.5AI score0.0028EPSS
Exploits0References2
Drupal
Drupal
added 2025/09/24 12:0 a.m.13 views

Reverse Proxy Header - Less critical - Access bypass - SA-CONTRIB-2025-111

This module allows you to specify an HTTP header name to determine the client's IP address. The module doesn't sufficiently handle all cases under the scenario if Drupal Core settings $settings'reverseproxy' is set to TRUE and $settings'reverseproxyaddresses' is configured. This vulnerability...

5.3CVSS5.6AI score0.00276EPSS
Exploits0References2
Drupal
Drupal
added 2025/08/27 12:0 a.m.13 views

Synchronize composer.json With Contrib Modules - Critical - Unsupported - SA-CONTRIB-2025-102

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.3CVSS5.4AI score0.00234EPSS
Exploits0References2
Drupal
Drupal
added 2025/06/25 12:0 a.m.13 views

Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-082

The module enables you to add second-factor authentication on top of the default Drupal login. The module does not sufficiently ensure that known authorization routes are protected. This vulnerability is mitigated by the fact that an attacker must obtain the user's username and password...

4.8CVSS5.6AI score0.00204EPSS
Exploits0References3
Drupal
Drupal
added 2025/04/23 12:0 a.m.13 views

Colorbox - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-041

Colorbox is a module that allows Images, and iframed or inline content to be displayed in a modal above the current page. The Colorbox module doesn't sufficiently sanitize data attributes before opening modals. This vulnerability is mitigated by the fact that an attacker must have a role with...

6.1CVSS5.6AI score0.00214EPSS
Exploits0References2
Drupal
Drupal
added 2025/02/12 12:0 a.m.13 views

Open Social - Less critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-015

Open Social is a Drupal distribution for online communities, which ships with a default module to invite users to groups and events. Invites for a specific user can be seen under certain conditions. The issue is mitigated for events by the fact that socialeventmaxenroll has to be enabled...

8.1CVSS7AI score0.00382EPSS
Exploits0References3
Drupal
Drupal
added 2024/11/20 12:0 a.m.13 views

Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004

Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues...

8.1CVSS6.5AI score0.00408EPSS
Exploits0References14
Drupal
Drupal
added 2024/08/21 12:0 a.m.13 views

Opigno TinCan Question Type - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-031

The Opigno TinCan Question Type module is related to Opigno LMS distribution. The module adds a new question type for the Quiz module. With this new question type, you will be able to import TinCan Packages to your Drupal instance and to use it as a question. Uploaded files were not sufficiently...

7.5CVSS7.4AI score0.00547EPSS
Exploits0References9
Drupal
Drupal
added 2021/09/22 12:0 a.m.13 views

The Better Mega Menu - Critical - Cross Site Request Forgery - SA-CONTRIB-2021-040

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. The module does not use CSRF tokens to protect routes for saving menu configurations. This vulnerability can be exploited by an anonymous user...

6.7AI score
Exploits0References5
Drupal
Drupal
added 2020/07/29 12:0 a.m.13 views

Group - Critical - Information Disclosure - SA-CONTRIB-2020-030

This module enables you to hand out permissions on a smaller subset, section or community of your website. The module used to leverage the node grants system but turned it off in its recent 8.x-1.0 release in favor of a system that works for ALL entity types, not just nodes. By doing so, some...

6.3AI score
Exploits0References4Affected Software1
Drupal
Drupal
added 2020/06/17 12:0 a.m.13 views

Internationalization - Moderately critical - Cross site scripting - SA-CONTRIB-2020-025

The Internationalization i18n module is a collection of modules to extend Drupal core multilingual capabilities and allows to build real life multilingual sites. A value in the term translation module is displayed without being escaped leading to a Cross Site Scripting XSS vulnerability. This...

5.9AI score
Exploits0References6
Drupal
Drupal
added 2020/05/06 12:0 a.m.13 views

Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-014

This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently filter user input under in the scenario when a webform is edited, namely the message related to character min/max counter does not undergo sufficient filtering and thus allows execution of JavaScript cod...

6.6AI score
Exploits0References8
Drupal
Drupal
added 2019/10/02 12:0 a.m.13 views

Ubercart - Moderately critical - Cross site scripting - SA-CONTRIB-2019-070

The Ubercart module provides a shopping cart and e-commerce features for Drupal. The order module doesn't sufficiently sanitize user input when displayed on an invoice leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a rol...

5.9AI score
Exploits0References6
Drupal
Drupal
added 2019/09/18 12:0 a.m.13 views

TableField - Moderately critical - Access bypass - SA-CONTRIB-2019-067

This module allows you to attach tabular data to an entity. There is insufficient access checking for users with the ability to "Export Tablefield Data as CSV". They can export data from unpublished nodes or otherwise inaccessible entities. This vulnerability is mitigated by the fact that an...

6.4AI score
Exploits0References9
Drupal
Drupal
added 2019/07/24 12:0 a.m.13 views

Existing Values Autocomplete Widget - Critical - Access bypass - SA-CONTRIB-2019-060

This module provides an autocomplete widget for text fields that suggests all existing previously entered values for that field. The module doesn't sufficiently check for proper access permission before returning autocomplete results. This vulnerability is mitigated by the fact that an attacker...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2019/02/20 12:0 a.m.13 views

Translation Management Tool - Critical - Remote Code Execution - SA-CONTRIB-2019-024

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...

6.7AI score
Exploits0References3
Drupal
Drupal
added 2018/12/05 12:0 a.m.13 views

Salesforce Suite - Moderately critical - Access bypass - SA-CONTRIB-2018-078

This module enables Drupal to synchronize entities with Salesforce records. The module includes a page that does not sufficiently protect access rights, resulting in potential information disclosure. This vulnerability is mitigated by the fact that only Drupal entity title and IDs, and Salesforce...

6.1AI score
Exploits0References6
Drupal
Drupal
added 2018/02/07 12:0 a.m.13 views

Entity Reference Tab / Accordion Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-008

This module enables you to show referenced entities in tabs. The module doesn't sufficiently sanitize the body fields of the referenced entities when it prints them to the tabs. This vulnerability is mitigated by the fact that an attacker must have a role with the permission create/edit content o...

6.4AI score
Exploits0References4
Drupal
Drupal
added 2017/11/01 12:0 a.m.13 views

Automated Logout - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-081

This module provides a site administrator the ability to log users out after a specified time of inactivity. It is highly customizable and includes "site policies" by role to enforce log out. The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting...

6AI score
Exploits0References5
Drupal
Drupal
added 2017/09/20 12:0 a.m.13 views

Page Access - Unsupported - SA-CONTRIB-2017-75

This module will provide the option to give the View and Edit access for users and roles on each node pages. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module,...

6.7AI score
Exploits0References7
Drupal
Drupal
added 2017/08/16 12:0 a.m.13 views

Views - Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068

When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to...

7AI score
Exploits0References16
Drupal
Drupal
added 2017/08/02 12:0 a.m.13 views

ajax_facets - Unsupported - SA-CONTRIB-2017-061

Updates The maintainer has resolved this issue, please read the release notes for more information. This module allows you to create facet filters which working by AJAX. Filters and search results will be updated by AJAX. The security team is marking this module unsupported. There is a known...

7.1AI score
Exploits0References9
Drupal
Drupal
added 2017/04/12 12:0 a.m.13 views

Scheduler Workbench Integration - Critical - Unsupported - SA-CONTRIB-2017-39

Updates 20170414 - A new module maintainer has been found and a new release for this module has been published. Provides integration between the Scheduler module and the Workbench Moderation module. The security team is marking this module unsupported. There is a known security issue with the...

7.1AI score
Exploits0References8
Drupal
Drupal
added 2017/02/22 12:0 a.m.13 views

Views - Moderately Critical - Access Bypass - SA-CONTRIB-2017-022

The Views module allows site builders to create listings of various data in the Drupal database. The Views module fails to add the required query tags to listings of Taxonomy Terms, which could cause private data stored on Taxonomy Terms to be leaked to users without permision to view it. This is...

6.6AI score
Exploits0References12
Drupal
Drupal
added 2017/02/08 12:0 a.m.13 views

OSF for Drupal - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-014

This module enables administrators to use a user interface to create complex semantic queries that can be saved to be used in different locations of a Drupal instance that uses OSF. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Securi...

7AI score
Exploits0References12
Drupal
Drupal
added 2016/11/09 12:0 a.m.13 views

Views Send - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-061

The Views Send module enables you to send mail to multiple users from a View. The module doesn't sufficiently filter potential user-supplied data when previewing the e-mail which can lead to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker mus...

6.2AI score
Exploits0References11
Drupal
Drupal
added 2016/08/10 12:0 a.m.13 views

Google Analytics - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-042

This module enables you to add integration with Google Analytics statistics service. The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted. This vulnerability is...

7AI score
Exploits0References13
Drupal
Drupal
added 2016/08/03 12:0 a.m.13 views

Administration Views - Critical - Access bypass - SA-CONTRIB-2016-041

Administration Views module replaces overview/listing pages with actual views for superior usability. The module does not check access properly under certain circumstances. Anonymous users could get access to read information they should not have access to. CVE identifiers issued ACVE identifier...

6.7AI score
Exploits0References12
Drupal
Drupal
added 2016/05/18 12:0 a.m.13 views

Registration Codes - Less Critical - Input Validation Vulnerability - SA-CONTRIB-028

This module enables you to allow users to enter a special registration code in order to sign up for the site. The module doesn't sufficiently validate the entered registration code CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Securit...

7.2AI score
Exploits0References12
Total number of security vulnerabilities1940