Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2014/05/14 12:0 a.m.13 views

SA-CONTRIB-2014-053 - Field API Tab Editor (FATE) - Access bypass

This module allows each entity field to be individually edited via its own custom page, accessible via a tab on the entity's page. The module returns an incorrect value to hookmenu if the current user does not have access to edit the entity. This allows users who would not normally have access to...

6.8AI score
Exploits0References11
Drupal
Drupal
added 2014/05/07 12:0 a.m.13 views

SA-CONTRIB-2014-049 - Organic Groups (OG) - Access Bypass

Organic groups OG enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. OG doesn't sufficiently check the permissions when a group member is pending or blocked status within the gro...

6.8AI score
Exploits0References11
Drupal
Drupal
added 2014/04/23 12:0 a.m.13 views

SA-CONTRIB-2014-045 - Drupal Commons - Multiple Vulnerabilities

This SA contains two patches against Drupal Commons Views Bulk Operations Access Bypass Drupal commons comes with a view to moderate reported content, which is intended for authenticated users to view which content has been reported. Since it has hard coded VBO operations within the view, and...

6.8AI score
Exploits0References15
Drupal
Drupal
added 2014/02/26 12:0 a.m.13 views

SA-CONTRIB-2014-024 - Content Lock - CSRF

This module prevents people from editing the same content at the same time. It adds a locking layer to nodes. It does not protect from CSRF. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected All...

7AI score
Exploits0References9
Drupal
Drupal
added 2014/01/22 12:0 a.m.13 views

SA-CONTRIB-2014-005 - Leaflet - Access bypass

The Leaflet module enables you to display an interactive map using the Leaflet library, using entities as map features. The module exposes complete data from entities used as map features to any site visitor with a Javascript inspector like Firebug. CVE identifiers issued ACVE identifier will be...

7AI score
Exploits0References13
Drupal
Drupal
added 2013/10/30 12:0 a.m.13 views

SA-CONTRIB-2013-083 - Quiz - Access Bypass

Access bypass on deleting quiz results The Quiz module provides tools for authoring and administering quizzes through Drupal. A quiz is given as a series of questions, with only one question appearing per page. Scores are then stored in the database. The module doesn't sufficiently check the dele...

5.8AI score
Exploits0References13
Drupal
Drupal
added 2013/07/17 12:0 a.m.13 views

SA-CONTRIB-2013-059 - Hostmaster (Aegir) - Access Bypass

This install profile and accompanying suite of modules enables you to install, upgrade, deploy, and backup Drupal sites among other things. The module doesn't sufficiently control access to running tasks on sites, under the scenario where a user successfully guesses a sites' path in the Aegir...

6.9AI score
Exploits0References12
Drupal
Drupal
added 2013/01/23 12:0 a.m.13 views

SA-CONTRIB-2013-008 - CurvyCorners - Cross Site Scripting (XSS) - module unsupported

The CurvyCorners module enables you to create rounded corners on HTML block elements. The module doesn't sufficiently filter user entered text when being displayed. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer curvycorners". CVE...

2.1CVSS6.2AI score0.02003EPSS
Exploits0References8
Drupal
Drupal
added 2012/09/12 12:0 a.m.13 views

SA-CONTRIB-2012-139 - PDFThumb OS Injection

PDFThumb module creates thumbnail images of PDF files. The module doesn't sufficiently escape user-entered values when executing commands on the server allowing an attacker to execute whatever commands are available to the web server user e.g. www-data. This vulnerability is mitigated by the fact...

7.5AI score
Exploits0References10
Drupal
Drupal
added 2012/08/08 12:0 a.m.13 views

SA-CONTRIB-2012-121 - Shorten URLs - Cross Site Scripting (XSS)

The Shorten URLs module provides an API to shorten URLs via many services like bit.ly and TinyURL, as well as a block and a page that provide an interface for easily shortening URLs. Cross Site Scripting via report The module doesn't sufficiently sanitize user input when displaying shortened URLs...

5.9AI score
Exploits0References13
Drupal
Drupal
added 2012/08/01 12:0 a.m.13 views

SA-CONTRIB-2012-119 - Excluded Users - Cross Site Scripting (XSS)

Excluded Users is a helper module which allows administrators to select users to not appear in user listings. The module displays a list of user names and email addresses without sanitizing them. In the event that someone manages to insert malicious code into a user name or email address, this...

6.2AI score
Exploits0References10
Drupal
Drupal
added 2012/07/11 12:0 a.m.13 views

SA-CONTRIB-2012-113 - Drupal Commons - Access Bypass

Drupal Commons is a ready-to-use solution for building either internal or external communities. The Drupal Commons feature a central module in the distribution includes a listing of recent comments on discussions. This listing of comments is powered by a view that doesn't fully enforce node acces...

7AI score
Exploits0References9
Drupal
Drupal
added 2012/07/11 12:0 a.m.13 views

SA-CONTRIB-2012-109 - Restrict node page view - Access bypass

This module enables you to disable direct access to node pages node/XXX based on nodetypes and permissions. The module issues a NODEACCESSALLOW if it's permissions are met, but does not respect the "administer nodes" or "access own unpublished content" permissions. The consequence is that this...

3.5CVSS6.4AI score0.00962EPSS
Exploits0References9
Drupal
Drupal
added 2012/05/30 12:0 a.m.13 views

SA-CONTRIB-2012-090 - File depot - Session Management Vulnerability

The filedepot module is a Document Management module. It fulfills the need for an integrated file management module supporting role and user based security. Documents can be saved outside the Drupal public directory to protect documents for safe access and distribution. The module has a Session...

5.1CVSS6.4AI score0.01547EPSS
Exploits0References10
Drupal
Drupal
added 2011/11/09 12:0 a.m.13 views

SA-CONTRIB-2011-055 - Webform CiviCRM Integration - Multiple vulnerabilities

The Webform CiviCRM Integration module extends the functionality of the Webform Module to link form submissions with a CiviCRM database. Version 2.0 of the module added form validation based on CiviCRM data type. A flaw in the implementation of this feature caused other validation handlers to fai...

7.9AI score
Exploits0References13
Drupal
Drupal
added 2011/11/02 12:0 a.m.13 views

SA-CONTRIB-2011-051 - Hotblocks module - multiple vulnerabilities

The HotBlocks module provides a rich experience for managing blocks. The module contained multiple vulnerabilities including Cross Site Scripting XSS, Access Bypass, and Cross Site Request Forgery CSRF. XSS is mitigated by the fact that an attacker must have a role with the permission "administer...

7AI score
Exploits0References9
Drupal
Drupal
added 2011/08/31 12:0 a.m.13 views

SA-CONTRIB-2011-037- Node Invite - Cross Site Scripting

The Node Invite module allows you to invite users with existing accounts or otherwise to specified nodes on a Drupal site. This module does not properly use t strings to ensure all text was sanitized when data was output through a formseterror message, thus creating a Cross Site Scripting XSS...

6.2AI score
Exploits0References9
Drupal
Drupal
added 2011/05/18 12:0 a.m.13 views

SA-CONTRIB-2011-021 - Webform - Multiple Vulnerabilities

Webform module enables you to create custom webform or survey nodes. These nodes typically may be created either by editorial teams or administrators. Webform does not sufficiently check directory access when a user configures an upload field. This may allow a user to upload malicious files to th...

6.2AI score
Exploits0References13
Drupal
Drupal
added 2011/03/23 12:0 a.m.13 views

SA-CONTRIB-2011-014 - Webform Block - Cross Site Scripting

The Webform Block module enables users to make a webform available as a block. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability that may lead to a malicious user gaining full administrative access. The...

6.1AI score
Exploits0References10
Drupal
Drupal
added 2011/02/02 12:0 a.m.13 views

SA-CONTRIB-2011-009 - Droptor - SQL Injection

The Droptor module connects a Drupal site to Droptor.com, a Drupal monitoring and management solution. When capturing memory logging information the module does not filter the value input from the current page request variable. This vulnerability can be exploited to perform an SQL Injection attac...

7.9AI score
Exploits0References9
Drupal
Drupal
added 2010/11/17 12:0 a.m.13 views

SA-CONTRIB-2010-104 - Relevant Content - Information Disclosure

The Relevant Content module provides a block and CCK field which contain links to other nodes on the site which are considered "relevant" to the current nodes based on number of shared taxonomy terms. The Relevant Content module does not implement node access logic properly, resulting in the...

6.8AI score
Exploits0References9
Drupal
Drupal
added 2010/09/22 12:0 a.m.13 views

SA-CONTRIB-2010-094 - Embedded Media Field - Access bypass

The Embedded Media Field project is a set of modules that enable editors to post URL's and embed codes for third party media providers such as YouTube, Vimeo, or Flickr, which will be automatically parsed and displayed using preset formatters. The Embedded Video Field module packaged with the...

6.9AI score
Exploits0References15
Drupal
Drupal
added 2010/08/11 12:0 a.m.13 views

SA-CONTRIB-2010-087 - GovDelivery - Cross site scripting

The GovDelivery module provides integration with the GovDelivery On-Demand Mailer service, a web service for GovDelivery customers that sends messages directly based on configured account information. The module replaces the backend of SMTP library in your Drupal site with calls to the GovDeliver...

6AI score
Exploits0References5
Drupal
Drupal
added 2010/07/14 12:0 a.m.13 views

SA-CONTRIB-2010-074 - Drupad - Cross-site request forgery

The Drupad module is the companion module of the iPhone / iPodTouch application also called Drupad. The module doesn't check if the incoming request is made from the application, leading to a CSRF vulneraby. This vulnerability can be used to delete users and content, or set the site in offline mo...

7AI score
Exploits0References5
Drupal
Drupal
added 2010/06/16 12:0 a.m.13 views

SA-CONTRIB-2010-067 - Views - Multiple vulnerabilities

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content are presented. Cross Site Request Forgery CSRF The Views UI module, which is included with Views, can be used to enable/disable Views by following a link to a particular page e.g...

7AI score
Exploits0References10
Drupal
Drupal
added 2010/05/19 12:0 a.m.13 views

SA-CONTRIB-2010-057 - Rotor Banner - Cross Site Scripting (XSS)

The Rotor Banner module allows users to upload images which can then be displayed in a block and rotated through using jQuery. However, when these images are displayed, the values for the various image attributes srs, title, alt are not properly sanitized, leading to a cross site scripting XSS...

5.6AI score
Exploits0References6
Drupal
Drupal
added 2010/05/19 12:0 a.m.13 views

SA-CONTRIB-2010-050 - CAPTCHA - Cross Site Scripting

The CAPTCHA module enables a site administrator to put a CAPTCHA form element a simple challenge that is easy for humans, but hard for automated spam bots on any form. The CAPTCHA module does not sanitize the CAPTCHA description that is added as help text to the CAPTCHA form element, allowing use...

5.9AI score
Exploits0References7
Drupal
Drupal
added 2010/05/12 12:0 a.m.13 views

SA-CONTRIB-2010-045 - Auto Assign Role - Access bypass

The Auto Assign Role serves three primary purposes. The first is to provide an automatic assignment of roles when a new account is created. The second is to allow the end user the option of choosing their own role or roles when they create their account. The third is to provide paths that will...

6.9AI score
Exploits0References5
Drupal
Drupal
added 2010/03/03 12:0 a.m.13 views

SA-CONTRIB-2010-023 - Workflow - Cross Site Scripting

When used in combination with the Token module, the Workflow module does not escape the text entered into the Comment field of the workflow fieldset on the node form. This allows a user with the permission to change the workflow state of a node to perform a Cross Site Scripting XSS attack if a...

6.1AI score
Exploits0References7
Drupal
Drupal
added 2010/02/03 12:0 a.m.13 views

SA-CONTRIB-2010-012 - ODF Import - Access Bypass (possible Cross Site Scripting)

ODF Import module enables users of a Drupal site to import content created in the ODF format e.g. using OpenOffice.org. When importing content it always used an input format which might not be available to the user importing the content leading to a cross-site scripting XSS vulnerability. Such an...

6AI score
Exploits0References6
Drupal
Drupal
added 2010/01/06 12:0 a.m.13 views

SA-CONTRIB-2010-003 - Forward - Cross site scripting

This module allows users to forward a link to a specific node on your site to a friend. The Forward module does not properly sanitize user supplied data, allowing users with the "access administration pages" and "administer forward" permissions, or users with "access administration pages" and...

5.9AI score
Exploits0References5
Drupal
Drupal
added 2009/12/23 12:0 a.m.13 views

SA-CONTRIB-2009-113 - FAQ - Cross Site Scripting

The Frequently Asked Questions faq module allows users, with the appropriate permissions, to create question and answer pairs which are displayed on the 'faq' page, and in the random and recent FAQ blocks. The module does not sanitize some of the user-supplied data before displaying it, leading t...

6.2AI score
Exploits0References6
Drupal
Drupal
added 2009/11/18 12:0 a.m.13 views

SA-CONTRIB-2009-104 - Feed Element Mapper - Cross Site Scripting

Feed Element Mapper is an add-on module for FeedAPI that maps elements on a feed item such as tags, or the author name, to taxonomy or CCK fields. These mappings are configurable by a point and click interface. When configuring the mapping, some values coming from external feeds are not sanitized...

6.3AI score
Exploits0References8
Drupal
Drupal
added 2009/11/04 12:0 a.m.13 views

SA-CONTRIB-2009-091 - Node Hierarchy - Cross Site Scripting

The Node Hierarchy module enables a site administrator to arrange their site into a tree-like structure. When displaying the list of children for a node the module does not properly sanitize the titles of the child nodes before outputting them, leading to a cross-site scripting XSS vulnerability...

6.1AI score
Exploits0References7
Drupal
Drupal
added 2009/10/28 12:0 a.m.13 views

SA-CONTRIB-2009-083 - CCK Comment Reference - Access Bypass

The CCK Comment Reference module enables administrators to define node fields that are references to comments. Users can access comments through the autocomplete path that the module provides even if they don't have access to read comments. Versions affected CCK Comment Reference module versions...

7AI score
Exploits0References6
Drupal
Drupal
added 2009/10/21 12:0 a.m.13 views

SA-CONTRIB-2009-080 - Simplenews Statistics - Multiple vulnerabilities

The Simplenews Statistics module provides newsletter statistics such as the open rate and CTR click-through rate. The module suffers multiple vulnerabilities, including Cross Site Request Forgeries CSRF, Cross Site Scripting problem Cross Site Scripting and Open Redirect. This problem allows an...

6AI score
Exploits0References6
Drupal
Drupal
added 2009/10/21 12:0 a.m.13 views

SA-CONTRIB-2009-081 - Abuse - Cross Site Scripting

The Abuse module enables users to flag nodes and comments as offensive, bringing them to the attention of the site maintainer for review. The module suffers from a Cross Site Scripting Cross Site Scripting vulnerability. Such an attack may lead to a malicious user gaining full administrative...

6.6AI score
Exploits0References6
Drupal
Drupal
added 2009/10/14 12:0 a.m.13 views

SA-CONTRIB-2009-070 - Shibboleth authentication - Impersonation, privilege escalation

The Shibboleth authentication module provides user authentication and authorisation based on the Shibboleth Web Single Sign-on system. The module does not properly handle the changes of the underlying Shibboleth session. This can result in impersonation and possible privilege escalation if a user...

7.5AI score
Exploits0References5
Drupal
Drupal
added 2009/09/30 12:0 a.m.13 views

SA-CONTRIB-2009-068 - Boost - Filesystem Directory Creation

The Boost module provides a static file-based cache of Drupal pages for anonymous users. A vulnerability in the module allows an attacker to create new directories inside the webroot that the web server can write to. Existing directories cannot be changed using this vulnerability, but it can be...

7AI score
Exploits0References5
Drupal
Drupal
added 2009/09/16 12:0 a.m.13 views

SA-CONTRIB-2009-057 - Date - Cross Site Scripting

The Date module provides a date CCK field that can be added to any content type. The Date module does not properly escape user data correctly in some cases when setting the page title. A malicious user with permission to post date content could attempt a cross site scripting XSS attack when...

6AI score
Exploits0References6
Drupal
Drupal
added 2009/07/29 12:0 a.m.13 views

SA-CONTRIB-2009-048 - Bibliography Module - Cross Site Scripting

The Bibliography module Biblio allows users to manage and display lists of scholarly publications. The module contains a cross site scripting vulnerability because it does not properly sanitize output of titles before display. A user who has the permission to create content displayed by the...

6AI score
Exploits0References7
Drupal
Drupal
added 2009/07/22 12:0 a.m.13 views

SA-CONTRIB-2009-045: Moderation - Cross Site Request Forgery

The Moderation module uses Ajax to provide a dynamic moderation queue for nodes and comments. The module is vulnerable to cross-site request forgeries CSRF via the AJAX hooks used to toggle the moderation bit. It allows a non-administrative user to trick an admin into publishing arbitrary moderat...

7.2AI score
Exploits0References8
Drupal
Drupal
added 2009/05/13 12:0 a.m.13 views

SA-CONTRIB-2009-026 - LoginToboggan - Access bypass

LoginToboggan includes a setting which, if enabled, allows users to log in using either their username or e-mail address. In some circumstances, previously blocked users may still be able to access the site if this setting is enabled. Versions affected LoginToboggan 6.x-1.x prior to 6.x-1.5...

6.8AI score
Exploits0References4
Drupal
Drupal
added 2009/04/29 12:0 a.m.13 views

SA-CONTRIB-2009-023 - News Page - SQL injection

The News Page module provides a node content type which displays feed items from an aggregator category, filtered by keywords entered into the 'Include Words' field of the node. Unfortunately the News Page module uses keywords directly in SQL queries without being sanitized, allowing SQL injectio...

8.1AI score
Exploits0References5
Drupal
Drupal
added 2009/03/18 12:0 a.m.13 views

SA-CONTRIB-2009-012 - Printer, e-mail and PDF versions - Unrestricted e-mailing (spam)

The "Send by e-mail" module, part of the "Printer, e-mail and PDF versions" project, allows users to send e-mail messages while viewing content on the site. This module was found to have multiple vulnerabilities. Unrestricted e-mailing spam Due to improper use of Drupal's flood control API, it is...

7.2AI score
Exploits0References4
Drupal
Drupal
added 2008/12/17 12:0 a.m.13 views

SA-2008-074 - Services - Insecure signing

Services is a module which provides an API for exposing Drupal functions. It allows clients to remotely call methods on the server and return the requested data for local processing. The module doesn't sign enough of the information that passes through it and uses an insecure hash for signing a...

6.7AI score
Exploits0References5
Drupal
Drupal
added 2008/12/16 12:0 a.m.13 views

SA-2008-075 - Views - SQL Injection

The Views module provides a flexible method for Drupal site designers to control how lists of content are presented. When using an exposed filter on CCK text fields with allowed values, Views does not filter the data correctly. This may allow malicious users to conduct SQL injection attacks again...

8AI score
Exploits0References7
Drupal
Drupal
added 2008/10/08 12:0 a.m.13 views

SA-2008-061 - Everyblog - Multiple vulnerabilities

The module does not follow Drupal best practices for database queries and handling of user submitted data, leading to a number of vulnerabilities. Of special concern is that an unprivileged user may become logged in to the account of an existing user, including an administrator. Versions Affected...

7.5AI score
Exploits0References1
Drupal
Drupal
added 2008/10/01 12:0 a.m.13 views

SA-2008-059 - Brilliant Gallery - SQL Injection and Cross Site Scripting

The Brilliant Gallery module allows users to publish photos in galleries. Two vulnerabilities were found in the module. SQL Injection Brilliant Gallery does not properly use the Drupal database API and inserts values from URLs directly into queries. This can be exploited to perform SQL Injection...

7.3AI score
Exploits0References5
Drupal
Drupal
added 2008/09/18 12:0 a.m.13 views

SA-2008-053 - Answers - Cross site scripting

The Answers module allows a site owner to add a Questions & Answer section to the site. Unfortunately, the module does not properly escape text, which allows malicious users who are able to post answers to insert arbitrary HTML and scripts into a page. Wikipedia has more information about such...

5.8AI score
Exploits0References2
Total number of security vulnerabilities1940