SA-CONTRIB-2013-072 - Node View Permissions - Access Bypass
The Node View Permissions module adds permissions "View own content" and "View any content" for each content type on the permissions page. However, it only implements hook_node_access and not hook_query_alter, which means any listing of nodes does not respect the node view permission. CVE identifiers...
SA-CONTRIB-2013-008 - CurvyCorners - Cross Site Scripting (XSS) - module unsupported
The CurvyCorners module enables you to create rounded corners on HTML block elements. The module doesn't sufficiently filter user-entered text when it is displayed. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer curvycorners". CVE...
SA-CONTRIB-2012-141 - Mass Contact - Access bypass
This module allows anyone with permission to send a single message to multiple users of a site, using its roles functionality. The module doesn't sufficiently check permissions after the form has been submitted. This vulnerability is mitigated by the fact that an attacker must use a tool of some...
SA-CONTRIB-2012-139 - PDFThumb OS Injection
The PDFThumb module creates thumbnail images of PDF files. The module doesn't sufficiently escape user-entered values when executing commands on the server, allowing an attacker to execute whatever commands are available to the web server user (e.g. www-data). This vulnerability is mitigated by the fact...
SA-CONTRIB-2012-133 - Taxonomy Image - Cross Site Scripting (XSS) & Arbitrary PHP code execution
The taxonomy_image module allows site administrators to associate images with taxonomy terms. The module did not sufficiently filter retrieval of taxonomy images, allowing users to bypass Drupal's normal file upload protections to install malicious HTML or executable code on the server. This...
SA-CONTRIB-2012-123 - Shibboleth authentication - Access Bypass
The Shibboleth authentication module provides user authentication with Shibboleth single sign-on systems (both v1.3 and v2.0) as well as some authorization features (automatic role assignment based on Shibboleth attributes). The module doesn't sufficiently confirm the user's active status in Drupal...
SA-CONTRIB-2012-109 - Restrict node page view - Access bypass
This module enables you to disable direct access to node pages (node/XXX) based on node types and permissions. The module issues a NODE_ACCESS_ALLOW if its permissions are met, but does not respect the "administer nodes" or "access own unpublished content" permissions. The consequence is that this...
SA-CONTRIB-2012-113 - Drupal Commons - Access Bypass
Drupal Commons is a ready-to-use solution for building either internal or external communities. The Drupal Commons feature (a central module in the distribution) includes a listing of recent comments on discussions. This listing of comments is powered by a view that doesn't fully enforce node acces...
SA-CONTRIB-2012-068 - Node Gallery - Cross Site Request Forgery (CSRF) - Unsupported
CVE: CVE-2012-2305. Node gallery enables users to create more flexible and powerful galleries that are fully integrated with Drupal's core node system. This module does not protect against a CSRF attack when creating node galleries. Versions affected: 6.x-3.1 and before. Drupal core is not affected. If you d...
SA-CONTRIB-2011-057 - Support Ticketing System - Cross Site Scripting (XSS)
The Support Ticketing System module provides a basic ticketing system and helpdesk that is native to Drupal, offering complete email integration. The module does not properly sanitize user-supplied content, resulting in multiple Cross-Site Scripting (XSS) vulnerabilities. This vulnerability is...
SA-CONTRIB-2011-058 - Support Timer - Cross Site Scripting (XSS)
The Support Timer module adds a javascript-based timer to the Support Ticketing System for tracking how long users are working on support tickets, as well as administrative reports. The module does not properly sanitize user-supplied content, resulting in multiple Cross-Site Scripting (XSS)...
SA-CONTRIB-2011-055 - Webform CiviCRM Integration - Multiple vulnerabilities
The Webform CiviCRM Integration module extends the functionality of the Webform Module to link form submissions with a CiviCRM database. Version 2.0 of the module added form validation based on CiviCRM data type. A flaw in the implementation of this feature caused other validation handlers to fai...
SA-CONTRIB-2011-051 - Hotblocks module - multiple vulnerabilities
The HotBlocks module provides a rich experience for managing blocks. The module contained multiple vulnerabilities including Cross Site Scripting (XSS), Access Bypass, and Cross Site Request Forgery (CSRF). XSS is mitigated by the fact that an attacker must have a role with the permission "administer...
SA-CONTRIB-2011-050 - Organic groups - Access bypass
Organic groups (OG) enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. OG has an API function to check access to an entity which is in a group "context". When the entity isn't in a...
SA-CONTRIB-2010-104 - Relevant Content - Information Disclosure
The Relevant Content module provides a block and CCK field which contain links to other nodes on the site which are considered "relevant" to the current node based on the number of shared taxonomy terms. The Relevant Content module does not implement node access logic properly, resulting in the...
SA-CONTRIB-2010-102 - Category tokens - Cross Site Scripting
The Category tokens module exposes additional tokens for the first and last terms related to a node for each vocabulary. The module does not sanitize the vocabulary names when displayed in token help, leading to a Cross-Site Scripting (XSS) vulnerability that may lead to a malicious user gaining fu...
SA-CONTRIB-2010-103 - Node Relativity - Multiple vulnerabilities
The Node Relativity module allows parent-child relationships between nodes to be established, managed and searched. The Node Relativity module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability which can be used by a maliciou...
SA-CONTRIB-2010-083 - Ubercart sub-modules - Multiple Vulnerabilities
The Ubercart module for Drupal provides e-commerce features. Several modules within Ubercart were vulnerable to various security issues. 1. The 2Checkout gateway module did not properly verify the payment notification information. A malicious user could use a specially crafted HTTP request to...
SA-CONTRIB-2010-078 - Kaltura - Information disclosure
The Kaltura module integrates the Kaltura open source video platform with Drupal. When installing, uninstalling, or configuring the module, it would surreptitiously inject a hidden iframe into the messages displayed to the administrator with the source pointing to corp.kaltura.com/stats/drupal...
SA-CONTRIB-2010-072: Hierarchical Select - Cross Site Scripting
The Hierarchical Select module provides a "hierarchical_select" form element, which is a greatly enhanced way of letting the user select items in a taxonomy. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability that...
SA-CONTRIB-2010-071 - MultiSafepay Integration - Cross Site Request Forgery
The MultiSafepay Integration module provides integration between the Ubercart e-commerce solution and the MultiSafepay payment system. The module is vulnerable to Cross Site Request Forgeries (CSRF) which would allow a malicious user to alter the status of orders or to trick other users into alteri...
SA-CONTRIB-2010-067 - Views - Multiple vulnerabilities
The Views module provides a flexible method for Drupal site designers to control how lists and tables of content are presented. Cross Site Request Forgery (CSRF): The Views UI module, which is included with Views, can be used to enable/disable Views by following a link to a particular page e.g...
SA-CONTRIB-2010-045 - Auto Assign Role - Access bypass
The Auto Assign Role serves three primary purposes. The first is to provide an automatic assignment of roles when a new account is created. The second is to allow the end user the option of choosing their own role or roles when they create their account. The third is to provide paths that will...
SA-CONTRIB-2010-035: Smileys - Cross Site Request Forgery
The Smileys module provides a text filter that substitutes emoticons with images. The module is vulnerable to cross-site request forgeries (CSRF) via the URL used to delete smileys. A user with "administer smileys" permission could be tricked into visiting the smiley delete URL and unwittingly remo...
SA-CONTRIB-2009-115 - Autocomplete Widgets for CCK Text and Number - Information Disclosure
The Autocomplete Widgets module adds two autocomplete widgets for CCK fields of type Text and Number. The autocomplete callback implemented by this module does not honor permissions to access CCK fields, allowing users to see field values even though they are not authorized to access that information...
SA-CONTRIB-2009-114 - Automated Logout - Cross Site Scripting
This module provides a site administrator the ability to log users out after a specified time of inactivity. The module does not sanitize some of the user-supplied data before displaying it, leading to a cross-site scripting (XSS) vulnerability. Users who can take advantage of this vulnerability...
SA-CONTRIB-2009-113 - FAQ - Cross Site Scripting
The Frequently Asked Questions (faq) module allows users, with the appropriate permissions, to create question and answer pairs which are displayed on the 'faq' page, and in the random and recent FAQ blocks. The module does not sanitize some of the user-supplied data before displaying it, leading t...
SA-CONTRIB-2009-103 - Strongarm - Cross Site Scripting
The Strongarm module enables other modules to enforce variable settings programmatically. It can also be used to override any of these variables, and lets the administrator see which variables have been overridden, along with their current values. When using the settings page to see overridden...
SA-CONTRIB-2009-107 - Ubercart - Access bypass, Cross site request forgery
Ubercart's PayPal Website Payments Standard integration exposes a path for completed orders without properly checking that the order is valid for the current user. In the event that the order has already been processed for checkout, this can result in duplicate actions taking place inadvertently...
SA-CONTRIB-2009-084 - LDAP Integration - Multiple Vulnerabilities
The LDAP Integration module enables users to authenticate against LDAP servers. The module does not properly implement confirmation pages for the LDAP server activation/deactivation, which could lead to a Cross Site Request Forgery (CSRF) attack. The user defined server name is not properly escaped ...
SA-CONTRIB-2009-076 - Flag Content Cross Site Scripting
The Flag Content module enables users to flag nodes and users for the attention of a site maintainer (e.g. for abuse, spam, trolling, etc.). In some specific cases, the module does not sanitize before outputting the Reason field, resulting in a cross-site scripting (XSS) vulnerability. Such an...
SA-CONTRIB-2009-078 - Moodle Course List - SQL Injection
The Moodle Course List module provides a block which displays links to a user's Moodle courses. In some cases the module does not properly sanitize user input, leading to a SQL Injection vulnerability. Such an attack may lead to a malicious user gaining full administrative access...
SA-CONTRIB-2009-067 Dex module - Cross Site Scripting, no longer maintained
The Dex: Contact Information Manager module enables contact information management with Google Maps and Yahoo Maps compatible geocoding. The module suffers from a Cross Site Scripting (XSS) vulnerability. Such an attack may lead to a malicious user gaining full administrative access. This module is...
SA-CONTRIB-2009-064 - Bibliography module - Cross Site Scripting
The Bibliography module (also known as Biblio) allows users to manage and display lists of scholarly publications. The Biblio module creates customized views in order to display these listings, and these listings contain text entered by users with the 'create biblio' permission. In some cases, the...
SA-CONTRIB-2009-055 - BUEditor - Cross Site Scripting
The BUEditor module provides a plain textarea editor designed to facilitate code writing. The module suffers from a Cross Site Scripting (XSS) vulnerability, which allows an attacker to hijack the account of a logged in user by tricking them into visiting a seemingly innocent page using the Live...
SA-CONTRIB-2009-049 - Live - Privilege escalation, Impersonation
The Live module provides dynamic previews of content. When editing certain content nodes, the current user becomes logged in as the content's original author. Versions affected: Live for Drupal 6.x prior to 6.x-1.2. Drupal core is not affected. If you do not use the contributed Live module, there i...
SA-CONTRIB-2009-044 - Bubbletimer - Multiple vulnerabilities
Bubbletimer allows users to create timesheets based on nodes. It suffers from a cross-site scripting (XSS) vulnerability due to not properly sanitizing node titles before they are displayed. It is also vulnerable to cross-site request forgeries (CSRF), making it possible for users to unknowingly add...
SA-CONTRIB-2009-043 - Image Assist - Multiple vulnerabilities
The Image Assist module for Drupal 5.x and 6.x allows users to upload and insert inline images into posts. Two vulnerabilities and weaknesses were discovered in the contributed Image Assist module. Cross site scripting: The node title is treated as if it was safe text, and is not escaped before...
SA-CONTRIB-2009-040 - Advanced Forum - Multiple vulnerabilities
Cross-site scripting: The Advanced Forum module does not correctly handle certain arguments obtained from the URL. By enticing a suitably privileged user to visit a specially crafted URL, a malicious user is able to insert arbitrary HTML and script code into forum pages. Such a cross-site scriptin...
SA-CONTRIB-2009-038 - Nodequeue - Multiple vulnerabilities
The Nodequeue module enables an administrator to arbitrarily put nodes in a group for some purpose, such as providing a listing of nodes or featuring a particular node. It suffers from a cross-site scripting (XSS) vulnerability due to not properly sanitizing vocabulary names before they are...
SA-CONTRIB-2009-011 Tasklist - SQL injection and Cross site scripting
Tasklist does not properly use the Drupal database API and inserts values from the URL directly into queries. This can be exploited to perform SQL Injection attacks. These attacks may lead to a malicious user gaining full administrator access. In addition, Tasklist allows users to add CSS to page...
SA-CONTRIB-2009-003 - Internationalization (i18n) Translation module - Access bypass
The third-party i18n module enables users to make a translation of an existing item of content (a node). In that process the existing node's content is copied into the new node. The module contains a flaw that allows a user with the 'translate node' permission to potentially bypass normal viewing...
SA-CONTRIB-2009-002 - Project issue tracking - Multiple vulnerabilities
This announcement covers the following two issues for the Project issue tracking module. 1. Under certain conditions, users may receive email updates for issues which they do not have proper access rights to. This issue is mainly a problem for sites that use a contributed node access module,...
SA-2008-070 - Comment Mail - Cross site request forgery
The Comment Mail module allows an email to be sent to the site administrators when new comments are posted. Links in the email allow for quick approval, editing, deletion of the comment and/or banning of the poster's IP address. Unfortunately some links are vulnerable to cross site request...
SA-2008-071 - User Karma - Multiple vulnerabilities
The User Karma module displays and manages karma points of users. How karma points are calculated is defined by other modules which hook into the User Karma module. Unfortunately the User Karma module allows administrators to enter a list of content types and voting API values which are then used...
SA-2008-063 - multiple third party modules - Access bypass due to incorrect Drupal 6 updates
Several contributed modules were incorrectly updated for the Drupal 6.x menu system in such a way that the intended access controls are likely to be bypassed by unprivileged users. In some cases, this includes access to the administrative functions of these modules, or access to content the user...
SA-2008-038 - Services - Arbitrary code execution
The Services module package was created out of a need for a standardized solution to integrate external applications with Drupal. It builds on concepts from Drupal core's XMLRPC interface, but abstracts service callbacks so that they may be used with multiple interfaces such as XMLRPC, SOAP, REST...
SA-2008-10 - Archive - Cross site scripting
The Archive module provides a replacement for the archive functionality that was present in Drupal 4.7. Certain URL arguments are not escaped before display. It is therefore possible to inject arbitrary HTML and script code into certain archive pages, which may lead to administrator access if...
SA-2008-001 - Devel - Cross site scripting
The devel module contains many useful developer functions, such as a query log and the display of variables. The contents of the variable table are not escaped prior to display. Should an unprivileged user be able to control the contents of a site variable, it would be possible to inject arbitrary...
SA-2007-032 - Shoutbox - Cross site scripting
Messages sent from the Shoutbox block, where visitors can quickly post short messages, are not properly sanitized in a number of cases. This allows malicious users to inject arbitrary HTML and script code into the block. Learn more about cross site scripting on Wikipedia. Versions affected Shoutbo...