1940 matches found
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-011
The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal, along with a hotfix for that update. Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can...
Loft Data Grids - Moderately critical - XML External Entity (XXE) Processing - SA-CONTRIB-2021-043
This module enables aklump/loftdatagrids to be used as a Drupal module. Excel support was provided by https://packagist.org/packages/phpoffice/phpexcel, which is abandoned and there are known security vulnerabilities: CVE-2018-19277: PHPOffice/PhpSpreadsheet771. Excel support has since been...
Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2023-030
This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. The module doesn't sufficiently ensure all core login routes, including the password reset page, require a second factor credential. This vulnerability is mitigated ...
Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008
The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass...
Better Exposed Filters - Less Critical - Cross Site Sscripting (XSS) - SA-CONTRIB-2017-009
The Better Exposed Filters module gives site builders more choices for rendering Views' exposed form elements. The module does not sufficiently sanitize taxonomy term descriptions when the "Include the term description" option is selected. This vulnerability is mitigated by the fact that an...
Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096
This module enables users to setup two-factor authentication 2FA using authenticator apps for enhanced login security. The module alters the standard Drupal login form to use AJAX callbacks for handling authentication flow. The module doesn't sufficiently validate authentication under specific...
Search API Solr - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-046
This module provides support for creating searches using the Apache Solr search engine and the Search API Drupal module. The module doesn't sufficiently protect certain routes from CSRF attacks. This vulnerability is mitigated by the fact that a site admin would have to perform further steps afte...
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites. We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has...
Drupal core - Less critical - Access bypass - SA-CORE-2020-006
JSON:API PATCH requests may bypass validation for certain fields. By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the readonly set to FALSE under jsonapi.settings config are vulnerable...
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011
Updated 22:00 UTC 2022-06-10: Added steps to update without drupal/core-recommended. Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories: Failure to strip the Cookie header on change in host or HTTP...
Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter...
Drupal core - Moderately critical - Access Bypass - SA-CORE-2021-010
Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected. This advisory is not covered by Drupal Steward...
Drupal core - Moderately critical - Open Redirect - SA-CORE-2020-003
Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. The vulnerability is caused by insufficient validation of the destination query parameter in the drupalgoto function...
Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009
Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual...
Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2023-048
This module enables users to log in by email address with minimal configurations. Drupal core contains protection against brute force attacks via a flood control mechanism. This module's functionality did not replicate the flood control, enabling brute force attacks. A previous security advisory,...
Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012
In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However,...
oEmbed Providers - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-048
This module extends the core Media module and allows site creators to permit oEmbed providers in addition to YouTube and Vimeo, which are deemed trustworthy by the Drupal Security Team. The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility for...
Admin Toolbar Search - Critical - Unsupported - SA-CONTRIB-2022-008
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-007
The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module which comes with the Standard profile is installed. Removing the...
Drupal REST & JSON API Authentication - Moderately critical - Access bypass - SA-CONTRIB-2024-022
Drupal REST & JSON API Authentication module restricts and secures unauthorized access to your Drupal site APIs using different authentication methods including Basic Authentication , API Key Authentication , JWT Authentication , OAuth Authentication , External / Third-Party Provider...
Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities. This advisory is not covere...
Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001
The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service DOS. Sites that do not use the Comment module are not affected...
Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011
A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file...
SpamSpan filter - Moderately critical - Cross site scripting - SA-CONTRIB-2020-002
The SpamSpan module obfuscates email addresses to help prevent spambots from collecting them. This module contains a spamspan twig filter which doesn't sanitize the passed HTML string. This vulnerability is mitigated by the fact that sites must have custom twig template files that use the SpamSpa...
OSF for Drupal - Critical - Multiple vulnerabilities - SA-CONTRIB-2015-134
The Open Semantic Framework OSF for Drupal is a middleware layer that allows structured data RDF and associated vocabularies ontologies to "drive" tailored tools and data displays within Drupal. The module is vulnerable to reflected Cross Site Scripting XSS because it did not sufficiently filter...
SA-CONTRIB-2014-113 - Secure Password Hashes - Denial of Service
This module enables a more secure password storage for Drupal 6 by back-porting the code used in Drupal 7 core. A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive...
SA-2007-024 - Drupal Core - HTTP response splitting
In some circumstances Drupal allows user-supplied data to become part of response headers. As this user-supplied data is not always properly escaped, this can be exploited by malicious users to execute HTTP response splitting attacks which may lead to a variety of issues, among them cache...
Matomo Analytics - Moderately critical - Cross site request forgery - SA-CONTRIB-2025-008
This module enables you to add the Matomo web statistics tracking system to your website. The Matomo Analytics Tag Manager sub-module allows you to add one or more Matomo tag containers on your website. The module does not protect against Cross Site Request Forgeries on routes to enable or disabl...
Chaos Tool Suite (ctools) - Moderately critical - Access bypass - SA-CONTRIB-2021-015
Chaos tool suite ctools module provides a number of APIs and extensions for Drupal, its 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them. The module doesn't sufficiently handle block access control on its EntityView...
Ctools - Critical - Multiple Vulnerabilities - SA-CONTRIB-2015-141
Cross Site Scripting XSS Ctools in Drupal 6 provides a number of APIs and extensions for Drupal, and is a dependency for many of the most popular modules, including Views, Panels and Entityreference. Many features introduced in Drupal Core once lived in ctools. This vulnerability can be mitigated...
SA-CONTRIB-2012-147 - FileField Sources - Cross Site Scripting (XSS)
The Drupal FileField module lets you upload files from your computer through a CCK field. The FileField Sources module expands on this ability by allowing you to select new or existing files through additional means. The FileField Sources module contains a persistent cross site scripting XSS...
TacJS - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-016
This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied markup inside of content leading to a persistent Cross Site Scripting XSS vulnerability. More details are available in CVE-2023-3620. This vulnerability is...
SA-CONTRIB-2015-042 - Node basket - Multiple vulnerabilities - Unsupported
Node basket module enables you to pick up nodes in a basket. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user with permission to...
SA-CONTRIB-2015-032 - Node Invite - Multiple vulnerabilities
Node Invite module enables you to invite people to RSVP on node types that have been configured to represent events. The module doesn't sufficiently sanitize the titles of nodes in some listings, allowing a malicious user to inject code, thereby leading to a Cross Site Scripting XSS vulnerability...
SA-CONTRIB-2014-001 - Entity API - Access Bypass
The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. Comment, User and Node Statistics property access bypass CVE-2014-1398 The module's entity wrapper access API doesn't sufficiently protect comment, user and no...
SA-CONTRIB-2013-060 - Scald - Cross Site Scripting (XSS)
This module enables you to handle media assets atoms in Drupal with a Views-based library, drag and drop interface and manage content attribution/licensing/distribution. The module doesn't sufficiently filter atom properties such as the atom title when outputting atoms, thereby exposing a Cross...
SA-CONTRIB-2012-166 - Table of Contents - Access Bypass
This module enables you to generates a list of select header tags in a box that looks like a table of contents or summary. The links added to that box point to the headers so users can quickly access each section of your documents. The module doesn't sufficiently check for node access restriction...
Drupal core - Critical - Drupal core - Critical - Third-party libraries - SA-CORE-2021-004
The Drupal project uses the pear ArchiveTar library, which has released a security update that impacts Drupal. The vulnerability is mitigated by the fact that Drupal core's use of the ArchiveTar library is not vulnerable, as it does not permit symlinks. Exploitation may be possible if contrib or...
Drupal core - Moderately critical - Third-party library - SA-CORE-2020-001
The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations. Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site's users. An attacker that can create or edit...
Search API Autocomplete - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-140
This module enables you to add autocomplete suggestions for search forms created with the Search API module. The module doesn't sufficiently sanitize the HTML output for the returned suggestions, theoretically allowing an attacker to include custom HTML there. This vulnerability is mitigated by t...
SA-CONTRIB-2012-069 - Addressbook - Multiple vulnerabilities - Unsupported
This module contains a simple addressbook. The module has multiple issues including SQL Injection and Cross Site Request Forgery. For the SQL Injection issue - CVE: CVE-2012-2306 For the CSRF issue - CVE: CVE-2012-2307 Versions affected 6.x-4.2 and before Drupal core is not affected. If you do no...
Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002
Bulk operations allow authorized users to modify several nodes at once from the Content page /admin/content. A site builder can also add bulk operations to other pages using Views. A bug in the core Actions system allows some users to modify some fields using bulk actions that they do not have...
Advanced PWA inc Push Notifications - Critical - Access bypass - SA-CONTRIB-2024-017
Progressive web applications are web applications that load like regular web pages or websites but can offer the user functionality such as working offline, push notifications, and device hardware access traditionally available only to native applications. This module doesn't sufficiently protect...
File Entity (fieldable files) - Moderately critical - Cross Site Scripting, Access bypass - SA-CONTRIB-2024-001
File entity provides interfaces for managing files. It also extends the core file entity, allowing files to be fieldable, grouped into types, viewed using display modes and formatted using field formatters. The module previously did not sufficiently validate files under the scenario of a file...
Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003
The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages. The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content...
Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006
The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to...
COOKiES Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-092
This module allows you to manage video media items using the COOKiES module disabling external video elements. These elements will be enabled again, once the COOKiES banner is accepted. The module doesn't sufficiently check whether to convert "data-src" attributes to "src" when their value might...
Apache Solr Real-Time - Critical - Access Bypass - SA-CONTRIB-2015-119
This module allows content-changes to be committed to Apache Solr in real-time. The module doesn't check the status of an entity being indexed which means that unpublished content will get indexed by Solr and the title and partial content may be exposed to any user who has permission to search si...
SA-CONTRIB-2015-031 - GD Infinite Scroll - Multiple vulnerabilites
GD Infinite Scroll module enables you to use the "infinite scroll jQuery plugin : auto-pager" on custom pages. Some links were not protected against CSRF. A malicious user could cause another user with the "edit gd infinite scroll settings" permission to delete settings by getting his browser to...
SA-CONTRIB-2014-126 - Open Atrium - Multiple vulnerabilities
This distribution enables you to create an intranet. Several of the sub modules included do not prevent CSRF on several menu callbacks. Open Atrium Discussion also does not exit correctly after checking access on a several ajax callbacks, allowing anyone with "access content" to update and delete...