Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
•added 2021/11/17 12:0 a.m.•45 views

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-011

The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal, along with a hotfix for that update. Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can...

8.2CVSS6.1AI score0.0147EPSS
Exploits0References16
Drupal
Drupal
•added 2021/10/13 12:0 a.m.•45 views

Loft Data Grids - Moderately critical - XML External Entity (XXE) Processing - SA-CONTRIB-2021-043

This module enables aklump/loftdatagrids to be used as a Drupal module. Excel support was provided by https://packagist.org/packages/phpoffice/phpexcel, which is abandoned and there are known security vulnerabilities: CVE-2018-19277: PHPOffice/PhpSpreadsheet771. Excel support has since been...

8.8CVSS6.7AI score0.07791EPSS
Exploits4References9
Drupal
Drupal
•added 2023/07/12 12:0 a.m.•44 views

Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2023-030

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. The module doesn't sufficiently ensure all core login routes, including the password reset page, require a second factor credential. This vulnerability is mitigated ...

7AI score
Exploits0References15
Drupal
Drupal
•added 2020/09/16 12:0 a.m.•44 views

Drupal core - Moderately critical - Access bypass - SA-CORE-2020-008

The experimental Workspaces module allows you to create multiple workspaces on your site in which draft content can be edited before being published to the live workspace. The Workspaces module doesn't sufficiently check access permissions when switching workspaces, leading to an access bypass...

5.3CVSS2.1AI score0.00928EPSS
Exploits0References7
Drupal
Drupal
•added 2017/02/01 12:0 a.m.•44 views

Better Exposed Filters - Less Critical - Cross Site Sscripting (XSS) - SA-CONTRIB-2017-009

The Better Exposed Filters module gives site builders more choices for rendering Views' exposed form elements. The module does not sufficiently sanitize taxonomy term descriptions when the "Include the term description" option is selected. This vulnerability is mitigated by the fact that an...

6.9AI score
Exploits0References12
Drupal
Drupal
•added 2025/08/13 12:0 a.m.•43 views

Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096

This module enables users to setup two-factor authentication 2FA using authenticator apps for enhanced login security. The module alters the standard Drupal login form to use AJAX callbacks for handling authentication flow. The module doesn't sufficiently validate authentication under specific...

9.8CVSS7.1AI score0.00492EPSS
Exploits0References2
Drupal
Drupal
•added 2025/04/23 12:0 a.m.•43 views

Search API Solr - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-046

This module provides support for creating searches using the Apache Solr search engine and the Search API Drupal module. The module doesn't sufficiently protect certain routes from CSRF attacks. This vulnerability is mitigated by the fact that a site admin would have to perform further steps afte...

4.3CVSS6.8AI score0.00128EPSS
Exploits0References2
Drupal
Drupal
•added 2022/03/21 12:0 a.m.•43 views

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites. We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has...

7.5CVSS0.3AI score0.02384EPSS
Exploits0References13
Drupal
Drupal
•added 2020/06/17 12:0 a.m.•43 views

Drupal core - Less critical - Access bypass - SA-CORE-2020-006

JSON:API PATCH requests may bypass validation for certain fields. By default, JSON:API works in a read-only mode which makes it impossible to exploit the vulnerability. Only sites that have the readonly set to FALSE under jsonapi.settings config are vulnerable...

9.8CVSS2.1AI score0.01275EPSS
Exploits0References5
Drupal
Drupal
•added 2022/06/10 12:0 a.m.•42 views

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011

Updated 22:00 UTC 2022-06-10: Added steps to update without drupal/core-recommended. Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories: Failure to strip the Cookie header on change in host or HTTP...

0.1AI score
Exploits0References20
Drupal
Drupal
•added 2022/04/20 12:0 a.m.•42 views

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter...

7.5CVSS3.8AI score0.00568EPSS
Exploits0References8
Drupal
Drupal
•added 2021/09/15 12:0 a.m.•42 views

Drupal core - Moderately critical - Access Bypass - SA-CORE-2021-010

Under some circumstances, the Drupal core JSON:API module does not properly restrict access to certain content, which may result in unintended access bypass. Sites that do not have the JSON:API module enabled are not affected. This advisory is not covered by Drupal Steward...

7.5CVSS2.7AI score0.01053EPSS
Exploits0References9
Drupal
Drupal
•added 2020/05/20 12:0 a.m.•41 views

Drupal core - Moderately critical - Open Redirect - SA-CORE-2020-003

Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. The vulnerability is caused by insufficient validation of the destination query parameter in the drupalgoto function...

6.1CVSS4.4AI score0.00864EPSS
Exploits0References6
Drupal
Drupal
•added 2022/04/20 12:0 a.m.•40 views

Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual...

5.4CVSS2.8AI score0.00423EPSS
Exploits0References10
Drupal
Drupal
•added 2023/10/04 12:0 a.m.•39 views

Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2023-048

This module enables users to log in by email address with minimal configurations. Drupal core contains protection against brute force attacks via a flood control mechanism. This module's functionality did not replicate the flood control, enabling brute force attacks. A previous security advisory,...

6.7AI score
Exploits0References12
Drupal
Drupal
•added 2022/07/20 12:0 a.m.•39 views

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However,...

7.5CVSS0.8AI score0.00667EPSS
Exploits0References19
Drupal
Drupal
•added 2025/05/07 12:0 a.m.•38 views

oEmbed Providers - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-048

This module extends the core Media module and allows site creators to permit oEmbed providers in addition to YouTube and Vimeo, which are deemed trustworthy by the Drupal Security Team. The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility for...

6.1CVSS5.8AI score0.00195EPSS
Exploits0References2
Drupal
Drupal
•added 2022/01/25 12:0 a.m.•38 views

Admin Toolbar Search - Critical - Unsupported - SA-CONTRIB-2022-008

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
•added 2021/09/15 12:0 a.m.•38 views

Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-007

The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module which comes with the Standard profile is installed. Removing the...

6.5CVSS3AI score0.00456EPSS
Exploits0References16
Drupal
Drupal
•added 2024/05/29 12:0 a.m.•37 views

Drupal REST & JSON API Authentication - Moderately critical - Access bypass - SA-CONTRIB-2024-022

Drupal REST & JSON API Authentication module restricts and secures unauthorized access to your Drupal site APIs using different authentication methods including Basic Authentication , API Key Authentication , JWT Authentication , OAuth Authentication , External / Third-Party Provider...

9.8CVSS7.3AI score0.00629EPSS
Exploits0References9
Drupal
Drupal
•added 2022/07/20 12:0 a.m.•37 views

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities. This advisory is not covere...

6.1CVSS3.3AI score0.00526EPSS
Exploits0References16
Drupal
Drupal
•added 2024/01/17 12:0 a.m.•36 views

Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001

The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service DOS. Sites that do not use the Comment module are not affected...

7.5CVSS6.9AI score0.00457EPSS
Exploits0References12
Drupal
Drupal
•added 2020/09/16 12:0 a.m.•36 views

Drupal core - Moderately critical - Information disclosure - SA-CORE-2020-011

A vulnerability exists in the File module which allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file...

7.5CVSS3.6AI score0.01106EPSS
Exploits0References16
Drupal
Drupal
•added 2020/01/22 12:0 a.m.•36 views

SpamSpan filter - Moderately critical - Cross site scripting - SA-CONTRIB-2020-002

The SpamSpan module obfuscates email addresses to help prevent spambots from collecting them. This module contains a spamspan twig filter which doesn't sanitize the passed HTML string. This vulnerability is mitigated by the fact that sites must have custom twig template files that use the SpamSpa...

6.4AI score
Exploits0References6Affected Software1
Drupal
Drupal
•added 2015/07/22 12:0 a.m.•36 views

OSF for Drupal - Critical - Multiple vulnerabilities - SA-CONTRIB-2015-134

The Open Semantic Framework OSF for Drupal is a middleware layer that allows structured data RDF and associated vocabularies ontologies to "drive" tailored tools and data displays within Drupal. The module is vulnerable to reflected Cross Site Scripting XSS because it did not sufficiently filter...

5.1CVSS5.5AI score0.02003EPSS
Exploits0References9
Drupal
Drupal
•added 2014/11/19 12:0 a.m.•36 views

SA-CONTRIB-2014-113 - Secure Password Hashes - Denial of Service

This module enables a more secure password storage for Drupal 6 by back-porting the code used in Drupal 7 core. A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive...

5CVSS6.4AI score0.82234EPSS
Exploits3References13
Drupal
Drupal
•added 2007/10/17 12:0 a.m.•36 views

SA-2007-024 - Drupal Core - HTTP response splitting

In some circumstances Drupal allows user-supplied data to become part of response headers. As this user-supplied data is not always properly escaped, this can be exploited by malicious users to execute HTTP response splitting attacks which may lead to a variety of issues, among them cache...

7.7AI score
Exploits0References5
Drupal
Drupal
•added 2025/01/29 12:0 a.m.•35 views

Matomo Analytics - Moderately critical - Cross site request forgery - SA-CONTRIB-2025-008

This module enables you to add the Matomo web statistics tracking system to your website. The Matomo Analytics Tag Manager sub-module allows you to add one or more Matomo tag containers on your website. The module does not protect against Cross Site Request Forgeries on routes to enable or disabl...

6.8CVSS6.9AI score0.00167EPSS
Exploits0References4
Drupal
Drupal
•added 2021/06/16 12:0 a.m.•35 views

Chaos Tool Suite (ctools) - Moderately critical - Access bypass - SA-CONTRIB-2021-015

Chaos tool suite ctools module provides a number of APIs and extensions for Drupal, its 8.x-3.x branch is a start from scratch to evaluate the features of ctools that didn't make it into Drupal Core 8.0.x and port them. The module doesn't sufficiently handle block access control on its EntityView...

6.5AI score
Exploits0References7
Drupal
Drupal
•added 2015/08/19 12:0 a.m.•35 views

Ctools - Critical - Multiple Vulnerabilities - SA-CONTRIB-2015-141

Cross Site Scripting XSS Ctools in Drupal 6 provides a number of APIs and extensions for Drupal, and is a dependency for many of the most popular modules, including Views, Panels and Entityreference. Many features introduced in Drupal Core once lived in ctools. This vulnerability can be mitigated...

7.5CVSS7.3AI score0.02689EPSS
Exploits0References18
Drupal
Drupal
•added 2012/09/19 12:0 a.m.•35 views

SA-CONTRIB-2012-147 - FileField Sources - Cross Site Scripting (XSS)

The Drupal FileField module lets you upload files from your computer through a CCK field. The FileField Sources module expands on this ability by allowing you to select new or existing files through additional means. The FileField Sources module contains a persistent cross site scripting XSS...

2.1CVSS5.5AI score0.00941EPSS
Exploits0References9
Drupal
Drupal
•added 2024/03/27 12:0 a.m.•34 views

TacJS - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-016

This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied markup inside of content leading to a persistent Cross Site Scripting XSS vulnerability. More details are available in CVE-2023-3620. This vulnerability is...

5.4CVSS5.8AI score0.00542EPSS
Exploits1References6
Drupal
Drupal
•added 2015/02/11 12:0 a.m.•34 views

SA-CONTRIB-2015-042 - Node basket - Multiple vulnerabilities - Unsupported

Node basket module enables you to pick up nodes in a basket. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user with permission to...

5.8CVSS5.5AI score0.01191EPSS
Exploits0References8
Drupal
Drupal
•added 2015/01/28 12:0 a.m.•34 views

SA-CONTRIB-2015-032 - Node Invite - Multiple vulnerabilities

Node Invite module enables you to invite people to RSVP on node types that have been configured to represent events. The module doesn't sufficiently sanitize the titles of nodes in some listings, allowing a malicious user to inject code, thereby leading to a Cross Site Scripting XSS vulnerability...

6.8CVSS5.5AI score0.01204EPSS
Exploits0References9
Drupal
Drupal
•added 2014/01/08 12:0 a.m.•34 views

SA-CONTRIB-2014-001 - Entity API - Access Bypass

The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. Comment, User and Node Statistics property access bypass CVE-2014-1398 The module's entity wrapper access API doesn't sufficiently protect comment, user and no...

6.5CVSS6.3AI score0.0149EPSS
Exploits0References14
Drupal
Drupal
•added 2013/07/24 12:0 a.m.•34 views

SA-CONTRIB-2013-060 - Scald - Cross Site Scripting (XSS)

This module enables you to handle media assets atoms in Drupal with a Views-based library, drag and drop interface and manage content attribution/licensing/distribution. The module doesn't sufficiently filter atom properties such as the atom title when outputting atoms, thereby exposing a Cross...

4.3CVSS5.6AI score0.01425EPSS
Exploits1References9
Drupal
Drupal
•added 2012/11/14 12:0 a.m.•34 views

SA-CONTRIB-2012-166 - Table of Contents - Access Bypass

This module enables you to generates a list of select header tags in a box that looks like a table of contents or summary. The links added to that box point to the headers so users can quickly access each section of your documents. The module doesn't sufficiently check for node access restriction...

4.3CVSS6.3AI score0.01191EPSS
Exploits0References9
Drupal
Drupal
•added 2021/07/21 12:0 a.m.•34 views

Drupal core - Critical - Drupal core - Critical - Third-party libraries - SA-CORE-2021-004

The Drupal project uses the pear ArchiveTar library, which has released a security update that impacts Drupal. The vulnerability is mitigated by the fact that Drupal core's use of the ArchiveTar library is not vulnerable, as it does not permit symlinks. Exploitation may be possible if contrib or...

7.1CVSS1.9AI score0.73377EPSS
Exploits0References10
Drupal
Drupal
•added 2020/03/18 12:0 a.m.•33 views

Drupal core - Moderately critical - Third-party library - SA-CORE-2020-001

The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations. Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site's users. An attacker that can create or edit...

5.9AI score
Exploits0References3
Drupal
Drupal
•added 2015/08/19 12:0 a.m.•33 views

Search API Autocomplete - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-140

This module enables you to add autocomplete suggestions for search forms created with the Search API module. The module doesn't sufficiently sanitize the HTML output for the returned suggestions, theoretically allowing an attacker to include custom HTML there. This vulnerability is mitigated by t...

2.1CVSS6.2AI score0.00744EPSS
Exploits0References10
Drupal
Drupal
•added 2012/05/02 12:0 a.m.•33 views

SA-CONTRIB-2012-069 - Addressbook - Multiple vulnerabilities - Unsupported

This module contains a simple addressbook. The module has multiple issues including SQL Injection and Cross Site Request Forgery. For the SQL Injection issue - CVE: CVE-2012-2306 For the CSRF issue - CVE: CVE-2012-2307 Versions affected 6.x-4.2 and before Drupal core is not affected. If you do no...

7.5CVSS7.5AI score0.0121EPSS
Exploits0References7
Drupal
Drupal
•added 2025/02/19 12:0 a.m.•32 views

Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002

Bulk operations allow authorized users to modify several nodes at once from the Content page /admin/content. A site builder can also add bulk operations to other pages using Views. A bug in the core Actions system allows some users to modify some fields using bulk actions that they do not have...

4.6CVSS6.8AI score0.00293EPSS
Exploits0References7
Drupal
Drupal
•added 2024/04/24 12:0 a.m.•32 views

Advanced PWA inc Push Notifications - Critical - Access bypass - SA-CONTRIB-2024-017

Progressive web applications are web applications that load like regular web pages or websites but can offer the user functionality such as working offline, push notifications, and device hardware access traditionally available only to native applications. This module doesn't sufficiently protect...

9.1CVSS6.7AI score0.00363EPSS
Exploits0References9
Drupal
Drupal
•added 2024/01/10 12:0 a.m.•32 views

File Entity (fieldable files) - Moderately critical - Cross Site Scripting, Access bypass - SA-CONTRIB-2024-001

File entity provides interfaces for managing files. It also extends the core file entity, allowing files to be fieldable, grouped into types, viewed using display modes and formatted using field formatters. The module previously did not sufficiently validate files under the scenario of a file...

5.4CVSS7AI score0.00232EPSS
Exploits0References7
Drupal
Drupal
•added 2023/03/15 12:0 a.m.•32 views

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003

The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages. The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content...

1.2AI score
Exploits0References13
Drupal
Drupal
•added 2021/09/15 12:0 a.m.•32 views

Drupal core - Moderately critical - Cross Site Request Forgery - SA-CORE-2021-006

The Drupal core Media module allows embedding internal and external media in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed media. In some cases, this could lead to...

6.1CVSS0.8AI score0.00259EPSS
Exploits0References15
Drupal
Drupal
•added 2025/07/23 12:0 a.m.•31 views

COOKiES Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-092

This module allows you to manage video media items using the COOKiES module disabling external video elements. These elements will be enabled again, once the COOKiES banner is accepted. The module doesn't sufficiently check whether to convert "data-src" attributes to "src" when their value might...

7.6CVSS6.8AI score0.00274EPSS
Exploits0References2
Drupal
Drupal
•added 2015/06/17 12:0 a.m.•31 views

Apache Solr Real-Time - Critical - Access Bypass - SA-CONTRIB-2015-119

This module allows content-changes to be committed to Apache Solr in real-time. The module doesn't check the status of an entity being indexed which means that unpublished content will get indexed by Solr and the title and partial content may be exposed to any user who has permission to search si...

5CVSS6.1AI score0.01396EPSS
Exploits0References11
Drupal
Drupal
•added 2015/01/28 12:0 a.m.•31 views

SA-CONTRIB-2015-031 - GD Infinite Scroll - Multiple vulnerabilites

GD Infinite Scroll module enables you to use the "infinite scroll jQuery plugin : auto-pager" on custom pages. Some links were not protected against CSRF. A malicious user could cause another user with the "edit gd infinite scroll settings" permission to delete settings by getting his browser to...

6.8CVSS5.5AI score0.01148EPSS
Exploits0References10
Drupal
Drupal
•added 2014/12/17 12:0 a.m.•31 views

SA-CONTRIB-2014-126 - Open Atrium - Multiple vulnerabilities

This distribution enables you to create an intranet. Several of the sub modules included do not prevent CSRF on several menu callbacks. Open Atrium Discussion also does not exit correctly after checking access on a several ajax callbacks, allowing anyone with "access content" to update and delete...

8.8CVSS7.2AI score0.01612EPSS
Exploits0References12
Total number of security vulnerabilities1940