1940 matches found
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014
Open Social is a Drupal distribution for online communities, which ships with a default optional module sociallanguage to make your platform multilingual. Some site administration configuration does not correctly check access when trying to translate allowing unauthorised people to translate thes...
Open Social - Less critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-015
Open Social is a Drupal distribution for online communities, which ships with a default module to invite users to groups and events. Invites for a specific user can be seen under certain conditions. The issue is mitigated for events by the fact that socialeventmaxenroll has to be enabled...
AI (Artificial Intelligence) - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-003
The Drupal AI module provides a framework for easily integrating Artificial Intelligence on any Drupal site using any kind of AI from multiple vendors. The sub-modules AI Chatbot and AI Assistants API allow users to interact with the Drupal site via a 'chat' interface. The AI Chatbot module doesn...
Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071
This module allows a site builder to create multi-step entity forms leveraging the Field Group field type plugins. The module doesn't escape plain text administrative configurations. An attacker with admin access could inject arbitrary JavaScript code. This vulnerability is mitigated by the fact...
Minify JS - Moderately critical - Cross site request forgery - SA-CONTRIB-2024-070
The Minify JS module allows a site administrator to minify all javascript files that exist in the site's code base and use those minified files on the front end of the website. Several administrator routes are unprotected against Cross-Site Request Forgery CRSF attacks...
POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060
The module creates an endpoint on the site at /postfile/upload that accepts a POST request for uploading a single file into a specified file system public, private, etc. This module accepts any uploaded file extension, including dangerous file formats so it can be used to bypass the...
Tooltip - Moderately critical - Cross site scripting - SA-CONTRIB-2024-058
This module enables you to add any HTML content you want in a tooltip displayed on mouse hover. The module does not sufficiently escape the markup inserted in the tooltip block. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks"...
Cookiebot + GTM - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-055
This module makes it possible for you to integrate Cookiebot and Google Tag Manager in a fast and simple way. The module doesn't sufficiently filter for malicious script leading to a persistent cross site scripting XSS vulnerability...
Monster Menus - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-052
This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure. In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize function, which can result in arbitrary code execution...
Responsive and off-canvas menu - Moderately critical - Access bypass - SA-CONTRIB-2024-030
This module integrates the mmenu library with Drupal's menu system with the aim of having an off-canvas mobile menu and a horizontal menu at wider widths. The module doesn't respect custom node access restrictions implemented through hookENTITYTYPEaccess hooks meaning the titles of restricted nod...
View Password - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-026
The View Password module enables you to add a help icon button next to the password input field to toggle the password visibility. The administrative user is allowed to add classes to this icon for styling purposes. The module doesn't validate the content of classes. A malicious user with access ...
Gutenberg - Less critical - Denial of Service - SA-CONTRIB-2023-009
This module provides a new UI experience for node editing - Gutenberg editor. This vulnerability can cause DoS by using reusable blocks improperly. This vulnerability is mitigated by the fact an attacker must have "use gutenberg" permission to exploit it...
Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034
This module enables you to add URL fields to entity types with a variety of options. The module doesn't sufficiently filter output when token processing is disabled on an individual field. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create...
Prevent anonymous users to access Drupal pages - Critical - Unsupported - SA-CONTRIB-2022-005
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Media Entity Flickr - Critical - Unsupported - SA-CONTRIB-2022-017
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
The Better Mega Menu - Critical - Cross Site Request Forgery - SA-CONTRIB-2021-040
This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. The module does not use CSRF tokens to protect routes for saving menu configurations. This vulnerability can be exploited by an anonymous user...
Open Social - Critical - Authentication Bypass - SA-CONTRIB-2021-011
Open Social is a Drupal distribution for online communities. The included socialmagiclogin module doesn't sufficiently validate magic login URLs for user accounts. The lack of validation makes it possible for an adversary to forge valid login URLs and login to such an account. This vulnerability ...
Group - Critical - Information Disclosure - SA-CONTRIB-2020-030
This module enables you to hand out permissions on a smaller subset, section or community of your website. The module used to leverage the node grants system but turned it off in its recent 8.x-1.0 release in favor of a system that works for ALL entity types, not just nodes. By doing so, some...
Internationalization - Moderately critical - Cross site scripting - SA-CONTRIB-2020-025
The Internationalization i18n module is a collection of modules to extend Drupal core multilingual capabilities and allows to build real life multilingual sites. A value in the term translation module is displayed without being escaped leading to a Cross Site Scripting XSS vulnerability. This...
Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-014
This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently filter user input under in the scenario when a webform is edited, namely the message related to character min/max counter does not undergo sufficient filtering and thus allows execution of JavaScript cod...
JSON:API - Critical - Unsupported - SA-CONTRIB-2020-010
This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities. The security team and module maintainers are marking this project unsupported. Both the 8.x-1.x and 8.x-2.x versions are unsupported, and users of either version are...
Bugsnag - Critical - Unsupported - SA-CONTRIB-2019-081
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Ubercart - Moderately critical - Cross site scripting - SA-CONTRIB-2019-070
The Ubercart module provides a shopping cart and e-commerce features for Drupal. The order module doesn't sufficiently sanitize user input when displayed on an invoice leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a rol...
scroll to top - Moderately critical - Cross site scripting - SA-CONTRIB-2019-061
The Scroll To Top module enables you to have an animated scroll to top link in the bottom of the node. The module does not sufficiently filter configuration text leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with...
Path Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-027
This module enables you to configure breadcrumbs for any Drupal page. This module doesn't properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer...
Video - Critical - Remote Code Execution - SA-CONTRIB-2019-022
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
Font Awesome Icons - Critical - Remote Code Execution - SA-CONTRIB-2019-025
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
Salesforce Suite - Moderately critical - Access bypass - SA-CONTRIB-2018-078
This module enables Drupal to synchronize entities with Salesforce records. The module includes a page that does not sufficiently protect access rights, resulting in potential information disclosure. This vulnerability is mitigated by the fact that only Drupal entity title and IDs, and Salesforce...
Skype Status - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-076
This module enables you to obtain the status for a user's Skype account The module doesn't sufficiently sanitize the user input for their Skype ID. This vulnerability is mitigated by the fact that an attacker must have an account on the site and be allowed to edit/input their Skype ID. CVE...
Flag clear - Moderately Critical - CSRF - DRUPAL-SA-CONTRIB-2017-074
The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own. The module doesn't sufficiently confirm a user's intent to take unflagging actions. CVE...
Views - Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068
When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to...
ajax_facets - Unsupported - SA-CONTRIB-2017-061
Updates The maintainer has resolved this issue, please read the release notes for more information. This module allows you to create facet filters which working by AJAX. Filters and search results will be updated by AJAX. The security team is marking this module unsupported. There is a known...
html_title - Unsupported - SA-CONTRIB-2017-059
The HTML Title module allows a limited set of HTML markup em, sub, sup, b, i, strong, cite, code, bdi, wbr to be used in node titles. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like ...
DRD Agent - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-047
The Drupal Remote Dashboard DRD module enables you to manage and monitor any remote Drupal site and, this module, the DRD Agent is the remote module which responds to requests from authorised DRD sites. The module doesn't sufficiently protect the URL used to configure itself from CSRF attacks,...
Auto Login URL - Less Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-034
This module lets you create auto login URLs programmatically on demand and through tokens. The module does not provide sufficient protection when generating login URLs. An attacker could rebuild login URLs independently thereby logging in as another user. This vulnerability is mitigated by the fa...
Timezone Detect - Moderately Critical - Cross Site Request Forgery - SA-CONTRIB-2017-020
This module enables sites to automatically detect and set user timezones via JavaScript. The module does not sufficiently protect against Cross-Site Request Forgery CSRF: an attacker could use this vulnerability to manipulate a user's timezone setting. The security implication of this issue depen...
Views - Moderately Critical - Access Bypass - SA-CONTRIB-2017-022
The Views module allows site builders to create listings of various data in the Drupal database. The Views module fails to add the required query tags to listings of Taxonomy Terms, which could cause private data stored on Taxonomy Terms to be leaked to users without permision to view it. This is...
Menu Views - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-055
This module enables users to create menu items that render views instead of links. This is useful for creating "mega-menus". The module doesn't sufficiently filter title and breadcrumb fields for possible cross-site scripting. This vulnerability is mitigated by the fact that an attacker must have...
Google Analytics - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-042
This module enables you to add integration with Google Analytics statistics service. The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted. This vulnerability is...
Node Embed - Less critical - Denial of Service - SA-CONTRIB-2016-034
This module enables you to embed the contents of one node in the body field of another. The module doesn't sufficiently protect against a node being embedded in itself, or a loop being created of one node being embedded in another which is then itself embedded in the first node. This vulnerabilit...
Dropbox client - Multiple Vulnerabilities - SA-CONTRIB-2016-027
This module enables you to view dropbox files in your Drupal site. The module doesn't sufficiently sanitize filenames when displaying them to users or administrators leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must be able to...
Fieldable Panels Panes - Moderately Critical - XSS - SA-CONTRIB-2016-025
This module enables you to create fieldable entities that have special integration with Panels. The module doesn't sufficiently filter the entity title or admin title fields when they are displayed in either the Panels admin UI or the In-Place Editor IPE, allowing for specially crafted XSS attack...
Organic groups - Moderately Critical - Access bypass - DRUPAL-SA-CONTRIB-2016-023
This module enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate among themselves. Selective groups require approval in order to become a member, or even invitation-only groups. Under the certain fiel...
Scald File - Critical - Remote Code Execution - SA-CONTRIB-2016-015
When a PDF is uploaded in Scald File, various tools can be executed if they're installed on the server, to try to generate a thumbnail out of that PDF. This is mitigated by the need to have the sufficient permissions to upload a file in Scald, and also to have at least one of the thumbnail creati...
Open Atrium - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-174
Open Atrium distribution enables you to create an intranet. Open Atrium Core module doesn't sufficiently sanitize some user supplied text, leading to a reflected Cross Site Scripting vulnerability XSS. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordanc...
Twilio - Moderately Critical - Access bypass - SA-CONTRIB-2015-157
This module provides hooks and rules integration to leverage the Twilio API to send/receive phone calls and text messages. The module relies on existing permissions for providing administration which can lead to untrusted users having access to perform actions that may not be intended. This...
Linear Case - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-084
Linear Case module allows you to organize Closed Question documents in case studies. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user with...
SA-CONTRIB-2015-061 - Ubercart Webform Integration - Cross Site Scripting (XSS)
Ubercart Webform Integration module integrates Webform and Ubercart modules. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to...
SA-CONTRIB-2014-118 - Administer Users by Role - Access Bypass - Unsupported
This module enables site builders to set up fine-grained permissions for allowing users to edit and delete other users. The module doesn't sufficiently validate access permissions, enabling users who supposedly have limited permissions to grant themselves more permissions. This vulnerability is...
SA-CONTRIB-2014-103 - Passwordless - Cross Site Scripting (XSS)
This module replaces the regular Drupal login form with a modification of the password-request form, to give the possibility to log in without using a password. The module doesn't sufficiently sanitize user-generated text entered in the module's configuration form. This vulnerability is mitigated...