Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2025/02/12 12:0 a.m.12 views

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014

Open Social is a Drupal distribution for online communities, which ships with a default optional module sociallanguage to make your platform multilingual. Some site administration configuration does not correctly check access when trying to translate allowing unauthorised people to translate thes...

9.1CVSS6.8AI score0.00363EPSS
Exploits0References3
Drupal
Drupal
added 2025/02/12 12:0 a.m.12 views

Open Social - Less critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-015

Open Social is a Drupal distribution for online communities, which ships with a default module to invite users to groups and events. Invites for a specific user can be seen under certain conditions. The issue is mitigated for events by the fact that socialeventmaxenroll has to be enabled...

8.1CVSS7AI score0.00382EPSS
Exploits0References3
Drupal
Drupal
added 2025/01/15 12:0 a.m.12 views

AI (Artificial Intelligence) - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-003

The Drupal AI module provides a framework for easily integrating Artificial Intelligence on any Drupal site using any kind of AI from multiple vendors. The sub-modules AI Chatbot and AI Assistants API allow users to interact with the Drupal site via a 'chat' interface. The AI Chatbot module doesn...

8.8CVSS6.6AI score0.0021EPSS
Exploits0References8
Drupal
Drupal
added 2024/12/04 12:0 a.m.12 views

Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071

This module allows a site builder to create multi-step entity forms leveraging the Field Group field type plugins. The module doesn't escape plain text administrative configurations. An attacker with admin access could inject arbitrary JavaScript code. This vulnerability is mitigated by the fact...

4.8CVSS6.8AI score0.00232EPSS
Exploits0References5
Drupal
Drupal
added 2024/12/04 12:0 a.m.12 views

Minify JS - Moderately critical - Cross site request forgery - SA-CONTRIB-2024-070

The Minify JS module allows a site administrator to minify all javascript files that exist in the site's code base and use those minified files on the front end of the website. Several administrator routes are unprotected against Cross-Site Request Forgery CRSF attacks...

4.5CVSS7.1AI score0.0017EPSS
Exploits0References4
Drupal
Drupal
added 2024/11/13 12:0 a.m.12 views

POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060

The module creates an endpoint on the site at /postfile/upload that accepts a POST request for uploading a single file into a specified file system public, private, etc. This module accepts any uploaded file extension, including dangerous file formats so it can be used to bypass the...

5.4CVSS6.9AI score0.00227EPSS
Exploits0References6
Drupal
Drupal
added 2024/11/06 12:0 a.m.12 views

Tooltip - Moderately critical - Cross site scripting - SA-CONTRIB-2024-058

This module enables you to add any HTML content you want in a tooltip displayed on mouse hover. The module does not sufficiently escape the markup inserted in the tooltip block. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks"...

4.8CVSS6.8AI score0.00232EPSS
Exploits0References7
Drupal
Drupal
added 2024/10/30 12:0 a.m.12 views

Cookiebot + GTM - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-055

This module makes it possible for you to integrate Cookiebot and Google Tag Manager in a fast and simple way. The module doesn't sufficiently filter for malicious script leading to a persistent cross site scripting XSS vulnerability...

5.4CVSS5.9AI score0.00276EPSS
Exploits0References7
Drupal
Drupal
added 2024/10/23 12:0 a.m.12 views

Monster Menus - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-052

This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure. In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize function, which can result in arbitrary code execution...

4.3CVSS7.5AI score0.00339EPSS
Exploits0References7
Drupal
Drupal
added 2024/08/21 12:0 a.m.12 views

Responsive and off-canvas menu - Moderately critical - Access bypass - SA-CONTRIB-2024-030

This module integrates the mmenu library with Drupal's menu system with the aim of having an off-canvas mobile menu and a horizontal menu at wider widths. The module doesn't respect custom node access restrictions implemented through hookENTITYTYPEaccess hooks meaning the titles of restricted nod...

5.3CVSS7AI score0.0034EPSS
Exploits0References7
Drupal
Drupal
added 2024/07/31 12:0 a.m.12 views

View Password - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-026

The View Password module enables you to add a help icon button next to the password input field to toggle the password visibility. The administrative user is allowed to add classes to this icon for styling purposes. The module doesn't validate the content of classes. A malicious user with access ...

4.8CVSS7.2AI score0.00266EPSS
Exploits0References6
Drupal
Drupal
added 2023/03/08 12:0 a.m.12 views

Gutenberg - Less critical - Denial of Service - SA-CONTRIB-2023-009

This module provides a new UI experience for node editing - Gutenberg editor. This vulnerability can cause DoS by using reusable blocks improperly. This vulnerability is mitigated by the fact an attacker must have "use gutenberg" permission to exploit it...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2022/05/04 12:0 a.m.12 views

Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034

This module enables you to add URL fields to entity types with a variety of options. The module doesn't sufficiently filter output when token processing is disabled on an individual field. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create...

6.4AI score
Exploits0References5
Drupal
Drupal
added 2022/01/25 12:0 a.m.12 views

Prevent anonymous users to access Drupal pages - Critical - Unsupported - SA-CONTRIB-2022-005

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2022/01/25 12:0 a.m.12 views

Media Entity Flickr - Critical - Unsupported - SA-CONTRIB-2022-017

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2021/09/22 12:0 a.m.12 views

The Better Mega Menu - Critical - Cross Site Request Forgery - SA-CONTRIB-2021-040

This module provides an admin interface for creating drop down menus that combine Drupal menu items with rich media content. The module does not use CSRF tokens to protect routes for saving menu configurations. This vulnerability can be exploited by an anonymous user...

6.7AI score
Exploits0References5
Drupal
Drupal
added 2021/06/02 12:0 a.m.12 views

Open Social - Critical - Authentication Bypass - SA-CONTRIB-2021-011

Open Social is a Drupal distribution for online communities. The included socialmagiclogin module doesn't sufficiently validate magic login URLs for user accounts. The lack of validation makes it possible for an adversary to forge valid login URLs and login to such an account. This vulnerability ...

6.6AI score
Exploits0References7
Drupal
Drupal
added 2020/07/29 12:0 a.m.12 views

Group - Critical - Information Disclosure - SA-CONTRIB-2020-030

This module enables you to hand out permissions on a smaller subset, section or community of your website. The module used to leverage the node grants system but turned it off in its recent 8.x-1.0 release in favor of a system that works for ALL entity types, not just nodes. By doing so, some...

6.3AI score
Exploits0References4Affected Software1
Drupal
Drupal
added 2020/06/17 12:0 a.m.12 views

Internationalization - Moderately critical - Cross site scripting - SA-CONTRIB-2020-025

The Internationalization i18n module is a collection of modules to extend Drupal core multilingual capabilities and allows to build real life multilingual sites. A value in the term translation module is displayed without being escaped leading to a Cross Site Scripting XSS vulnerability. This...

5.9AI score
Exploits0References6
Drupal
Drupal
added 2020/05/06 12:0 a.m.12 views

Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-014

This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently filter user input under in the scenario when a webform is edited, namely the message related to character min/max counter does not undergo sufficient filtering and thus allows execution of JavaScript cod...

6.6AI score
Exploits0References8
Drupal
Drupal
added 2020/04/15 12:0 a.m.12 views

JSON:API - Critical - Unsupported - SA-CONTRIB-2020-010

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities. The security team and module maintainers are marking this project unsupported. Both the 8.x-1.x and 8.x-2.x versions are unsupported, and users of either version are...

5.6AI score
Exploits0References9
Drupal
Drupal
added 2019/11/13 12:0 a.m.12 views

Bugsnag - Critical - Unsupported - SA-CONTRIB-2019-081

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2019/10/02 12:0 a.m.12 views

Ubercart - Moderately critical - Cross site scripting - SA-CONTRIB-2019-070

The Ubercart module provides a shopping cart and e-commerce features for Drupal. The order module doesn't sufficiently sanitize user input when displayed on an invoice leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a rol...

5.9AI score
Exploits0References6
Drupal
Drupal
added 2019/08/14 12:0 a.m.12 views

scroll to top - Moderately critical - Cross site scripting - SA-CONTRIB-2019-061

The Scroll To Top module enables you to have an animated scroll to top link in the bottom of the node. The module does not sufficiently filter configuration text leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with...

5.9AI score
Exploits0References8
Drupal
Drupal
added 2019/02/27 12:0 a.m.12 views

Path Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-027

This module enables you to configure breadcrumbs for any Drupal page. This module doesn't properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer...

5.8AI score
Exploits0References6
Drupal
Drupal
added 2019/02/20 12:0 a.m.12 views

Video - Critical - Remote Code Execution - SA-CONTRIB-2019-022

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...

6.7AI score
Exploits0References3
Drupal
Drupal
added 2019/02/20 12:0 a.m.12 views

Font Awesome Icons - Critical - Remote Code Execution - SA-CONTRIB-2019-025

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...

6.7AI score
Exploits0References3
Drupal
Drupal
added 2018/12/05 12:0 a.m.12 views

Salesforce Suite - Moderately critical - Access bypass - SA-CONTRIB-2018-078

This module enables Drupal to synchronize entities with Salesforce records. The module includes a page that does not sufficiently protect access rights, resulting in potential information disclosure. This vulnerability is mitigated by the fact that only Drupal entity title and IDs, and Salesforce...

6.1AI score
Exploits0References6
Drupal
Drupal
added 2017/09/20 12:0 a.m.12 views

Skype Status - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-076

This module enables you to obtain the status for a user's Skype account The module doesn't sufficiently sanitize the user input for their Skype ID. This vulnerability is mitigated by the fact that an attacker must have an account on the site and be allowed to edit/input their Skype ID. CVE...

6.8AI score
Exploits0References11
Drupal
Drupal
added 2017/09/13 12:0 a.m.12 views

Flag clear - Moderately Critical - CSRF - DRUPAL-SA-CONTRIB-2017-074

The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own. The module doesn't sufficiently confirm a user's intent to take unflagging actions. CVE...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2017/08/16 12:0 a.m.12 views

Views - Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068

When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to...

7AI score
Exploits0References16
Drupal
Drupal
added 2017/08/02 12:0 a.m.12 views

ajax_facets - Unsupported - SA-CONTRIB-2017-061

Updates The maintainer has resolved this issue, please read the release notes for more information. This module allows you to create facet filters which working by AJAX. Filters and search results will be updated by AJAX. The security team is marking this module unsupported. There is a known...

7.1AI score
Exploits0References9
Drupal
Drupal
added 2017/08/02 12:0 a.m.12 views

html_title - Unsupported - SA-CONTRIB-2017-059

The HTML Title module allows a limited set of HTML markup em, sub, sup, b, i, strong, cite, code, bdi, wbr to be used in node titles. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like ...

7AI score
Exploits0References7
Drupal
Drupal
added 2017/05/10 12:0 a.m.12 views

DRD Agent - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-047

The Drupal Remote Dashboard DRD module enables you to manage and monitor any remote Drupal site and, this module, the DRD Agent is the remote module which responds to requests from authorised DRD sites. The module doesn't sufficiently protect the URL used to configure itself from CSRF attacks,...

7.2AI score
Exploits0References10
Drupal
Drupal
added 2017/04/05 12:0 a.m.12 views

Auto Login URL - Less Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-034

This module lets you create auto login URLs programmatically on demand and through tokens. The module does not provide sufficient protection when generating login URLs. An attacker could rebuild login URLs independently thereby logging in as another user. This vulnerability is mitigated by the fa...

6.9AI score
Exploits0References12
Drupal
Drupal
added 2017/02/22 12:0 a.m.12 views

Timezone Detect - Moderately Critical - Cross Site Request Forgery - SA-CONTRIB-2017-020

This module enables sites to automatically detect and set user timezones via JavaScript. The module does not sufficiently protect against Cross-Site Request Forgery CSRF: an attacker could use this vulnerability to manipulate a user's timezone setting. The security implication of this issue depen...

7AI score
Exploits0References11
Drupal
Drupal
added 2017/02/22 12:0 a.m.12 views

Views - Moderately Critical - Access Bypass - SA-CONTRIB-2017-022

The Views module allows site builders to create listings of various data in the Drupal database. The Views module fails to add the required query tags to listings of Taxonomy Terms, which could cause private data stored on Taxonomy Terms to be leaked to users without permision to view it. This is...

6.6AI score
Exploits0References12
Drupal
Drupal
added 2016/11/02 12:0 a.m.12 views

Menu Views - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-055

This module enables users to create menu items that render views instead of links. This is useful for creating "mega-menus". The module doesn't sufficiently filter title and breadcrumb fields for possible cross-site scripting. This vulnerability is mitigated by the fact that an attacker must have...

6.9AI score
Exploits0References10
Drupal
Drupal
added 2016/08/10 12:0 a.m.12 views

Google Analytics - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-042

This module enables you to add integration with Google Analytics statistics service. The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted. This vulnerability is...

7AI score
Exploits0References13
Drupal
Drupal
added 2016/06/08 12:0 a.m.12 views

Node Embed - Less critical - Denial of Service - SA-CONTRIB-2016-034

This module enables you to embed the contents of one node in the body field of another. The module doesn't sufficiently protect against a node being embedded in itself, or a loop being created of one node being embedded in another which is then itself embedded in the first node. This vulnerabilit...

6.9AI score
Exploits0References10
Drupal
Drupal
added 2016/05/18 12:0 a.m.12 views

Dropbox client - Multiple Vulnerabilities - SA-CONTRIB-2016-027

This module enables you to view dropbox files in your Drupal site. The module doesn't sufficiently sanitize filenames when displaying them to users or administrators leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must be able to...

5.2AI score
Exploits0References11
Drupal
Drupal
added 2016/05/04 12:0 a.m.12 views

Fieldable Panels Panes - Moderately Critical - XSS - SA-CONTRIB-2016-025

This module enables you to create fieldable entities that have special integration with Panels. The module doesn't sufficiently filter the entity title or admin title fields when they are displayed in either the Panels admin UI or the In-Place Editor IPE, allowing for specially crafted XSS attack...

6.1AI score
Exploits0References12
Drupal
Drupal
added 2016/04/20 12:0 a.m.12 views

Organic groups - Moderately Critical - Access bypass - DRUPAL-SA-CONTRIB-2016-023

This module enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate among themselves. Selective groups require approval in order to become a member, or even invitation-only groups. Under the certain fiel...

7AI score
Exploits0References12
Drupal
Drupal
added 2016/03/09 12:0 a.m.12 views

Scald File - Critical - Remote Code Execution - SA-CONTRIB-2016-015

When a PDF is uploaded in Scald File, various tools can be executed if they're installed on the server, to try to generate a thumbnail out of that PDF. This is mitigated by the need to have the sufficient permissions to upload a file in Scald, and also to have at least one of the thumbnail creati...

7.2AI score
Exploits0References10
Drupal
Drupal
added 2015/12/16 12:0 a.m.12 views

Open Atrium - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-174

Open Atrium distribution enables you to create an intranet. Open Atrium Core module doesn't sufficiently sanitize some user supplied text, leading to a reflected Cross Site Scripting vulnerability XSS. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordanc...

6.7AI score
Exploits0References16
Drupal
Drupal
added 2015/10/14 12:0 a.m.12 views

Twilio - Moderately Critical - Access bypass - SA-CONTRIB-2015-157

This module provides hooks and rules integration to leverage the Twilio API to send/receive phone calls and text messages. The module relies on existing permissions for providing administration which can lead to untrusted users having access to perform actions that may not be intended. This...

6.9AI score
Exploits0References13
Drupal
Drupal
added 2015/03/25 12:0 a.m.12 views

Linear Case - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-084

Linear Case module allows you to organize Closed Question documents in case studies. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user with...

3.5CVSS6AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/25 12:0 a.m.12 views

SA-CONTRIB-2015-061 - Ubercart Webform Integration - Cross Site Scripting (XSS)

Ubercart Webform Integration module integrates Webform and Ubercart modules. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to...

6.6AI score
Exploits0References10
Drupal
Drupal
added 2014/12/10 12:0 a.m.13 views

SA-CONTRIB-2014-118 - Administer Users by Role - Access Bypass - Unsupported

This module enables site builders to set up fine-grained permissions for allowing users to edit and delete other users. The module doesn't sufficiently validate access permissions, enabling users who supposedly have limited permissions to grant themselves more permissions. This vulnerability is...

6.8AI score
Exploits0References10
Drupal
Drupal
added 2014/10/29 12:0 a.m.12 views

SA-CONTRIB-2014-103 - Passwordless - Cross Site Scripting (XSS)

This module replaces the regular Drupal login form with a modification of the password-request form, to give the possibility to log in without using a password. The module doesn't sufficiently sanitize user-generated text entered in the module's configuration form. This vulnerability is mitigated...

7AI score
Exploits0References10
Total number of security vulnerabilities1940