Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2013/01/23 12:0 a.m.12 views

SA-CONTRIB-2013-008 - CurvyCorners - Cross Site Scripting (XSS) - module unsupported

The CurvyCorners module enables you to create rounded corners on HTML block elements. The module doesn't sufficiently filter user entered text when being displayed. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer curvycorners". CVE...

2.1CVSS6.2AI score0.02003EPSS
Exploits0References8
Drupal
Drupal
added 2012/09/12 12:0 a.m.12 views

SA-CONTRIB-2012-139 - PDFThumb OS Injection

PDFThumb module creates thumbnail images of PDF files. The module doesn't sufficiently escape user-entered values when executing commands on the server allowing an attacker to execute whatever commands are available to the web server user e.g. www-data. This vulnerability is mitigated by the fact...

7.5AI score
Exploits0References10
Drupal
Drupal
added 2012/08/29 12:0 a.m.12 views

SA-CONTRIB-2012-132 - Announcements - Access Bypass

The Announcements module creates an "announcement" content type and provides both node views and block lists. The module doesn't sufficiently check node access under certain conditions. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access...

7AI score
Exploits0References9
Drupal
Drupal
added 2012/07/25 12:0 a.m.12 views

SA-CONTRIB-2012-117 - Location - Access Bypass

The Location module allows real-world geographic locations to be associated with Drupal nodes, including people, places, and other content. The Location Search sub-module adds a search page for searching for locations. The Location Search module fails to enforce content and user access permission...

7AI score
Exploits0References10
Drupal
Drupal
added 2012/07/25 12:0 a.m.12 views

SA-CONTRIB-2012-115 - Gallery formatter - Cross Site Scripting (XSS)

Gallery formatter provides a field formatter for images that turns the fields into jQuery galleries. The module did not properly escape input from the user before printing it to the browser, allowing malicious users to inject script code into the page. This vulnerability is mitigated by the fact...

7.1AI score
Exploits0References9
Drupal
Drupal
added 2011/11/30 12:0 a.m.12 views

SA-CONTRIB-2011-057 - Support Ticketing System - Cross Site Scripting (XSS)

The Support Ticketing System module provides a basic ticketing system and helpdesk that is native to Drupal, offering complete email integration. The module does not properly sanitize user-supplied content, resulting in multiple Cross-Site Scripting XSS vulnerabilities. This vulnerability is...

6.2AI score
Exploits0References10
Drupal
Drupal
added 2011/11/30 12:0 a.m.12 views

SA-CONTRIB-2011-058 - Support Timer - Cross Site Scripting (XSS)

The Support Timer module adds a javascript-based timer to the Support Ticketing System for tracking how long users are working on support tickets, as well as administrative reports. The module does not properly sanitize user-supplied content, resulting in multiple Cross-Site Scripting XSS...

2.1CVSS5.6AI score0.00941EPSS
Exploits0References10
Drupal
Drupal
added 2011/09/07 12:0 a.m.12 views

SA-CONTRIB-2011-040 Author Pane access bypass

The Author Pane module provides information about users on a site. This module has integration with several other modules including the user locations of the Location module. If you enabled display of user locations the Author Pane module may have shown user locations to site visitors who did not...

6.6AI score
Exploits0References10
Drupal
Drupal
added 2011/06/22 12:0 a.m.12 views

SA-CONTRIB-2011-025 - Juitter & Download Count - Cross Site Scripting (XSS)

Two modules are being unsupported due to cross site scripting issues. The Juitter module enables you to use Juitter, a jQuery plugin, to put live Twitter search results on your site. The Juitter module contains a cross site scripting XSS vulnerability that can be exploited when setting up the...

5.8AI score
Exploits0References10
Drupal
Drupal
added 2011/03/23 12:0 a.m.12 views

SA-CONTRIB-2011-014 - Webform Block - Cross Site Scripting

The Webform Block module enables users to make a webform available as a block. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability that may lead to a malicious user gaining full administrative access. The...

6.1AI score
Exploits0References10
Drupal
Drupal
added 2010/11/10 12:0 a.m.12 views

SA-CONTRIB-2010-103 - Node Relativity - Multiple vulnerabilities

The Node Relativity module allows parent-child relationships between nodes to be established, managed and searched. The Node Relativity module does not sanitize some of the user supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability which can be used by a maliciou...

6.7AI score
Exploits0References12
Drupal
Drupal
added 2010/08/11 12:0 a.m.12 views

SA-CONTRIB-2010-083 - Ubercart sub-modules - Multiple Vulnerabilities

The Ubercart module for Drupal provides e-commerce features. Several modules within Ubercart were vulnerable to various security issues. 1. The 2Checkout gateway module did not properly verify the payment notification information. A malicious user could use a specially crafted HTTP request to...

7AI score
Exploits0References9
Drupal
Drupal
added 2010/07/28 12:0 a.m.12 views

SA-CONTRIB-2010-078 - Kaltura - Information disclosure

The Kaltura module integrates the Kaltura open source video platform with Drupal. When installing, uninstalling, or configuring the module, it would surreptitiously inject a hidden iframe into the messages displayed to the administrator with the source pointing to corp.kaltura.com/stats/drupal...

6.9AI score
Exploits0References9
Drupal
Drupal
added 2010/07/07 12:0 a.m.12 views

SA-CONTRIB-2010-071 - MultiSafepay Integration - Cross Site Request Forgery

The MultiSafepay Integration module provides integration between the Ubercart e-commerce solution and the MultiSafepay payment system. The module is vulnerable to Cross Site Request Forgeries CSRF which would allow a malicious user to alter the status of orders or to trick other users into alteri...

7.3AI score
Exploits0References7
Drupal
Drupal
added 2010/05/12 12:0 a.m.12 views

SA-CONTRIB-2010-045 - Auto Assign Role - Access bypass

The Auto Assign Role serves three primary purposes. The first is to provide an automatic assignment of roles when a new account is created. The second is to allow the end user the option of choosing their own role or roles when they create their account. The third is to provide paths that will...

6.9AI score
Exploits0References5
Drupal
Drupal
added 2010/05/12 12:0 a.m.12 views

SA-CONTRIB-2010-046: Award - Cross Site Scripting

The Award module allows administrators to identify one or more content types as "awards" that can be granted to users. When the title of an award is displayed on a user's profile page it is not properly sanitized, resulting in a cross site scripting vulnerability. Attackers must have the permissi...

6.3AI score
Exploits0References7
Drupal
Drupal
added 2010/05/05 12:0 a.m.12 views

SA-CONTRIB-2010-040: FileField - Access Bypass

FileField provides a file upload field for CCK, allowing files to be attached to a node. FileField intends to set a default extension of "txt" for all new fields, but may actually save an empty string allowing all extensions if an administrator does not save the field configuration page after...

7.3AI score
Exploits0References5
Drupal
Drupal
added 2010/04/28 12:0 a.m.12 views

SA-CONTRIB-2010-038 - Privatemsg - Access bypass

The Privatemsg module allows to send private messages between users. Additionally, the sub module Privatemsg Email Notification sends e-mail notification when such a message is sent. The page to configure the template for these e-mails does not use the correct access permission which allows all...

6.9AI score
Exploits0References5
Drupal
Drupal
added 2010/04/07 12:0 a.m.12 views

SA-CONTRIB-2010-035: Smileys - Cross Site Request Forgery

The Smileys module provides a text filter that substitutes emoticons with images. The module is vulnerable to cross-site request forgeries CSRF via the URL used to delete smileys. A user with "administer smileys" permission could be tricked into visiting the smiley delete URL and unwittingly remo...

7.1AI score
Exploits0References7
Drupal
Drupal
added 2010/02/24 12:0 a.m.12 views

SA-CONTRIB-2010-019 - Weekly Archive by Node Type - Access Bypass

The Weekly Archive by Node Type module generates weekly archive pages and a block with links to the pages. You can specify the node types that will be included in the archive pages. In weekly summaries listings, the Weekly Archive by Node Type module does not construct its SQL query to respect no...

7.7AI score
Exploits0References4
Drupal
Drupal
added 2009/12/30 12:0 a.m.12 views

SA-CONTRIB-2009-115 - Autocomplete Widgets for CCK Text and Number - Information Disclosure

Autocomplete Widgets module adds 2 autocomplete widgets for CCK fields of type Text and Number. The autocomplete callback implemented by this module does not honor permissions to access CCK fields, allowing users to see field values even though they are not authorized to access that information...

7.1AI score
Exploits0References5
Drupal
Drupal
added 2009/12/23 12:0 a.m.12 views

SA-CONTRIB-2009-114 - Automated Logout - Cross Site Scripting

This module provides a site administrator the ability to log users out after a specified time of inactivity. The module does not sanitize some of the user-supplied data before displaying it, leading to a cross-site scripting XSS vulnerability. Users who can take advantage of this vulnerability...

6.1AI score
Exploits0References8
Drupal
Drupal
added 2009/11/18 12:0 a.m.12 views

SA-CONTRIB-2009-107 - Ubercart - Access bypass, Cross site request forgery

Ubercart's PayPal Website Payments Standard integration exposes a path for completed orders without properly checking that the order is valid for the current user. In the event that the order has already been processed for checkout, this can result in duplicate actions taking place inadvertently...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2009/11/18 12:0 a.m.12 views

SA-CONTRIB-2009-103 - Strongarm - Cross Site Scripting

The Strongarm module enables other modules to enforce variable settings programmatically. It can also be used to override any of these variables, and lets the administrator see which variables have been overridden, along with their current values. When using the settings page to see overridden...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2009/11/04 12:0 a.m.12 views

SA-CONTRIB-2009-093 - Temporary Invitation - Cross Site Scripting

The Temporary Invitation module enables site users to invite guests for a limited timespan. For each invitation, a new user is created, together with a login code e.g. "EbN2F3" that the user can use to log in. The module fails to sanitize a value in Name field which is included in the invitation,...

6.3AI score
Exploits0References5
Drupal
Drupal
added 2009/10/28 12:0 a.m.12 views

SA-CONTRIB-2009-084 - LDAP Integration - Multiple Vulnerabilities

The LDAP Integration module enables users to authenticate against LDAP servers. The module does not properly implement confirmation pages for the LDAP server activation/deactivation which could lead to a Cross Site Request Forgery CSRF attack. The user defined server name is not properly escaped ...

6.3AI score
Exploits0References12
Drupal
Drupal
added 2009/10/21 12:0 a.m.12 views

SA-CONTRIB-2009-076 - Flag Content Cross Site Scripting

The Flag Content module enables users to flag nodes and users for the attention of a site maintainer e.g. for abuse, spam, trolling, ...etc.. In some specific cases, the module does not sanitize before outputting the Reason field, resulting in a cross-site scripting XSS vulnerability. Such an...

5.9AI score
Exploits0References5
Drupal
Drupal
added 2009/09/30 12:0 a.m.12 views

SA-CONTRIB-2009-068 - Boost - Filesystem Directory Creation

The Boost module provides a static file-based cache of Drupal pages for anonymous users. A vulnerability in the module allows an attacker to create new directories inside the webroot that the web server can write to. Existing directories cannot be changed using this vulnerability, but it can be...

7AI score
Exploits0References5
Drupal
Drupal
added 2009/09/30 12:0 a.m.12 views

SA-CONTRIB-2009-067 Dex module - Cross Site Scripting, no longer maintained

The Dex: Contact Information Manager module enables contact information management with Google Maps and Yahoo Maps compatible geocoding. The module suffers from a Cross Site Scripting XSS vulnerability. Such an attack may lead to a malicious user gaining full administrative access. This module is...

6.3AI score
Exploits0References3
Drupal
Drupal
added 2009/09/30 12:0 a.m.12 views

SA-CONTRIB-2009-064 - Bibliography module - Cross Site Scripting

The Bibliography module also known as Biblio allows users manage and display lists of scholarly publications. The Biblio module creates customized views in order to display these listings, and these listings contain text entered by users with the 'create biblio' permission. In some cases, the...

6AI score
Exploits0References6
Drupal
Drupal
added 2009/09/23 12:0 a.m.12 views

SA-CONTRIB-2009-062 - Devel - Cross Site Scripting

The Devel module contains many useful developer functions, such as a query log and the display of variables. When using the variable editor, the module does not properly sanitize the output of the variable name before display, leading to a cross-site scripting XSS vulnerability. Such an attack ma...

6.1AI score
Exploits0References7
Drupal
Drupal
added 2009/09/09 12:0 a.m.12 views

SA-CONTRIB-2009-055 - BUEditor - Cross Site Scripting

The BUEditor module provides a plain textarea editor designed to facilitate code writing. The module suffers from a Cross Site Scripting XSS vulnerability, which allows an attacker to hijack the account of a logged in user by tricking them into visiting a seemingly innocent page using the Live...

6.4AI score
Exploits0References7
Drupal
Drupal
added 2009/07/29 12:0 a.m.12 views

SA-CONTRIB-2009-049 - Live - Privilege escalation, Impersonation

The Live module provides dynamic previews of content. When editing certain content nodes, the current user becomes logged in as the content's original author. Versions affected Live for Drupal 6.x prior to 6.x-1.2 Drupal core is not affected. If you do not use the contributed Live module, there i...

7AI score
Exploits0References5
Drupal
Drupal
added 2009/07/01 12:0 a.m.12 views

SA-CONTRIB-2009-040 - Advanced Forum - Multiple vulnerabilities

Cross-site scripting The Advanced Forum module does not correctly handle certain arguments obtained from the URL. By enticing a suitably privileged user to visit a specially crafted URL, a malicious user is able to insert arbitrary HTML and script code into forum pages. Such a cross-site scriptin...

6.5AI score
Exploits0References5
Drupal
Drupal
added 2009/06/10 12:0 a.m.12 views

SA-CONTRIB-2009-038 - Nodequeue - Multiple vulnerabilities

The Nodequeue module enables an administrator to arbitrarily put nodes in a group for some purpose, such as providing a listing of nodes or featuring a particular node. It suffers from a cross-site scripting XSS vulnerability due to not properly sanitizing vocabulary names before they are...

5.4AI score
Exploits0References8
Drupal
Drupal
added 2009/03/18 12:0 a.m.12 views

SA-CONTRIB-2009-012 - Printer, e-mail and PDF versions - Unrestricted e-mailing (spam)

The "Send by e-mail" module, part of the "Printer, e-mail and PDF versions" project, allows users to send e-mail messages while viewing content on the site. This module was found to have multiple vulnerabilities. Unrestricted e-mailing spam Due to improper use of Drupal's flood control API, it is...

7.2AI score
Exploits0References4
Drupal
Drupal
added 2009/03/18 12:0 a.m.12 views

SA-CONTRIB-2009-011 Tasklist - SQL injection and Cross site scripting

Tasklist does not properly use the Drupal database API and inserts values from the URL directly into queries. This can be exploited to perform SQL Injection attacks. These attacks may lead to a malicious user gaining full administrator access. In addition, Tasklist allows users to add CSS to page...

7AI score
Exploits0References7
Drupal
Drupal
added 2009/01/14 12:0 a.m.12 views

SA-CONTRIB-2009-003 - Internationalizaion (i18n) Translation module - Access bypass

The third-party i18n module enables users to make a translation of an existing item of content a node. In that process the existing node's content is copied into the new node. The module contains a flaw that allows a user with the 'translate node' permission to potentially bypass normal viewing...

7AI score
Exploits0References5
Drupal
Drupal
added 2008/11/26 12:0 a.m.12 views

SA-2008-070 - Comment Mail - Cross site request forgery

The Comment Mail module allows an email to be sent to the site administrators when new comments are posted. Links in the email allow for quick approval, editing, deletion of the comment and/or banning of the poster's IP address. Unfortunately some links are vulnerable to cross site request...

6.7AI score
Exploits0References5
Drupal
Drupal
added 2008/10/01 12:0 a.m.12 views

SA-2008-059 - Brilliant Gallery - SQL Injection and Cross Site Scripting

The Brilliant Gallery module allows users to publish photos in galleries. Two vulnerabilities were found in the module. SQL Injection Brilliant Gallery does not properly use the Drupal database API and inserts values from URLs directly into queries. This can be exploited to perform SQL Injection...

7.3AI score
Exploits0References5
Drupal
Drupal
added 2008/04/23 12:0 a.m.12 views

SA-2008-028 - Internationalization and Localizer - Cross site scripting

The Internationalization i18n and Localizer modules add multi-lingual capabilities to Drupal sites. They provide control over a site's user interface language, the ability to enter and control content in multiple languages, and can detect the browser language. Several values are displayed without...

6.7AI score
Exploits0References12
Drupal
Drupal
added 2008/04/09 12:0 a.m.12 views

SA-2008-025 - Simple access - Access bypass

The Simple Access module is a node access module that allows administrators to make some nodes private and/or editable by certain user roles. The module contains a flaw that results in the privacy information for a node being lost under certain conditions. These conditions are usually triggered v...

6.8AI score
Exploits0References6
Drupal
Drupal
added 2008/03/12 12:0 a.m.12 views

SA-2008-020 - Ubercart - Cross site scripting

The attribute module allows customers to enter a text value as an attribute for a product, like a name to stitch into a hat. However, when these text values were displayed in the shopping cart or on order pages, there was a possibility for a malicious user to perform a cross site scripting attack...

6.5AI score
Exploits0References4
Drupal
Drupal
added 2008/01/30 12:0 a.m.12 views

SA-2008-013 - Project issue tracking - Arbitrary file upload

The Project issue tracking module has a vulnerability where new issues are not properly validated. If the core Upload module is enabled on issue nodes the recommended configuration for the 5.x-2. series, this vulnerability can be used to attach malicious files to new issues, regardless of the...

6.5AI score
Exploits0References8
Drupal
Drupal
added 2008/01/23 12:0 a.m.12 views

SA-2008-10 - Archive - Cross site scripting

The Archive module provides a replacement for the archive functionality that was present in Drupal 4.7. Certain URL arguments are not escaped before display. It is therefore possible to inject arbitrary HTML and script code into certain archive pages, which may lead to administrator access if...

6.4AI score
Exploits0References5
Drupal
Drupal
added 2008/01/10 12:0 a.m.12 views

SA-2008-001 - Devel - Cross site scripting

The devel module contains many useful developer functions, such as a query log and the display of variables. The contents of the variable table is not escaped prior to display. Should an unprivileged user be able to control the contents of a site variable, it would be possible to inject arbitrary...

6.3AI score
Exploits0References5
Drupal
Drupal
added 2008/01/10 12:0 a.m.12 views

SA-2008-004 - Fileshare - Arbitrary code execution

The fileshare module is used to create nodes that allow browsing, uploading, downloading and deleting of files from a fileshare directory that is created by Drupal and linked to the node. Users who are able to create fileshare nodes are able to execute arbitrary code on the server. Versions...

7.7AI score
Exploits0References1
Drupal
Drupal
added 2007/09/27 12:0 a.m.12 views

SA-2007-021: Project issue tracking - XSS vulnerabilities in subscription forms.

The Project issue tracking module provides a subscription functionality enabling users to sign up for e-mail notification of issue updates. The subscriptions can be edited on both an individual or overview form. Users who have permissions to create or edit projects may be able to inject arbitrary...

6.7AI score
Exploits0References7
Drupal
Drupal
added 2007/01/23 12:0 a.m.12 views

Project and Project issue tracking - Multiple vulnerabilities

Multiple vulnerabilities have been discovered and fixed in the Project and Project issue tracking modules: Access bypass in Project issue tracking Due to an error in the projectissueaccess function, users with the 'Access project issues' permission would have full access to all issues on a site,...

6.1AI score
Exploits0References12
Drupal
Drupal
added 2006/09/20 12:0 a.m.12 views

Search Keywords cross site scripting vulnerability

It is possible for a malicious user to insert and execute XSS Cross Site Scripting, due to lack of validation on output. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. Versions affected Drupal core is not affected. If you do not use the...

6.3AI score
Exploits0References4
Total number of security vulnerabilities1940