Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2025/08/27 12:0 a.m.11 views

Facets - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-100

This module enables you to to easily create and manage faceted search interfaces. The module doesn’t sufficiently filter certain user-provided text leading to a cross site scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permissio...

6.1CVSS5AI score0.00181EPSS
Exploits0References5
Drupal
Drupal
added 2025/08/27 12:0 a.m.11 views

Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101

This module enables you to protect individual pages with a password. The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks. This vulnerability is mitigated by the fact that an attacker must know the protected page's URL. CVSS risk score experimental...

6.5CVSS5.5AI score0.00351EPSS
Exploits0References4
Drupal
Drupal
added 2025/05/07 12:0 a.m.11 views

Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-052

The module enables you to add second-factor authentication in addition to the default Drupal login. The module doesn't sufficiently check whether the TOTP token is already used or not for authenticator-based second-factor methods. This vulnerability is mitigated by the fact that an attacker must...

4.8CVSS5.7AI score0.00235EPSS
Exploits0References3
Drupal
Drupal
added 2025/04/09 12:0 a.m.11 views

WEB-T - Moderately critical - Access bypass, Denial of service - SA-CONTRIB-2025-030

This module enables you to translate nodes, configuration, UI strings automatically. The module doesn't sufficiently validate the incoming API response when using eTranslation integration, which has an asynchronous workflow. Specially crafted requests could overwrite entities and translations of...

6.5CVSS5.7AI score0.00419EPSS
Exploits0References2
Drupal
Drupal
added 2025/01/08 12:0 a.m.11 views

Profile Private - Critical - Unsupported - SA-CONTRIB-2025-002

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.3CVSS7.1AI score0.00427EPSS
Exploits0References6
Drupal
Drupal
added 2024/12/04 12:0 a.m.11 views

Megamenu Framework - Critical - Unsupported - SA-CONTRIB-2024-065

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

6.6CVSS7.1AI score0.00361EPSS
Exploits0References3
Drupal
Drupal
added 2024/12/04 12:0 a.m.11 views

Print Anything - Critical - Unsupported - SA-CONTRIB-2024-066

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

6.6CVSS7.1AI score0.00361EPSS
Exploits0References3
Drupal
Drupal
added 2024/11/06 12:0 a.m.11 views

Basic HTTP Authentication - Critical - Access bypass - SA-CONTRIB-2024-057

The module provides a possibility to restrict access to specific paths using basic HTTP authentication, in addition to standard Drupal access checks. In some cases, the module removes existing access checks from some paths, resulting in an access bypass vulnerability...

7.3CVSS7.1AI score0.00316EPSS
Exploits0References4
Drupal
Drupal
added 2024/10/23 12:0 a.m.11 views

Views SVG Animation - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-051

This module enables you to animate an SVG graphic by selecting certain rows in a view. The module doesn't sufficiently sanitize the SVG file before embedding it into the html. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to upload SVG files...

5.4CVSS7AI score0.00213EPSS
Exploits0References5
Drupal
Drupal
added 2024/10/09 12:0 a.m.11 views

wkhtmltopdf - Highly critical - Unsupported - SA-CONTRIB-2024-049

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

9.8CVSS7.1AI score0.00434EPSS
Exploits0References2
Drupal
Drupal
added 2024/09/04 12:0 a.m.11 views

Open Social - Moderately critical - Denial of Service - SA-CONTRIB-2024-038

Open Social is a Drupal distribution for online communities. The distribution didn't validate the flood control limits on the password reset form correctly resulting in a potential attacker flooding the password reset which could result in a Denial of Service. Fortunately the message does not...

5.3CVSS7AI score0.00355EPSS
Exploits0References8
Drupal
Drupal
added 2024/08/21 12:0 a.m.11 views

Opigno - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-032

The Opigno module is related to Opigno LMS distribution. Opigno Scorm submodule exposes an API for extracting and handling SCORM packages. Uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution RCE and/or Cross Site Scripting XS...

6.8CVSS7.5AI score0.00459EPSS
Exploits0References7
Drupal
Drupal
added 2023/08/23 12:0 a.m.11 views

SafeDelete - Moderately critical - Access bypass - SA-CONTRIB-2023-039

This module aims to prevent broken content references by informing content editors either on delete or archive moderation. The module provides an "orphaned content" report for broken references, which may reveal titles of unpublished content...

6.9AI score
Exploits0References8
Drupal
Drupal
added 2023/03/08 12:0 a.m.11 views

Gutenberg - Less critical - Denial of Service - SA-CONTRIB-2023-009

This module provides a new UI experience for node editing - Gutenberg editor. This vulnerability can cause DoS by using reusable blocks improperly. This vulnerability is mitigated by the fact an attacker must have "use gutenberg" permission to exploit it...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2022/07/27 12:0 a.m.11 views

Tagify - Moderately critical - Access bypass - SA-CONTRIB-2022-051

This module provides a widget to transform entity reference fields into a more user-friendly tags input component with a great performance. The module doesn't sufficiently check access for the add operation. Users with permission to edit content can view and reference unpublished terms. The edit...

6.3AI score
Exploits0References6
Drupal
Drupal
added 2022/05/04 12:0 a.m.11 views

Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034

This module enables you to add URL fields to entity types with a variety of options. The module doesn't sufficiently filter output when token processing is disabled on an individual field. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create...

6.4AI score
Exploits0References5
Drupal
Drupal
added 2020/08/05 12:0 a.m.11 views

Group - Moderately critical - Information disclosure - SA-CONTRIB-2020-033

The Group module enables you to hand out permissions on a smaller subset, section or community of your website. Under very specific circumstances, where two group types support the same content, yet hand out different permissions, non-members of the first group type may use the set of permissions...

6.5AI score
Exploits0References3
Drupal
Drupal
added 2020/07/22 12:0 a.m.11 views

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2020-028

The Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal. It contains an "Apigee Edge Teams" submodule that provides shared app functionality by allowing developers to be organized into teams. The "Apigee Edge Teams" submodule has an information...

6.1AI score
Exploits0References6
Drupal
Drupal
added 2019/12/11 12:0 a.m.11 views

Smart Trim - Moderately critical - Cross site scripting - SA-CONTRIB-2019-092

The Smart Trim module allows site builders additional control with text summary fields. The module doesn't sufficiently filter text when certain options are selected. This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create content on the site when...

6.5AI score
Exploits0References7
Drupal
Drupal
added 2019/11/13 12:0 a.m.11 views

Field Slideshow - Less critical - Cross site scripting - SA-CONTRIB-2019-082

This module enables you to output a field as a slideshow. The module doesn't sufficiently filter strings added to the fields leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have the ability to create content which is output as...

6AI score
Exploits0References8
Drupal
Drupal
added 2019/02/27 12:0 a.m.11 views

Path Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-027

This module enables you to configure breadcrumbs for any Drupal page. This module doesn't properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer...

5.8AI score
Exploits0References6
Drupal
Drupal
added 2019/02/27 12:0 a.m.11 views

Services - Critical - SQL Injection - SA-CONTRIB-2019-026

This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The module doesn't sufficiently sanitize user input for entity index resources thus allowing SQL Injection attacks. This vulnerability is mitigated by the fact that the Drupal 7...

7.5AI score
Exploits0References4
Drupal
Drupal
added 2019/02/20 12:0 a.m.11 views

Font Awesome Icons - Critical - Remote Code Execution - SA-CONTRIB-2019-025

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...

6.7AI score
Exploits0References3
Drupal
Drupal
added 2019/01/09 12:0 a.m.11 views

Provision - Moderately critical - Access bypass - SA-CONTRIB-2019-002

Aegir is a Web hosting control panel program that provides a Drupal-based graphical interface designed to simplify deploying, managing and upgrading an entire network of Drupal, Wordpress and CiviCRM Web sites. The Provision module is a core piece of the Aegir platform. This module doesn't...

6.7AI score
Exploits0References10
Drupal
Drupal
added 2018/07/11 12:0 a.m.11 views

Commerce Custom Order Status - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-046

Commerce Custom Order Status provides forms for administrators to add, edit, and delete order statuses from the order settings screen. The module doesn't sufficiently sanitize the output of the status names. This vulnerability is mitigated by the fact that an attacker must have a role with the...

6.5AI score
Exploits0References5
Drupal
Drupal
added 2018/07/04 12:0 a.m.11 views

Universally Unique IDentifier - Moderately critical - Arbitrary file upload - SA-CONTRIB-2018-045

This module provides an API for adding universally unique identifiers UUID to Drupal objects, most notably entities. The module module has an arbitrary file upload vulnerability when it's used in combination with the services REST server. This vulnerability is mitigated by the fact that an attack...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2018/04/25 12:0 a.m.11 views

D7 Media - Critical - Remote Code Execution - SA-CONTRIB-2018-020

The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a third party site. The module contained a vulnerability similar to SA-CORE-2018-004, leading to a possible remote code execution RCE attack...

7.8AI score
Exploits0References2
Drupal
Drupal
added 2017/12/20 12:0 a.m.11 views

me aliases - Highly critical - Arbitrary code execution - SA-CONTRIB-2017-097

'me' module provides shortcut paths to current user's pages, eg user/me, blog/me, user/me/edit, tracker/me etc. The way 'me' module handles URL arguments allows an attacker to execute arbitrary code strings...

7.6AI score
Exploits0References5
Drupal
Drupal
added 2017/12/06 12:0 a.m.11 views

Feedback Collect - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-090

This module enables you to add feedback forms and gather end user feedback, bug reports or any kind of suggestions. The module doesn't sufficiently filter output of its own fields under the scenario of creating or editing feedback-collect content types. This vulnerability is mitigated by the fact...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2017/09/20 12:0 a.m.11 views

Page Access - Unsupported - SA-CONTRIB-2017-75

This module will provide the option to give the View and Edit access for users and roles on each node pages. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module,...

6.7AI score
Exploits0References7
Drupal
Drupal
added 2017/09/13 12:0 a.m.11 views

Flag clear - Moderately Critical - CSRF - DRUPAL-SA-CONTRIB-2017-074

The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own. The module doesn't sufficiently confirm a user's intent to take unflagging actions. CVE...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2017/05/17 12:0 a.m.11 views

Display Suite - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-049

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. In certain situations, Display Suite does not properly sanitize some of the output, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS...

6.3AI score
Exploits0References12
Drupal
Drupal
added 2017/03/22 12:0 a.m.11 views

Office Hours - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-032

This module enables you to show the office hours of a location to the public. The module doesn't sufficiently filter user input for malicious Cross Site Scripting xss. This vulnerability is mitigated by the fact that an attacker must have a role with a permission to add fields to an entity. CVE...

6.6AI score
Exploits0References12
Drupal
Drupal
added 2017/03/01 12:0 a.m.11 views

Location Map - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-026

This module enables you to display one simple location map via Google Maps. The module doesn't sufficiently sanitize user input in the configuration text fields of the module allows any tags and does not respect text format configuration. This vulnerability is mitigated by the fact that an attack...

6.9AI score
Exploits0References11
Drupal
Drupal
added 2017/02/15 12:0 a.m.11 views

Metatag -Moderately Critical - Information disclosure - SA-CONTRIB-2017-019

This module enables you to add a variety of meta tags to a site for helping with a site's search engine results and to customize how content is shared on social networks. The module doesn't sufficiently protect against data being cached that might contain information related to a specific user...

6.6AI score
Exploits0References13
Drupal
Drupal
added 2017/02/08 12:0 a.m.11 views

Facebook Pull - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-011

This module enables you to add integration with Facebook API. The module doesn't sufficiently sanitize incoming data from Facebook. This vulnerability is mitigated by the fact that an attacker must have be able to successfully pass malicious code through Facebook API or alter facebooks DNS and...

7.2AI score
Exploits0References14
Drupal
Drupal
added 2017/01/25 12:0 a.m.11 views

Microblog - Critical - Unsupported - SA-CONTRIB-2017-007

This module enables microblogging on Drupal sites using it. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected All versions Drupal core is not affected. If you do not use the contributed microblog...

7.2AI score
Exploits0References9
Drupal
Drupal
added 2016/10/26 12:0 a.m.11 views

Tripal BLAST UI - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-054

This module enables you to run NCBI BLAST jobs on the host system. The module doesn't sufficiently validate advanced options available to users submitting BLAST jobs, thereby exposing the ability to enter a short snippet of shell code that will be executed when the BLAST job is run. This...

7.2AI score
Exploits0References12
Drupal
Drupal
added 2016/08/17 12:0 a.m.11 views

Panels - Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-047

Panels does not check access on some routes Critical Panels allows users with certain permissions to modify the layout and panel panes on pages or entities utilizing panels. Much of the functionality to modify these panels rely on backend routes that call administrative forms. These forms did not...

6.8AI score
Exploits0References16
Drupal
Drupal
added 2016/06/08 12:0 a.m.11 views

Outline Designer - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-035

This module enables you to mass administer book outlines and perform common operations through one interface, improving the usability for the book module. The module doesn't sufficiently sanitize titles when presenting them on this interface. This vulnerability is mitigated by the fact that an...

7AI score
Exploits0References11
Drupal
Drupal
added 2016/05/04 12:0 a.m.11 views

Fieldable Panels Panes - Moderately Critical - XSS - SA-CONTRIB-2016-025

This module enables you to create fieldable entities that have special integration with Panels. The module doesn't sufficiently filter the entity title or admin title fields when they are displayed in either the Panels admin UI or the In-Place Editor IPE, allowing for specially crafted XSS attack...

6.1AI score
Exploits0References12
Drupal
Drupal
added 2016/04/06 12:0 a.m.11 views

HybridAuth - Less critical - Multiple vulnerabilities - SA-CONTRIB-2016-018

The HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter. Open redirect The module doesn't verify the "destination" redirect after a login to be a non-external URL causing an ope...

7.1AI score
Exploits0References11
Drupal
Drupal
added 2016/02/24 12:0 a.m.11 views

FileField - Denial of Service - SA-CONTRIB-2016-008

FileField module allows users to upload files in conjunction with the Content Construction Kit CCK module in Drupal 6. The module doesn't validate that a request to delete a temporary file was made by the user who uploaded the file. An attacker can use this vulnerability to delete other user's fi...

7AI score
Exploits0References11
Drupal
Drupal
added 2015/10/14 12:0 a.m.11 views

Twilio - Moderately Critical - Access bypass - SA-CONTRIB-2015-157

This module provides hooks and rules integration to leverage the Twilio API to send/receive phone calls and text messages. The module relies on existing permissions for providing administration which can lead to untrusted users having access to perform actions that may not be intended. This...

6.9AI score
Exploits0References13
Drupal
Drupal
added 2014/10/08 12:0 a.m.11 views

SA-CONTRIB-2014-097 - nodeaccess - Access Bypass

Nodeaccess is a Drupal access control module which provides view, edit and delete access to nodes. This module enables you to inadvertently allow an author of a node view/edit/delete the node in question who may not have access. The module over-eagerly grants read/write/delete access to all autho...

7.1AI score
Exploits0References13
Drupal
Drupal
added 2014/09/24 12:0 a.m.11 views

SA-CONTRIB-2014-094 - Webform Patched - Cross Site Scripting (XSS)

The Webform Patched module is a fork of the Webform module with Token support added. The module enables you to create forms which can be used for surveys, contact forms or other data collection throughout your site. The module doesn't sufficiently sanitize field label titles when two fields have...

6.9AI score
Exploits0References15
Drupal
Drupal
added 2014/09/17 12:0 a.m.11 views

SA-CONTRIB-2014-090 - Speech recognition - Multiple vulnerabilities

This module enables you to add speech recognition to forms, allowing site admins to enable experimental Speech Input API features on form inputs through the user interface. Cross Site Scripting XSS The module incorrectly prints fields without proper sanitization thereby opening a Cross Site...

6.3AI score
Exploits0References11
Drupal
Drupal
added 2014/06/18 12:0 a.m.11 views

SA-CONTRIB-2014-062 -Passsword Policy - Multiple vulnerabilities

The Password Policy module enables you to define and enforce password policies with various constraints on allowable user passwords. Access bypass and information disclosure 7.x only The module has a history constraint, which when enabled, disallows a user's password from being changed to match a...

6.8AI score
Exploits0References14
Drupal
Drupal
added 2014/04/30 12:0 a.m.11 views

SA-CONTRIB-2014-048 - Field API Pane Editor (FAPE) - Access bypass

This module adds a contextual menu to fields which are added to an entity display in Panels, allowing individual fields to be directly edited via a separate page or, if it is enabled, the Overlay module. The module doesn't sufficiently verify the user has access to modify the entity the field is...

6.1AI score
Exploits0References13
Drupal
Drupal
added 2014/04/09 12:0 a.m.11 views

SA-CONTRIB-2014-040 - Skeleton theme - Cross Site Scripting

The Skeleton theme is a responsive Drupal theme, built upon the Skeleton Boilerplate. The Skeleton theme does not properly sanitize theme settings before they are used in the output of a page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...

7.1AI score
Exploits0References11
Total number of security vulnerabilities1940