1940 matches found
Facets - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-100
This module enables you to to easily create and manage faceted search interfaces. The module doesn’t sufficiently filter certain user-provided text leading to a cross site scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permissio...
Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101
This module enables you to protect individual pages with a password. The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks. This vulnerability is mitigated by the fact that an attacker must know the protected page's URL. CVSS risk score experimental...
Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-052
The module enables you to add second-factor authentication in addition to the default Drupal login. The module doesn't sufficiently check whether the TOTP token is already used or not for authenticator-based second-factor methods. This vulnerability is mitigated by the fact that an attacker must...
WEB-T - Moderately critical - Access bypass, Denial of service - SA-CONTRIB-2025-030
This module enables you to translate nodes, configuration, UI strings automatically. The module doesn't sufficiently validate the incoming API response when using eTranslation integration, which has an asynchronous workflow. Specially crafted requests could overwrite entities and translations of...
Profile Private - Critical - Unsupported - SA-CONTRIB-2025-002
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Megamenu Framework - Critical - Unsupported - SA-CONTRIB-2024-065
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Print Anything - Critical - Unsupported - SA-CONTRIB-2024-066
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Basic HTTP Authentication - Critical - Access bypass - SA-CONTRIB-2024-057
The module provides a possibility to restrict access to specific paths using basic HTTP authentication, in addition to standard Drupal access checks. In some cases, the module removes existing access checks from some paths, resulting in an access bypass vulnerability...
Views SVG Animation - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-051
This module enables you to animate an SVG graphic by selecting certain rows in a view. The module doesn't sufficiently sanitize the SVG file before embedding it into the html. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to upload SVG files...
wkhtmltopdf - Highly critical - Unsupported - SA-CONTRIB-2024-049
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Open Social - Moderately critical - Denial of Service - SA-CONTRIB-2024-038
Open Social is a Drupal distribution for online communities. The distribution didn't validate the flood control limits on the password reset form correctly resulting in a potential attacker flooding the password reset which could result in a Denial of Service. Fortunately the message does not...
Opigno - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-032
The Opigno module is related to Opigno LMS distribution. Opigno Scorm submodule exposes an API for extracting and handling SCORM packages. Uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution RCE and/or Cross Site Scripting XS...
SafeDelete - Moderately critical - Access bypass - SA-CONTRIB-2023-039
This module aims to prevent broken content references by informing content editors either on delete or archive moderation. The module provides an "orphaned content" report for broken references, which may reveal titles of unpublished content...
Gutenberg - Less critical - Denial of Service - SA-CONTRIB-2023-009
This module provides a new UI experience for node editing - Gutenberg editor. This vulnerability can cause DoS by using reusable blocks improperly. This vulnerability is mitigated by the fact an attacker must have "use gutenberg" permission to exploit it...
Tagify - Moderately critical - Access bypass - SA-CONTRIB-2022-051
This module provides a widget to transform entity reference fields into a more user-friendly tags input component with a great performance. The module doesn't sufficiently check access for the add operation. Users with permission to edit content can view and reference unpublished terms. The edit...
Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034
This module enables you to add URL fields to entity types with a variety of options. The module doesn't sufficiently filter output when token processing is disabled on an individual field. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create...
Group - Moderately critical - Information disclosure - SA-CONTRIB-2020-033
The Group module enables you to hand out permissions on a smaller subset, section or community of your website. Under very specific circumstances, where two group types support the same content, yet hand out different permissions, non-members of the first group type may use the set of permissions...
Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2020-028
The Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal. It contains an "Apigee Edge Teams" submodule that provides shared app functionality by allowing developers to be organized into teams. The "Apigee Edge Teams" submodule has an information...
Smart Trim - Moderately critical - Cross site scripting - SA-CONTRIB-2019-092
The Smart Trim module allows site builders additional control with text summary fields. The module doesn't sufficiently filter text when certain options are selected. This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create content on the site when...
Field Slideshow - Less critical - Cross site scripting - SA-CONTRIB-2019-082
This module enables you to output a field as a slideshow. The module doesn't sufficiently filter strings added to the fields leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have the ability to create content which is output as...
Path Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-027
This module enables you to configure breadcrumbs for any Drupal page. This module doesn't properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer...
Services - Critical - SQL Injection - SA-CONTRIB-2019-026
This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The module doesn't sufficiently sanitize user input for entity index resources thus allowing SQL Injection attacks. This vulnerability is mitigated by the fact that the Drupal 7...
Font Awesome Icons - Critical - Remote Code Execution - SA-CONTRIB-2019-025
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
Provision - Moderately critical - Access bypass - SA-CONTRIB-2019-002
Aegir is a Web hosting control panel program that provides a Drupal-based graphical interface designed to simplify deploying, managing and upgrading an entire network of Drupal, Wordpress and CiviCRM Web sites. The Provision module is a core piece of the Aegir platform. This module doesn't...
Commerce Custom Order Status - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-046
Commerce Custom Order Status provides forms for administrators to add, edit, and delete order statuses from the order settings screen. The module doesn't sufficiently sanitize the output of the status names. This vulnerability is mitigated by the fact that an attacker must have a role with the...
Universally Unique IDentifier - Moderately critical - Arbitrary file upload - SA-CONTRIB-2018-045
This module provides an API for adding universally unique identifiers UUID to Drupal objects, most notably entities. The module module has an arbitrary file upload vulnerability when it's used in combination with the services REST server. This vulnerability is mitigated by the fact that an attack...
D7 Media - Critical - Remote Code Execution - SA-CONTRIB-2018-020
The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a third party site. The module contained a vulnerability similar to SA-CORE-2018-004, leading to a possible remote code execution RCE attack...
me aliases - Highly critical - Arbitrary code execution - SA-CONTRIB-2017-097
'me' module provides shortcut paths to current user's pages, eg user/me, blog/me, user/me/edit, tracker/me etc. The way 'me' module handles URL arguments allows an attacker to execute arbitrary code strings...
Feedback Collect - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-090
This module enables you to add feedback forms and gather end user feedback, bug reports or any kind of suggestions. The module doesn't sufficiently filter output of its own fields under the scenario of creating or editing feedback-collect content types. This vulnerability is mitigated by the fact...
Page Access - Unsupported - SA-CONTRIB-2017-75
This module will provide the option to give the View and Edit access for users and roles on each node pages. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module,...
Flag clear - Moderately Critical - CSRF - DRUPAL-SA-CONTRIB-2017-074
The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own. The module doesn't sufficiently confirm a user's intent to take unflagging actions. CVE...
Display Suite - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-049
Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. In certain situations, Display Suite does not properly sanitize some of the output, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS...
Office Hours - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-032
This module enables you to show the office hours of a location to the public. The module doesn't sufficiently filter user input for malicious Cross Site Scripting xss. This vulnerability is mitigated by the fact that an attacker must have a role with a permission to add fields to an entity. CVE...
Location Map - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-026
This module enables you to display one simple location map via Google Maps. The module doesn't sufficiently sanitize user input in the configuration text fields of the module allows any tags and does not respect text format configuration. This vulnerability is mitigated by the fact that an attack...
Metatag -Moderately Critical - Information disclosure - SA-CONTRIB-2017-019
This module enables you to add a variety of meta tags to a site for helping with a site's search engine results and to customize how content is shared on social networks. The module doesn't sufficiently protect against data being cached that might contain information related to a specific user...
Facebook Pull - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-011
This module enables you to add integration with Facebook API. The module doesn't sufficiently sanitize incoming data from Facebook. This vulnerability is mitigated by the fact that an attacker must have be able to successfully pass malicious code through Facebook API or alter facebooks DNS and...
Microblog - Critical - Unsupported - SA-CONTRIB-2017-007
This module enables microblogging on Drupal sites using it. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected All versions Drupal core is not affected. If you do not use the contributed microblog...
Tripal BLAST UI - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-054
This module enables you to run NCBI BLAST jobs on the host system. The module doesn't sufficiently validate advanced options available to users submitting BLAST jobs, thereby exposing the ability to enter a short snippet of shell code that will be executed when the BLAST job is run. This...
Panels - Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-047
Panels does not check access on some routes Critical Panels allows users with certain permissions to modify the layout and panel panes on pages or entities utilizing panels. Much of the functionality to modify these panels rely on backend routes that call administrative forms. These forms did not...
Outline Designer - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-035
This module enables you to mass administer book outlines and perform common operations through one interface, improving the usability for the book module. The module doesn't sufficiently sanitize titles when presenting them on this interface. This vulnerability is mitigated by the fact that an...
Fieldable Panels Panes - Moderately Critical - XSS - SA-CONTRIB-2016-025
This module enables you to create fieldable entities that have special integration with Panels. The module doesn't sufficiently filter the entity title or admin title fields when they are displayed in either the Panels admin UI or the In-Place Editor IPE, allowing for specially crafted XSS attack...
HybridAuth - Less critical - Multiple vulnerabilities - SA-CONTRIB-2016-018
The HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter. Open redirect The module doesn't verify the "destination" redirect after a login to be a non-external URL causing an ope...
FileField - Denial of Service - SA-CONTRIB-2016-008
FileField module allows users to upload files in conjunction with the Content Construction Kit CCK module in Drupal 6. The module doesn't validate that a request to delete a temporary file was made by the user who uploaded the file. An attacker can use this vulnerability to delete other user's fi...
Twilio - Moderately Critical - Access bypass - SA-CONTRIB-2015-157
This module provides hooks and rules integration to leverage the Twilio API to send/receive phone calls and text messages. The module relies on existing permissions for providing administration which can lead to untrusted users having access to perform actions that may not be intended. This...
SA-CONTRIB-2014-097 - nodeaccess - Access Bypass
Nodeaccess is a Drupal access control module which provides view, edit and delete access to nodes. This module enables you to inadvertently allow an author of a node view/edit/delete the node in question who may not have access. The module over-eagerly grants read/write/delete access to all autho...
SA-CONTRIB-2014-094 - Webform Patched - Cross Site Scripting (XSS)
The Webform Patched module is a fork of the Webform module with Token support added. The module enables you to create forms which can be used for surveys, contact forms or other data collection throughout your site. The module doesn't sufficiently sanitize field label titles when two fields have...
SA-CONTRIB-2014-090 - Speech recognition - Multiple vulnerabilities
This module enables you to add speech recognition to forms, allowing site admins to enable experimental Speech Input API features on form inputs through the user interface. Cross Site Scripting XSS The module incorrectly prints fields without proper sanitization thereby opening a Cross Site...
SA-CONTRIB-2014-062 -Passsword Policy - Multiple vulnerabilities
The Password Policy module enables you to define and enforce password policies with various constraints on allowable user passwords. Access bypass and information disclosure 7.x only The module has a history constraint, which when enabled, disallows a user's password from being changed to match a...
SA-CONTRIB-2014-048 - Field API Pane Editor (FAPE) - Access bypass
This module adds a contextual menu to fields which are added to an entity display in Panels, allowing individual fields to be directly edited via a separate page or, if it is enabled, the Overlay module. The module doesn't sufficiently verify the user has access to modify the entity the field is...
SA-CONTRIB-2014-040 - Skeleton theme - Cross Site Scripting
The Skeleton theme is a responsive Drupal theme, built upon the Skeleton Boilerplate. The Skeleton theme does not properly sanitize theme settings before they are used in the output of a page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...