Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2011/08/31 12:0 a.m.11 views

SA-CONTRIB-2011-038 - Taxonomy Views Integrator - Cross Site Scripting

This module enables you to override whole vocabularies or individual terms with the View of your choice. The module did not filter user entered term descriptions for Cross Site Scripting XSS injections. This vulnerability is mitigated by the fact that an attacker must have a role with the...

6.2AI score
Exploits0References10
Drupal
Drupal
added 2011/06/08 12:0 a.m.11 views

SA-CONTRIB-2011-022 - Cosign - SQL Injection

Under certain conditions the module deletes uid 1 and then does an unparameterized dbquery to insert a new uid 1. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer site configuration" and must be able to remotely manipulate the web serve...

6.8AI score
Exploits0References8
Drupal
Drupal
added 2011/06/08 12:0 a.m.11 views

SA-CONTRIB-2011-023 - Prepopulate - Multiple vulnerabilities

The Prepopulate module enables pre-populating forms in Drupal using the $REQUEST vairable. The module does not adequately validate user input leading to an cross-site scripting XSS possibility in certain circumstances. Users privileged to use forms with certain form fields can insert arbitrary HT...

5.8AI score
Exploits0References11
Drupal
Drupal
added 2011/02/16 12:0 a.m.11 views

SA-CONTRIB-2011-010 - Messaging - Cross Site Scripting

The Messaging module is a Framework to allow message sending in a channel independent way. It provides a common API for message composition and sending while allowing plug-ins for multiple messaging methods. The module does not sanitize some of the user-supplied data before displaying it, leading...

6.1AI score
Exploits0References9
Drupal
Drupal
added 2011/02/02 12:0 a.m.11 views

SA-CONTRIB-2011-006 - Flag Page - Cross Site Scripting (XSS)

The contributed flag page module provides an additional flag type to allow you to flag pages so you can bookmark any URL on your site including views, panels, administration pages or site contact page. The module does not sanitize the flag titles when displayed in blocks, leading to a Cross-Site...

5.9AI score
Exploits0References10
Drupal
Drupal
added 2010/12/15 12:0 a.m.11 views

SA-CONTRIB-2010-111 - Views - Cross Site Scripting

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content are presented. Under certain circumstances, Views could display parts of the page path without escaping, resulting in a relected Cross Site Scripting XSS vulnerability. An attacker cou...

6.2AI score
Exploits0References7
Drupal
Drupal
added 2010/09/15 12:0 a.m.11 views

SA-CONTRIB-2010-093 - Advanced Taxonomy Blocks - Multiple Vulnerabilities

Advanced Taxonomy Blocks makes use of the JQuery menu module to create extremely customizable blocks for browsing through single hierarchy taxonomies. The module contained Cross Site Scripting vulnerabilities which could allow a malicious user with one of several non-default permissions to inject...

7AI score
Exploits0References6
Drupal
Drupal
added 2010/07/07 12:0 a.m.11 views

SA-CONTRIB-2010-072: Hierarchical Select - Cross Site Scripting

The Hierarchical Select module provides a "hierarchicalselect" form element, which is a greatly enhanced way for letting the user select items in a taxonomy. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability that...

6.1AI score
Exploits0References8
Drupal
Drupal
added 2010/07/07 12:0 a.m.11 views

SA-CONTRIB-2010-071 - MultiSafepay Integration - Cross Site Request Forgery

The MultiSafepay Integration module provides integration between the Ubercart e-commerce solution and the MultiSafepay payment system. The module is vulnerable to Cross Site Request Forgeries CSRF which would allow a malicious user to alter the status of orders or to trick other users into alteri...

7.3AI score
Exploits0References7
Drupal
Drupal
added 2010/05/05 12:0 a.m.11 views

SA-CONTRIB-2010-040: FileField - Access Bypass

FileField provides a file upload field for CCK, allowing files to be attached to a node. FileField intends to set a default extension of "txt" for all new fields, but may actually save an empty string allowing all extensions if an administrator does not save the field configuration page after...

7.3AI score
Exploits0References5
Drupal
Drupal
added 2010/05/05 12:0 a.m.11 views

SA-CONTRIB-2010-039: CCK TableField - Cross Site Scripting

The CCK TableField module provides a generic method to attach tabular data to a node. CCK TableField does not sanitize table headers before output, allowing anyone with permissions to create or edit a node containing one or more TableField fields to insert arbitrary HTML and script code. Such a...

6AI score
Exploits0References8
Drupal
Drupal
added 2010/03/17 12:0 a.m.12 views

SA-CONTRIB-2010-029: Keys - Cross-site Request Forgery

The Keys module provides management of various API keys. The module is vulnerable to cross-site request forgeries CSRF via the keys delete form. This would allow a malicious user to trick an admin with the "administer keys" permission into deleting keys by directing them to the url via link or...

7.1AI score
Exploits0References6
Drupal
Drupal
added 2010/02/03 12:0 a.m.11 views

SA-CONTRIB-2010-014 - Node Export - Arbitrary code execution

The Node export module allows users to export and import nodes. Node export does not warn administrators that users with the "access administration pages" permission together with the "import nodes" permission can execute arbitrary PHP statements during the import operation. Versions affected Nod...

7.7AI score
Exploits0References6
Drupal
Drupal
added 2010/01/20 12:0 a.m.11 views

SA-CONTRIB-2010-008 - Recent Comments - Cross Site Scripting

Recent Comments module provides a high-performance, fully themable block of recent comments. This release includes a fix for a cross-site scripting XSS vulnerability in which JavaScript could be inserted in the title of the Recent Comments block via a custom block title interface. This custom tit...

5.9AI score
Exploits0References7
Drupal
Drupal
added 2009/12/23 12:0 a.m.11 views

SA-CONTRIB-2009-113 - FAQ - Cross Site Scripting

The Frequently Asked Questions faq module allows users, with the appropriate permissions, to create question and answer pairs which are displayed on the 'faq' page, and in the random and recent FAQ blocks. The module does not sanitize some of the user-supplied data before displaying it, leading t...

6.2AI score
Exploits0References6
Drupal
Drupal
added 2009/11/18 12:0 a.m.11 views

SA-CONTRIB-2009-108 - Gallery Assist - Cross Site Scripting

The Gallery Assist module provides a simple way to create image galleries on a site. The module does not sanitize node titles, leading to a Cross Site Scripting XSS vulnerability. Versions affected Gallery Assist module for Drupal 6.x prior to Gallery Assist 6.x-1.7 Drupal core is not affected. I...

6.3AI score
Exploits0References6
Drupal
Drupal
added 2009/11/18 12:0 a.m.11 views

SA-CONTRIB-2009-103 - Strongarm - Cross Site Scripting

The Strongarm module enables other modules to enforce variable settings programmatically. It can also be used to override any of these variables, and lets the administrator see which variables have been overridden, along with their current values. When using the settings page to see overridden...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2009/11/11 12:0 a.m.11 views

SA-CONTRIB-2009-101 - Web Services - Access Bypass

The Web Services module provides an API for other sites to communicate with a Drupal site, enabling the publishing of content, change of user information, or simply integration of a Flash application. The module fails to implement proper access checks, leading to an Access Bypass vulnerability...

7.2AI score
Exploits0References3
Drupal
Drupal
added 2009/11/11 12:0 a.m.11 views

SA-CONTRIB-2009-100 - AddToAny - Cross Site Scripting

AddToAny module provides a share button for AddToAny service for social networks. The module fails to sanitize a value in node title, leading to a Cross Site Scripting XSS vulnerability. Versions affected AddToAny module for Drupal 6.x prior to AddToAny 6.x-2.4 AddToAny module for Drupal 5.x prio...

6.3AI score
Exploits0References7
Drupal
Drupal
added 2009/11/11 12:0 a.m.11 views

SA-CONTRIB-2009-099 - RootCandy Theme - Cross Site Scripting

RootCandy is a theme specifically designed for use in the administration section. The theme fails to sanitize a URL value, leading to a Cross Site Scripting XSS vulnerability. Versions affected RootCandy theme for Drupal 6.x prior to RootCandy 6.x-1.5 Drupal core is not affected. If you do not us...

6.3AI score
Exploits0References5
Drupal
Drupal
added 2009/10/21 12:0 a.m.11 views

SA-CONTRIB-2009-078 - Moodle Course List - SQL Injection

The Moodle Course List module provides a block which displays links to a user's Moodle courses. In some cases the module does not properly sanitize user input, leading to a SQL Injection SQL Injection vulnerability. Such an attack may lead to a malicious user gaining full administrative access...

8.3AI score
Exploits0References6
Drupal
Drupal
added 2009/10/21 12:0 a.m.11 views

SA-CONTRIB-2009-079 - vCard - Cross Site Scripting

The vCard module adds a vCard download link to every user's profile. This link makes it easy to add users from a Drupal site to a local address book. When the themevcard function is added to a theme and default content from the vCard module is output, the site will be vulnerable to Cross Site...

6.1AI score
Exploits0References7
Drupal
Drupal
added 2009/09/30 12:0 a.m.11 views

SA-CONTRIB-2009-064 - Bibliography module - Cross Site Scripting

The Bibliography module also known as Biblio allows users manage and display lists of scholarly publications. The Biblio module creates customized views in order to display these listings, and these listings contain text entered by users with the 'create biblio' permission. In some cases, the...

6AI score
Exploits0References6
Drupal
Drupal
added 2009/09/30 12:0 a.m.11 views

SA-CONTRIB-2009-065 - Browscap - Cross Site Scripting

The Browscap module provides a way to identify the visitors to your site based on the user agent in their browser. It can also record these user agent strings and provide reports about them. When displaying reports about visitors, the module does not properly sanitize the user agent strings befor...

6AI score
Exploits0References9
Drupal
Drupal
added 2009/09/23 12:0 a.m.11 views

SA-CONTRIB-2009-061 - Markdown Preview - Cross Site Scripting

The Markdown Preview module provides a live preview pane that displays the rendered HTML output of your Markdown input. When displaying the live preview, the module does not properly escape user entered data, leading to a cross-site scripting XSS vulnerability. Such an attack may lead to a...

6.2AI score
Exploits0References8
Drupal
Drupal
added 2009/06/10 12:0 a.m.11 views

SA-CONTRIB-2009-038 - Nodequeue - Multiple vulnerabilities

The Nodequeue module enables an administrator to arbitrarily put nodes in a group for some purpose, such as providing a listing of nodes or featuring a particular node. It suffers from a cross-site scripting XSS vulnerability due to not properly sanitizing vocabulary names before they are...

5.4AI score
Exploits0References8
Drupal
Drupal
added 2009/05/13 12:0 a.m.11 views

SA-CONTRIB-2009-028 - Feed Block - Cross Site Scripting

The Feed Block module creates a block with one externalsyndicated article for each feed source from selected feed category. Feed block doesn't properly escapes aggregator items allowing users with administer news feeds permission to inject arbitrary code into the site. Such a cross site scripting...

6.3AI score
Exploits0References6
Drupal
Drupal
added 2009/04/15 12:0 a.m.11 views

SA-CONTRIB-2009-021 CCK comment reference - Cross site scripting

CCK comment reference project, lets administrators define node fields that are references to comments. When displaying a node edit form, the titles of candidate referenced comments are not properly filtered, allowing malicious users to inject arbitrary code on those pages. Such a cross site...

6.4AI score
Exploits0References5
Drupal
Drupal
added 2009/03/18 12:0 a.m.11 views

SA-CONTRIB-2009-011 Tasklist - SQL injection and Cross site scripting

Tasklist does not properly use the Drupal database API and inserts values from the URL directly into queries. This can be exploited to perform SQL Injection attacks. These attacks may lead to a malicious user gaining full administrator access. In addition, Tasklist allows users to add CSS to page...

7AI score
Exploits0References7
Drupal
Drupal
added 2008/11/26 12:0 a.m.11 views

SA-2008-071 - User Karma - Multiple vulnerabilities

The User Karma module displays and manages karma points of users. How karma points are calculated is defined by other modules which hook into the User Karma module. Unfortunately the User Karma module allows administrators to enter a list of content types and voting API values which are then used...

7.1AI score
Exploits0References7
Drupal
Drupal
added 2008/10/08 12:0 a.m.11 views

SA-2008-062 - SIOC - access bypass

The SIOC Semantically-Interconnected Online Communities project is an open specification for describing communities using online discussion forums or blogs, the module allows Drupal sites to attach metadata to users, posts, comments etc. in line with this specification. The module doesn't impleme...

7.1AI score
Exploits0References6
Drupal
Drupal
added 2008/10/08 12:0 a.m.11 views

SA-2008-063 - multiple third party modules - Access bypass due to incorrect Drupal 6 updates

Several contributed modules were incorrectly updated for the Drupal 6.x menu system in such a way that the intended access controls are likely to be by-passed by unprivileged users. In some cases, this includes access to the administrative functions of these modules, or access to content the user...

7.1AI score
Exploits0References13
Drupal
Drupal
added 2008/10/01 12:0 a.m.11 views

SA-2008-059 - Brilliant Gallery - SQL Injection and Cross Site Scripting

The Brilliant Gallery module allows users to publish photos in galleries. Two vulnerabilities were found in the module. SQL Injection Brilliant Gallery does not properly use the Drupal database API and inserts values from URLs directly into queries. This can be exploited to perform SQL Injection...

7.3AI score
Exploits0References5
Drupal
Drupal
added 2008/09/24 12:0 a.m.11 views

SA-2008-055 - Stock - Cross site scripting

The stock module provides the ability to query price quotes and trading volumes from various stock markets. An oversight in the menu permissions code allows any user to change the text of the heading at the top of the stock quotes page. As this text is not escaped, it is safe only for an...

6AI score
Exploits0References5
Drupal
Drupal
added 2008/09/24 12:0 a.m.11 views

SA-2008-056 - Simplenews - Cross site scripting

Simplenews publishes and sends newsletters to lists of subscribers. Newsletter categories are not always properly escaped. This allows users with the "administer taxonomy" permission to add arbitrary HTML and script code to the site. Wikipedia has more information about such cross site scripting...

5.9AI score
Exploits0References6
Drupal
Drupal
added 2008/09/17 12:0 a.m.11 views

SA-2008-049 - Talk - Multiple vulnerabilities

The Talk module for Drupal 5.x and 6.x creates a "Talk" tab for nodes in which the comments belonging to the node are displayed. Two vulnerabilities and weaknesses were discovered in the contributed Talk module. Cross site scripting The node title is treated as if it was safe text, and is not...

6AI score
Exploits0References6
Drupal
Drupal
added 2008/07/02 12:0 a.m.11 views

SA-2008-041 - Taxonomy autotagger - Multiple vulnerabilities

The Taxonomy Autotagger will automatically tag a post with terms from a vocabulary if the terms are found in the content of the post. The module does not properly use Drupal's database API and inserts values supplied by users directly into queries. This can be exploited by malicious users with th...

7.5AI score
Exploits0References7
Drupal
Drupal
added 2008/07/02 12:0 a.m.11 views

SA-2008-042 - Tinytax - Cross site scripting

The Tinytax taxonomy block displays a vocabulary as a tree within a block. The module displays certain values without appropriate filtering. Malicious users with the permission to create taxonomy terms are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cro...

6.1AI score
Exploits0References5
Drupal
Drupal
added 2008/07/02 12:0 a.m.11 views

SA-2008-043 - Outline designer - Privilege escalation

The Outline designer module provides a visual way of structuring content in books. A programming error in the module causes the current user to become authenticated as the author of the viewed content item. Versions affected Outline designer for Drupal 5.x prior to 5.x-1.4. Drupal core is not...

6.8AI score
Exploits0References3
Drupal
Drupal
added 2008/06/11 12:0 a.m.11 views

SA-2008-034 - Node Hierarchy - Access bypass

The contributed module Node Hierarchy allows nodes to be children of other nodes creating a tree-like hierarchy of content. Due to incorrectly implemented access checks, any user with the "access content" permission is able to rearrange the hierarchy. No private data is exposed, and no content ca...

6.9AI score
Exploits0References5
Drupal
Drupal
added 2008/04/02 12:0 a.m.11 views

SA-2008-023 - Ubercart - Cross site scripting

During checkout in Ubercart enabled stores, customers have text fields in which to enter their address and order information. Some stores will have modules enabled that restrict what sort of values are accepted in these fields, but this is not the case for everyone. This provides an opportunity f...

6.5AI score
Exploits0References4
Drupal
Drupal
added 2008/04/02 12:0 a.m.11 views

SA-2008-022 - Flickr - Cross site scripting

The Flickr module allows one to access photos on one's site via the Flickr API. The module provides a filter for inserting photos and photosets and blocks for a user's recent photos and photosets. Several values are displayed without being escaped, which enables users to inject arbitrary HTML and...

7AI score
Exploits0References5
Drupal
Drupal
added 2008/01/30 12:0 a.m.11 views

SA-2008-016 - OpenID - Incorrect claimed_id returned for OpenID 2.0

The OpenID module has a vulnerability which allows OpenID version 2.0 positive assertions that are not properly verified to return an invalid or impersonated claimedid. To exploit this vulnerability an attacker could set up an OpenID provider, example1.com, that claimed to be the authority for...

6.9AI score
Exploits0References5
Drupal
Drupal
added 2008/01/30 12:0 a.m.11 views

SA-2008-014 - Userpoints - Cross site request forgery

Userpoints is a system for keeping track of points earned on a site. It can be used to reward users for contributions to a community and also for ecommerce transactions. The Drupal Forms API protects against cross site request forgeries CSRF, where a malicious site can cause a user to...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2007/12/05 12:0 a.m.11 views

SA-2007-032 - Shoutbox - Cross site scripting

Message sent from the Shoutbox block, where visitors can quickly post short messages, are not properly sanitized in a number of cases. This allows malicious users to inject arbitrary HTML and script code into the block. Learn more about cross site scripting on Wikipedia. Versions affected Shoutbo...

6.4AI score
Exploits0References5
Drupal
Drupal
added 2007/12/05 12:0 a.m.11 views

SA-2007-033 - Feature - CSRF

Feature is a contributed module that lets you organize and maintain a feature list by category. The Drupal Forms API protects against cross site request forgeries CSRF, where a malicous site can cause a user to unintentionally submit a form to a site where he is authenticated. The feature deletio...

6.6AI score
Exploits0References4
Drupal
Drupal
added 2007/03/08 12:0 a.m.11 views

Project issue tracking - Access bypass

If a remote user knows the node identifier of an issue that has been marked private using a node access module simpleaccess, nodeprivacybyrole, etc, they can use a specially crafted URL to view the contents of the node, regardless of their own privileges. All that is required is the "access proje...

7.2AI score
Exploits0References2
Drupal
Drupal
added 2007/02/15 12:0 a.m.11 views

Image pager - Cross site scripting

The Image Pager module uses JavaScript to collect selected images from a page and display them one at a time in a block with previous/next pager links. HTML entities are decoded by the DOM functions used by Image Pager before being reinserted into the web page for display. As a result, a maliciou...

5.9AI score
Exploits0References5
Drupal
Drupal
added 2006/12/11 12:0 a.m.11 views

Help Tip - Multiple vulnerabilities

The contributed module Help Tip bypasses Drupal's database API and uses user-supplied data unescaped in queries, allowing malicious users to execute SQL injection attacks. These attacks may lead to administrator access. Node titles are not properly sanitised before being used in block titles. Thi...

7.6AI score
Exploits0References4
Drupal
Drupal
added 2026/06/17 12:0 a.m.10 views

Formatter Field - Critical - PHP object injection - SA-CONTRIB-2026-048

The Formatter Field module provides a mechanism for specifying a formatter and formatter settings to be used for displaying a field, on a per-entity basis. formatterfield stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can...

5.9AI score0.00173EPSS
Exploits0References2
Total number of security vulnerabilities1940