Lucene search: Drupal, sorted by most viewed

1911 matches found

Drupal | added 2018/01/31 12:00 a.m. | 9 views
Sagepay - Critical - Access Bypass - SA-CONTRIB-2018-005
This module integrates the Sagepay payment service. Some of the URLs used while processing the payment are not sufficiently secured. This might allow attackers to resume a previously failed payment attempt or to view content that should only be shown after a successful payment. This affects all...
AI score 6.6 | Exploits 0 | References 5

Drupal | added 2017/12/20 12:00 a.m. | 9 views
me aliases - Highly critical - Arbitrary code execution - SA-CONTRIB-2017-097
The 'me' module provides shortcut paths to the current user's pages, e.g. user/me, blog/me, user/me/edit, tracker/me etc. The way the 'me' module handles URL arguments allows an attacker to execute arbitrary code strings...
AI score 7.6 | Exploits 0 | References 5

Drupal | added 2017/02/15 12:00 a.m. | 9 views
Metatag - Moderately Critical - Information disclosure - SA-CONTRIB-2017-019
This module enables you to add a variety of meta tags to a site for helping with a site's search engine results and to customize how content is shared on social networks. The module doesn't sufficiently protect against data being cached that might contain information related to a specific user...
AI score 6.6 | Exploits 0 | References 13

Drupal | added 2017/02/08 12:00 a.m. | 9 views
Facebook Pull - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-011
This module enables you to add integration with the Facebook API. The module doesn't sufficiently sanitize incoming data from Facebook. This vulnerability is mitigated by the fact that an attacker must be able to successfully pass malicious code through the Facebook API or alter Facebook's DNS and...
AI score 7.2 | Exploits 0 | References 14

Drupal | added 2016/11/02 12:00 a.m. | 9 views
Menu Views - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-055
This module enables users to create menu items that render views instead of links. This is useful for creating "mega-menus". The module doesn't sufficiently filter title and breadcrumb fields for possible cross-site scripting. This vulnerability is mitigated by the fact that an attacker must have...
AI score 6.9 | Exploits 0 | References 10

Drupal | added 2016/10/26 12:00 a.m. | 9 views
Tripal BLAST UI - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-054
This module enables you to run NCBI BLAST jobs on the host system. The module doesn't sufficiently validate advanced options available to users submitting BLAST jobs, thereby exposing the ability to enter a short snippet of shell code that will be executed when the BLAST job is run. This...
AI score 7.2 | Exploits 0 | References 12

Drupal | added 2016/08/17 12:00 a.m. | 9 views
Hosting - Less Critical - Access bypass - SA-CONTRIB-2016-046
The Hosting module is a core component of the Aegir Hosting System. This install profile, and accompanying suite of modules, is a hosting system that sits alongside a LAMP or LEMP server to create, deploy and manage Drupal sites. The Hosting module does not sufficiently control access to any cust...
AI score 7.2 | Exploits 0 | References 12

Drupal | added 2016/05/04 12:00 a.m. | 9 views
Open Atrium Notifications - Less Critical - Information Disclosure - SA-CONTRIB-2016-026
Open Atrium is a distribution of Drupal that allows you to build collaborative web sites. The Open Atrium Notification module adds the ability to send email notifications to users subscribed to certain content. When combined with the Open Atrium Mailhandler app, incoming email replies to...
AI score 7 | Exploits 0 | References 9

Drupal | added 2016/04/20 12:00 a.m. | 9 views
Search API - Moderately Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-022
This module enables you to build searches using a wide range of features, data sources and backends. Search index not updated by node access changes: The module doesn't sufficiently re-index nodes when using the "Node access" or "Access check" data alterations and non-standard ways of changing nod...
AI score 6.1 | Exploits 0 | References 10

Drupal | added 2016/04/06 12:00 a.m. | 9 views
HybridAuth - Less critical - Multiple vulnerabilities - SA-CONTRIB-2016-018
The HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter. Open redirect: The module doesn't verify that the "destination" redirect after a login is a non-external URL, causing an ope...
AI score 7.1 | Exploits 0 | References 11

Drupal | added 2016/03/23 12:00 a.m. | 9 views
Login one time - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-017
The Login one time module provides the ability to email one-time login links to users. The module doesn't sufficiently sanitize user input supplied to an ajax callback function. CVE identifiers issued: A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security...
AI score 7.1 | Exploits 0 | References 12

Drupal | added 2015/10/14 12:00 a.m. | 9 views
Twilio - Moderately Critical - Access bypass - SA-CONTRIB-2015-157
This module provides hooks and rules integration to leverage the Twilio API to send/receive phone calls and text messages. The module relies on existing permissions for providing administration, which can lead to untrusted users having access to perform actions that may not be intended. This...
AI score 6.9 | Exploits 0 | References 13

Drupal | added 2015/03/04 12:00 a.m. | 10 views
SA-CONTRIB-2015-073 - Trick Question - Cross Site Scripting (XSS)
Trick Question is a CAPTCHA-type spam prevention module; a lightweight, compact and simple alternative to larger and more complex modules. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. The vulnerability is...
CVSS 3.5 | AI score 6 | EPSS 0.00965 | Exploits 0 | References 11

Drupal | added 2014/09/24 12:00 a.m. | 9 views
SA-CONTRIB-2014-094 - Webform Patched - Cross Site Scripting (XSS)
The Webform Patched module is a fork of the Webform module with Token support added. The module enables you to create forms which can be used for surveys, contact forms or other data collection throughout your site. The module doesn't sufficiently sanitize field label titles when two fields have...
AI score 6.9 | Exploits 0 | References 15

Drupal | added 2014/09/17 12:00 a.m. | 9 views
SA-CONTRIB-2014-090 - Speech recognition - Multiple vulnerabilities
This module enables you to add speech recognition to forms, allowing site admins to enable experimental Speech Input API features on form inputs through the user interface. Cross Site Scripting (XSS): The module incorrectly prints fields without proper sanitization, thereby opening a Cross Site...
AI score 6.3 | Exploits 0 | References 11

Drupal | added 2014/09/17 12:00 a.m. | 9 views
SA-CONTRIB-2014-089 - Geofield Yandex Maps - Cross Site Scripting (XSS)
The Geofield Yandex Maps module provides a Geofield widget, Geofield formatter, Views handler, Form element and Text filter to allow Yandex maps to be added to a site. The module does not sufficiently filter user-supplied text, resulting in a persistent Cross Site Scripting (XSS) vulnerability. The...
AI score 6.2 | Exploits 0 | References 10

Drupal | added 2014/06/11 12:00 a.m. | 9 views
SA-CONTRIB-2014-060 - Petitions - Cross Site Request Forgery (CSRF)
This distribution enables you to build an application that lets users create and sign petitions. The contained whpetitions module doesn't sufficiently verify the intent of the user when signing a petition. A malicious user could trick another user into signing a petition they did not intend to si...
AI score 7 | Exploits 0 | References 12

Drupal | added 2014/03/05 12:00 a.m. | 9 views
SA-CONTRIB-2014-028 - Masquerade - Access bypass
This module allows a user with the right permissions to switch users. When a user has been limited to only masquerading as certain users via the "Enter the users this user is able to masquerade as" user profile field, they can still masquerade as any user on the site by using the "Enter the...
AI score 6.9 | Exploits 0 | References 11

Drupal | added 2014/02/12 12:00 a.m. | 9 views
SA-CONTRIB-2014-014 - Webform Validation - Cross Site Scripting (XSS)
The Webform Validation module enables you to add additional form validation rules to Webforms created by the Webform module. The module doesn't sufficiently filter component name text before display, opening up the possibility of cross site scripting. This vulnerability is mitigated by the fact...
AI score 6.4 | Exploits 0 | References 11

Drupal | added 2014/02/05 12:00 a.m. | 9 views
SA-CONTRIB-2014-010 - Services - Access Bypass and Privilege Escalation
The Services module enables you to expose an API to third party systems using REST, XML-RPC or other protocols. User update access bypass vulnerability: An authenticated user is able to assign additional roles to themselves, which means they can escalate their privileges by assigning an...
AI score 7 | Exploits 0 | References 14

Drupal | added 2012/08/29 12:00 a.m. | 9 views
SA-CONTRIB-2012-131 - Email Field - Access Bypass
The email module provides a field type (CCK / FieldAPI) for storing email addresses. Furthermore, it provides a formatter to output the email address as a link to a contact form. The contact form formatter allows a site visitor to email the stored address without letting them see what that e-mail...
AI score 6.7 | Exploits 0 | References 9

Drupal | added 2012/08/15 12:00 a.m. | 9 views
SA-CONTRIB-2012-127 - Custom Publishing Options - Cross Site Scripting (XSS) Vulnerability
The Custom Publishing Options module allows you to create custom publishing options for nodes. It allows you to add to the default options of Publish, Promote to Front Page, and Sticky. It also integrates with Views to allow you to add your custom options as a field, and to sort and filter by them. The module...
AI score 7 | Exploits 0 | References 9

Drupal | added 2012/08/08 12:00 a.m. | 9 views
SA-CONTRIB-2012-125 - Chaos tool suite (ctools) - Local File Inclusion and Cross Site Scripting (XSS)
The Chaos tool suite is primarily a set of APIs and tools to improve the developer experience. The module doesn't sufficiently validate CSS import statements to confirm they only include CSS content appropriate to show to end users. This could allow a malicious user to add sensitive content from...
AI score 6.6 | Exploits 0 | References 11

Drupal | added 2012/08/01 12:00 a.m. | 9 views
SA-CONTRIB-2012-119 - Excluded Users - Cross Site Scripting (XSS)
Excluded Users is a helper module which allows administrators to select users to not appear in user listings. The module displays a list of user names and email addresses without sanitizing them. In the event that someone manages to insert malicious code into a user name or email address, this...
AI score 6.2 | Exploits 0 | References 10

Drupal | added 2012/08/01 12:00 a.m. | 9 views
SA-CONTRIB-2012-120 - Monthly Archive by Node Type - Access Bypass (unsupported)
This module generates a monthly archive and block for specified node types, as well as an archive and block for whichever collection of node types you specify. The module doesn't sufficiently ensure node access for sites that use a node access system. This vulnerability is mitigated by the fact...
AI score 7 | Exploits 0 | References 8

Drupal | added 2012/05/30 12:00 a.m. | 9 views
SA-CONTRIB-2012-088 - Mobile Tools - Cross Site Scripting (XSS)
Mobile Tools provides Drupal developers with some tools to assist in making a site mobile. The module contains several persistent cross site scripting (XSS) vulnerabilities due to the fact that it fails to sanitize user supplied values before display. CVE: CVE-2012-2717. Versions affected: Mobile Too...
CVSS 4.3 | AI score 5.7 | EPSS 0.02464 | Exploits 1 | References 11

Drupal | added 2011/11/02 12:00 a.m. | 9 views
SA-CONTRIB-2011-052 - Views SQL Injection
The Views module enables you to list content in your site in various ways. The module doesn't sufficiently escape database parameters for certain filters/arguments on certain types of views with specific configurations of arguments. Versions affected: Views 6.x-2.x versions prior to 6.x-2.13 Drupa...
AI score 7.1 | Exploits 0 | References 12

Drupal | added 2011/08/31 12:00 a.m. | 9 views
SA-CONTRIB-2011-038 - Taxonomy Views Integrator - Cross Site Scripting
This module enables you to override whole vocabularies or individual terms with the View of your choice. The module did not filter user entered term descriptions for Cross Site Scripting (XSS) injections. This vulnerability is mitigated by the fact that an attacker must have a role with the...
AI score 6.2 | Exploits 0 | References 10

Drupal | added 2011/07/20 12:00 a.m. | 9 views
SA-CONTRIB-2011-030 - Devel - Cross Site Request Forgery
The devel module is designed as a tool to accelerate Drupal software development. One of its features enables a highly permissioned developer to quickly switch to another user's account, without providing credentials. The module is vulnerable to Cross Site Request Forgeries (CSRF) via the links and...
AI score 7.3 | Exploits 0 | References 12

Drupal | added 2011/06/22 12:00 a.m. | 9 views
SA-CONTRIB-2011-025 - Juitter & Download Count - Cross Site Scripting (XSS)
Two modules are being unsupported due to cross site scripting issues. The Juitter module enables you to use Juitter, a jQuery plugin, to put live Twitter search results on your site. The Juitter module contains a cross site scripting (XSS) vulnerability that can be exploited when setting up the...
AI score 5.8 | Exploits 0 | References 10

Drupal | added 2011/06/08 12:00 a.m. | 9 views
SA-CONTRIB-2011-022 - Cosign - SQL Injection
Under certain conditions the module deletes uid 1 and then does an unparameterized db_query to insert a new uid 1. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer site configuration" and must be able to remotely manipulate the web serve...
AI score 6.8 | Exploits 0 | References 8

Drupal | added 2011/03/30 12:00 a.m. | 9 views
SA-CONTRIB-2011-015 - Translation Management - Multiple Vulnerabilities
The Translation Management module helps to manage the process of translating content on your site. The module has several vulnerabilities. It doesn't sufficiently escape user text when printed to the browser nor when used in database queries, resulting in Cross Site Scripting (XSS) and SQL Injectio...
AI score 7.7 | Exploits 0 | References 10

Drupal | added 2010/06/16 12:00 a.m. | 9 views
SA-CONTRIB-2010-065 - Content Construction Kit (CCK) - Access Bypass
The Content Construction Kit (CCK) project is a set of modules that allows you to add custom fields to nodes using a web browser. The CCK "Node Reference" module can be configured to display referenced nodes as hidden, title, teaser or full view. Node access was not checked when displaying these...
AI score 7 | Exploits 0 | References 10

Drupal | added 2010/05/26 12:00 a.m. | 9 views
SA-CONTRIB-2010-060 - Scheduler - Cross Site Scripting
Scheduler allows nodes to be published and unpublished on specified dates. Scheduler does not sanitize titles for unpublished nodes on the scheduled nodes overview list, leading to a Cross Site Scripting (XSS) vulnerability that may lead to a malicious user gaining full administrative access. The...
AI score 6.2 | Exploits 0 | References 8

Drupal | added 2010/05/19 12:00 a.m. | 9 views
SA-CONTRIB-2010-054 - Storm - Cross Site Scripting (XSS)
The Storm project provides a group of modules for project management and billing. The module displays data entered by users without sanitising it, allowing for a cross site scripting (XSS) attack that may lead to a malicious user gaining full administrative access. Versions affected: Storm project f...
AI score 6 | Exploits 0 | References 6

Drupal | added 2010/05/19 12:00 a.m. | 9 views
SA-CONTRIB-2010-059: Panels - Arbitrary PHP code execution
The Panels module allows a site administrator to create customized layouts for multiple uses. The "Mini panels" module, included with Panels, was found to have an arbitrary PHP code execution vulnerability. Users with the 'create mini panels' permission could execute arbitrary PHP code on the...
AI score 8 | Exploits 0 | References 3

Drupal | added 2010/05/12 12:00 a.m. | 9 views
SA-CONTRIB-2010-047: Services - Access Bypass
The Services module allows users to expose Drupal functionality to remote users. Services provides the ability for developers to define access callbacks in code for exposed services. When using session ID authentication without API key authentication, the module does not properly check access whe...
AI score 7.6 | Exploits 0 | References 6

Drupal | added 2010/05/12 12:00 a.m. | 9 views
SA-CONTRIB-2010-046: Award - Cross Site Scripting
The Award module allows administrators to identify one or more content types as "awards" that can be granted to users. When the title of an award is displayed on a user's profile page it is not properly sanitized, resulting in a cross site scripting vulnerability. Attackers must have the permissi...
AI score 6.3 | Exploits 0 | References 7

Drupal | added 2010/03/17 12:00 a.m. | 10 views
SA-CONTRIB-2010-029: Keys - Cross-site Request Forgery
The Keys module provides management of various API keys. The module is vulnerable to cross-site request forgeries (CSRF) via the keys delete form. This would allow a malicious user to trick an admin with the "administer keys" permission into deleting keys by directing them to the URL via a link or...
AI score 7.1 | Exploits 0 | References 6

Drupal | added 2010/02/17 12:00 a.m. | 9 views
SA-CONTRIB-2010-018 - Content Distribution - Multiple Vulnerabilities
The Content Distribution module allows calling a method to delete particular nodes using an XML-RPC call. When this method is allowed to be called by anonymous users in user permissions, an attacker might delete a random node. In addition, certain actions require Content Distribution to temporarily...
AI score 6.9 | Exploits 0 | References 4

Drupal | added 2010/01/13 12:00 a.m. | 9 views
SA-CONTRIB-2010-004 - Node block - Cross site scripting
This module allows you to specify content types as being a block. This allows the content managers of the site to edit the block text and title without having to access the block administration page. Users only need edit access to that node in order to edit it. Users with administer block access...
AI score 6.3 | Exploits 0 | References 5

Drupal | added 2009/11/18 12:00 a.m. | 9 views
SA-CONTRIB-2009-107 - Ubercart - Access bypass, Cross site request forgery
Ubercart's PayPal Website Payments Standard integration exposes a path for completed orders without properly checking that the order is valid for the current user. In the event that the order has already been processed for checkout, this can result in duplicate actions taking place inadvertently...
AI score 6.7 | Exploits 0 | References 6

Drupal | added 2009/11/18 12:00 a.m. | 9 views
SA-CONTRIB-2009-109 - Printfriendly - Cross Site Scripting
The Printfriendly module integrates with printfriendly.com's print service. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability. Versions affected: Printfriendly module for Drupal 6.x prior to Printfriendly 6.x-1.6...
AI score 6.3 | Exploits 0 | References 6

Drupal | added 2009/11/11 12:00 a.m. | 9 views
SA-CONTRIB-2009-100 - AddToAny - Cross Site Scripting
The AddToAny module provides a share button for the AddToAny service for social networks. The module fails to sanitize a value in the node title, leading to a Cross Site Scripting (XSS) vulnerability. Versions affected: AddToAny module for Drupal 6.x prior to AddToAny 6.x-2.4; AddToAny module for Drupal 5.x prio...
AI score 6.3 | Exploits 0 | References 7

Drupal | added 2009/11/11 12:00 a.m. | 9 views
SA-CONTRIB-2009-101 - Web Services - Access Bypass
The Web Services module provides an API for other sites to communicate with a Drupal site, enabling the publishing of content, change of user information, or simply integration of a Flash application. The module fails to implement proper access checks, leading to an Access Bypass vulnerability...
AI score 7.2 | Exploits 0 | References 3

Drupal | added 2009/10/14 12:00 a.m. | 9 views
SA-CONTRIB-2009-072 - RealName - Cross Site Scripting
The RealName module allows the administrator to choose fields from the user profile that will be used to add a "real name" element to a user object. In some specific cases, the module does not sanitize before outputting the realname, resulting in a cross-site scripting (XSS) vulnerability...
AI score 6 | Exploits 0 | References 5

Drupal | added 2009/09/30 12:00 a.m. | 9 views
SA-CONTRIB-2009-066 - Organic Groups - Cross Site Scripting
The Organic Groups (OG) module provides a way to organize users and content into groups. When displaying group nodes, the module does not properly sanitize all user-entered text, leading to a cross-site scripting (XSS) vulnerability. Users with permission to create or edit group nodes, which may be a...
AI score 6 | Exploits 0 | References 5

Drupal | added 2009/09/23 12:00 a.m. | 9 views
SA-CONTRIB-2009-061 - Markdown Preview - Cross Site Scripting
The Markdown Preview module provides a live preview pane that displays the rendered HTML output of your Markdown input. When displaying the live preview, the module does not properly escape user entered data, leading to a cross-site scripting (XSS) vulnerability. Such an attack may lead to a...
AI score 6.2 | Exploits 0 | References 8

Drupal | added 2009/09/23 12:00 a.m. | 9 views
SA-CONTRIB-2009-062 - Devel - Cross Site Scripting
The Devel module contains many useful developer functions, such as a query log and the display of variables. When using the variable editor, the module does not properly sanitize the output of the variable name before display, leading to a cross-site scripting (XSS) vulnerability. Such an attack ma...
AI score 6.1 | Exploits 0 | References 7

Drupal | added 2009/09/16 12:00 a.m. | 9 views
SA-CONTRIB-2009-059 - OpenID - Multiple vulnerabilities
The contributed OpenID module for Drupal 5 allows users to create an account or log into a Drupal site using one or more OpenID identities. The module does not correctly implement the Form API for the form that allows one to link user accounts with OpenID identifiers. A malicious user is therefore ab...
AI score 7.3 | Exploits 0 | References 7

Total number of security vulnerabilities: 1911