Drupal security advisories, sorted by most viewed (1911 matches found)

Drupal | added 2009/09/23

SA-CONTRIB-2009-061 - Markdown Preview - Cross Site Scripting

The Markdown Preview module provides a live preview pane that displays the rendered HTML output of your Markdown input. When displaying the live preview, the module does not properly escape user entered data, leading to a cross-site scripting (XSS) vulnerability. Such an attack may lead to a...

AI score: 6.2 | Exploits: 0 | References: 8

Drupal | added 2009/09/23

SA-CONTRIB-2009-062 - Devel - Cross Site Scripting

The Devel module contains many useful developer functions, such as a query log and the display of variables. When using the variable editor, the module does not properly sanitize the output of the variable name before display, leading to a cross-site scripting (XSS) vulnerability. Such an attack ma...

AI score: 6.1 | Exploits: 0 | References: 7

Drupal | added 2009/09/16

SA-CONTRIB-2009-059 - OpenID - Multiple vulnerabilities

The contributed OpenID module for Drupal 5 allows users to create an account or log into a Drupal site using one or more OpenID identities. The module does not correctly implement Form API for the form that allows one to link user accounts with OpenID identifiers. A malicious user is therefore ab...

AI score: 7.3 | Exploits: 0 | References: 7

Drupal | added 2009/08/19

SA-CONTRIB-2009-052 - Printer, e-mail and PDF versions - Cross site scripting

The Printer, e-mail and PDF versions ("Print") module provides printer-friendly versions of content. The module doesn't properly escape a number of user-supplied variables before output. A user who has the permission to add content could attempt a cross site scripting (XSS) attack which may in some...

AI score: 6 | Exploits: 0 | References: 9

Drupal | added 2009/06/10

SA-CONTRIB-2009-035 - Booktree - Cross site scripting

Booktree takes as input a series of Book nodes and creates a tree-like structure using Book node relationships. The Booktree module does not properly escape node title and node body on tree root pages. A user with privileges to create book pages could attempt a cross site scripting (XSS) attack which...

AI score: 6.1 | Exploits: 0 | References: 8

Drupal | added 2009/06/03

SA-CONTRIB-2009-033 - Quiz - Cross site scripting

The Quiz module provides tools for authoring and administering quizzes through Drupal. A quiz is given as a series of questions, with only one question appearing per page. Scores are then stored in the database. The module does not properly escape user-supplied data on some pages, allowing...

AI score: 5.9 | Exploits: 0 | References: 8

Drupal | added 2009/04/29

SA-CONTRIB-2009-022 - Exif - Cross Site Scripting

The Exif module enables users to display EXIF tags in images on the site. EXIF tags are not properly filtered for HTML input, allowing users with permission to upload images to inject arbitrary code into the site using a specially crafted image. Such a cross site scripting (XSS) attack may lead to ...

AI score: 6.3 | Exploits: 0 | References: 9

Drupal | added 2009/04/15

SA-CONTRIB-2009-021 - CCK comment reference - Cross site scripting

The CCK comment reference project lets administrators define node fields that are references to comments. When displaying a node edit form, the titles of candidate referenced comments are not properly filtered, allowing malicious users to inject arbitrary code on those pages. Such a cross site...

AI score: 6.4 | Exploits: 0 | References: 5

Drupal | added 2009/03/26

SA-CONTRIB-2009-018 - Feed element mapper - Cross site scripting

Feed element mapper is an add-on module for FeedAPI that maps elements on a feed item, such as tags or the author name, to taxonomy or CCK fields. These mappings are configurable by point and click. The module does not escape content titles, enabling malicious users to insert arbitrary HTML and...

AI score: 6 | Exploits: 0 | References: 7

Drupal | added 2009/03/18

SA-CONTRIB-2009-013 - CCK - Cross site scripting

The Node reference and User reference sub-modules, which are part of the Content Construction Kit (CCK) project, let administrators define node fields that are references to other nodes or to users. When displaying a node edit form, the titles of candidate referenced nodes or names of candidate...

AI score: 6.3 | Exploits: 0 | References: 5

Drupal | added 2008/11/05

SA-2008-069 - CCK for 5.x and 6.x - XSS vulnerabilities

The Content Construction Kit (CCK) allows certain privileged users to add custom fields to content types using a web browser. Some field labels and content-type names are displayed without appropriate filtering in the administrative interface. Malicious users with the "administer content" permissio...

AI score: 6 | Exploits: 0 | References: 3

Drupal | added 2008/09/17

SA-2008-049 - Talk - Multiple vulnerabilities

The Talk module for Drupal 5.x and 6.x creates a "Talk" tab for nodes in which the comments belonging to the node are displayed. Two vulnerabilities and weaknesses were discovered in the contributed Talk module. Cross site scripting: the node title is treated as if it was safe text, and is not...

AI score: 6 | Exploits: 0 | References: 6

Drupal | added 2008/07/02

SA-2008-042 - Tinytax - Cross site scripting

The Tinytax taxonomy block displays a vocabulary as a tree within a block. The module displays certain values without appropriate filtering. Malicious users with the permission to create taxonomy terms are able to exploit this issue and insert arbitrary HTML and script code into pages. Such a cro...

AI score: 6.1 | Exploits: 0 | References: 5

Drupal | added 2008/06/11

SA-2008-034 - Node Hierarchy - Access bypass

The contributed module Node Hierarchy allows nodes to be children of other nodes, creating a tree-like hierarchy of content. Due to incorrectly implemented access checks, any user with the "access content" permission is able to rearrange the hierarchy. No private data is exposed, and no content ca...

AI score: 6.9 | Exploits: 0 | References: 5

Drupal | added 2008/04/23

SA-2008-027 - Ubercart - Cross site scripting

When certain product features were being edited, node titles were being printed to the screen as entered by the user. If a store owner had granted product creation rights to a non-secure user, this would provide an opportunity for a malicious user to perform a cross site scripting attack when...

AI score: 6.6 | Exploits: 0 | References: 4

Drupal | added 2008/04/09

SA-2008-025 - Simple access - Access bypass

The Simple Access module is a node access module that allows administrators to make some nodes private and/or editable by certain user roles. The module contains a flaw that results in the privacy information for a node being lost under certain conditions. These conditions are usually triggered v...

AI score: 6.8 | Exploits: 0 | References: 6

Drupal | added 2008/01/30

SA-2008-016 - OpenID - Incorrect claimed_id returned for OpenID 2.0

The OpenID module has a vulnerability which allows OpenID version 2.0 positive assertions that are not properly verified to return an invalid or impersonated claimed_id. To exploit this vulnerability an attacker could set up an OpenID provider, example1.com, that claimed to be the authority for...

AI score: 6.9 | Exploits: 0 | References: 5

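The relying-party check that the SA-2008-016 class of bug omits is spelled out in OpenID 2.0 section 11.2 (Verifying Discovered Information): the OP endpoint that signed the positive assertion must be the one that discovery on the claimed_id names, and claimed_id and identity must be among the signed fields, otherwise any provider the relying party has associated with can assert any identifier. The following is an added example written for this page, not the Drupal OpenID module's code. Discovery is simulated with a constructed table instead of Yadis/HTML discovery, the association signature is reduced to a shared-secret HMAC so the file runs offline, and the hostnames, association handles, secrets and nonces are all constructed.

```python
"""Relying-party checks on an OpenID 2.0 positive assertion.

Added example, not the Drupal OpenID module's code. Discovery is
simulated with a constructed table, the association signature is a
shared-secret HMAC, and all hostnames, handles and secrets are constructed.
"""
import hashlib
import hmac
from urllib.parse import urlparse

RP_HOST = "rp.example.net"

# Constructed discovery results: claimed identifier -> the OP endpoint
# that is authoritative for it (what a real RP learns by fetching the URL).
DISCOVERY = {
    "https://alice.example.org/": "https://op.example.org/endpoint",
}

# Constructed association secrets, keyed by (op_endpoint, assoc_handle).
# The RP legitimately holds an association with example1.com too: an
# attacker can always stand up an OP and obtain one.
ASSOCIATIONS = {
    ("https://op.example.org/endpoint", "assoc-1"): b"secret-op-example",
    ("https://example1.com/openid", "assoc-evil"): b"secret-example1",
}

SIGNED_FIELDS = ["op_endpoint", "return_to", "response_nonce",
                 "assoc_handle", "claimed_id", "identity"]


def key_value_form(fields, signed):
    # OpenID 2.0 signs the key:value form of the listed fields, in order.
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()


def signature(fields, secret):
    signed = fields["signed"].split(",")
    return hmac.new(secret, key_value_form(fields, signed), hashlib.sha256).hexdigest()


def make_assertion(op_endpoint, assoc_handle, claimed_id, nonce):
    """Build a signed id_res message the way an OP would (constructed helper)."""
    fields = {
        "mode": "id_res",
        "op_endpoint": op_endpoint,
        "return_to": f"https://{RP_HOST}/openid/return",
        "response_nonce": nonce,
        "assoc_handle": assoc_handle,
        "claimed_id": claimed_id,
        "identity": claimed_id,
        "signed": ",".join(SIGNED_FIELDS),
    }
    fields["sig"] = signature(fields, ASSOCIATIONS[(op_endpoint, assoc_handle)])
    return fields


def verify_assertion(fields, seen_nonces):
    """Return (ok, reason). `fields` are the openid.* parameters without prefix."""
    if fields.get("mode") != "id_res":
        return False, "not a positive assertion"
    if not set(SIGNED_FIELDS) <= set(fields.get("signed", "").split(",")):
        return False, "required fields not covered by signature"
    if urlparse(fields["return_to"]).netloc != RP_HOST:
        return False, "return_to is not ours"
    op = fields["op_endpoint"]
    secret = ASSOCIATIONS.get((op, fields["assoc_handle"]))
    if secret is None:
        return False, "unknown association"
    if not hmac.compare_digest(signature(fields, secret), fields["sig"]):
        return False, "bad signature"
    # The check this advisory class is about: the OP that signed must be
    # the OP that discovery on claimed_id names.
    if DISCOVERY.get(fields["claimed_id"]) != op:
        return False, "op_endpoint is not authoritative for claimed_id"
    nonce = fields["response_nonce"]
    if nonce in seen_nonces:
        return False, "response_nonce already used"
    seen_nonces.add(nonce)
    return True, "ok"


def demo():
    seen = set()
    honest = make_assertion("https://op.example.org/endpoint", "assoc-1",
                            "https://alice.example.org/", "2008-01-30T00:00:01Zaaa")
    # example1.com signs correctly with its own association but asserts
    # alice's identifier, for which it is not authoritative.
    impersonation = make_assertion("https://example1.com/openid", "assoc-evil",
                                   "https://alice.example.org/", "2008-01-30T00:00:02Zbbb")
    return {
        "honest": verify_assertion(honest, seen),
        "impersonation": verify_assertion(impersonation, seen),
        "replay": verify_assertion(honest, seen),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} {result}")
```

The order of checks matters: the signature is verified first so that the discovery comparison runs on fields the OP actually signed, and the nonce is consumed last so that a rejected assertion does not burn a nonce an honest one might still present.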
Drupal | added 2008/01/10

SA-2008-003 - BUEditor - CSRF

BUEditor is a plain textarea editor aiming to facilitate code writing. It supports a completely customizable interface and button functionality via role-based editors. The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicious site can cause a user to unintentionally...

AI score: 6.9 | Exploits: 0 | References: 5

Drupal | added 2007/12/05

SA-2007-033 - Feature - CSRF

Feature is a contributed module that lets you organize and maintain a feature list by category. The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicious site can cause a user to unintentionally submit a form to a site where they are authenticated. The feature deletio...

AI score: 6.6 | Exploits: 0 | References: 4

Drupal | added 2007/09/27

SA-2007-021: Project issue tracking - XSS vulnerabilities in subscription forms

The Project issue tracking module provides a subscription functionality enabling users to sign up for e-mail notification of issue updates. The subscriptions can be edited on both an individual or overview form. Users who have permissions to create or edit projects may be able to inject arbitrary...

AI score: 6.7 | Exploits: 0 | References: 7

Drupal | added 2026/06/03

TacJS - Moderately critical - Improper Access Control - SA-CONTRIB-2026-040

This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied markup inside of content, leading to an attacker being able to delete arbitrary cookies. This vulnerability is mitigated by the fact that an attacker needs ...

AI score: 5.9 | Exploits: 0 | References: 2

Drupal | added 2026/04/08

Orejime - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-032

The IframeConsent element writes HTML attributes without escaping their value. This module has an XSS vulnerability. If an attacker is able to write the element's tag, they may be able to insert arbitrary JavaScript. This vulnerability is mitigated by the fact that a text format that allows iframe-consent HT...

CVSS: 6.1 | AI score: 5.9 | EPSS: 0.00196 | Exploits: 0 | References: 1

Drupal | added 2026/01/14

Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002

This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the "administer permissions" permission. The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. A user...

CVSS: 8.8 | AI score: 5.4 | EPSS: 0.00221 | Exploits: 0 | References: 1

Drupal | added 2025/12/03

Mini site - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-117

This module allows uploading a zip file and extracting its content in the public file directory to serve this content from a Drupal website. These zip files may contain arbitrary HTML or SVG content that could allow cross-site scripting vulnerabilities. While this is an expected feature, the modu...

CVSS: 5.4 | AI score: 5.5 | EPSS: 0.00148 | Exploits: 0 | References: 2

Drupal | added 2025/11/12

Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005

Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden. This functionality can be abused in a way that may cause Drupal to cache response data that it should not. This can lead to legitimate requests...

CVSS: 5.3 | AI score: 5.5 | EPSS: 0.00281 | Exploits: 0 | References: 7

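The general failure behind SA-CORE-2025-005 is a response cache whose key is computed from the request as it arrived, while the response is rendered from the request as it looks after an override has been applied; a request carrying the override then poisons the entry that plain requests are served from. The block below is an added example written for this page, not Drupal core's or the underlying library's code: the override mechanism (a constructed `X-Constructed-Format-Override` header), the page renderer and the cache are all constructed to show the vulnerable keying beside the fixed keying, and the alternative of disabling the override entirely.

```python
"""Why an override-able request attribute must be part of the cache key.

Added example, not Drupal core's code. The override header, renderer and
cache here are constructed; the advisory does not name the real mechanism.
"""
import hashlib

OVERRIDE_HEADER = "X-Constructed-Format-Override"  # constructed, not a real header


def render(path, fmt):
    # Constructed application: same path, body depends on the effective format.
    body = {"html": f"<h1>{path}</h1>", "json": f'{{"path": "{path}"}}'}[fmt]
    return {"body": body,
            "content_type": "text/html" if fmt == "html" else "application/json"}


def effective_format(request, allow_override):
    # The rarely used feature: a header may replace the format the URL implies.
    if allow_override:
        return request["headers"].get(OVERRIDE_HEADER, request["format"])
    return request["format"]


class PageCache:
    def __init__(self, key_fn, allow_override=True):
        self.key_fn, self.allow_override = key_fn, allow_override
        self.store, self.hits = {}, 0

    def handle(self, request):
        fmt = effective_format(request, self.allow_override)
        key = self.key_fn(request, fmt)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        response = render(request["path"], fmt)
        self.store[key] = response
        return response


def key_before_override(request, fmt):
    # Vulnerable: keyed on what the URL said, not on what was actually served.
    return hashlib.sha256(f"{request['path']}|{request['format']}".encode()).hexdigest()


def key_after_override(request, fmt):
    # Fixed: the key covers every input that changed the response.
    return hashlib.sha256(f"{request['path']}|{fmt}".encode()).hexdigest()


def poison_then_fetch(cache):
    """Attacker primes the cache with the override set; a plain visitor follows."""
    attacker = {"path": "/node/1", "format": "html",
                "headers": {OVERRIDE_HEADER: "json"}}
    victim = {"path": "/node/1", "format": "html", "headers": {}}
    cache.handle(attacker)
    return cache.handle(victim)["content_type"]


if __name__ == "__main__":
    print("vulnerable key:", poison_then_fetch(PageCache(key_before_override)))
    print("fixed key:     ", poison_then_fetch(PageCache(key_after_override)))
    print("override off:  ", poison_then_fetch(PageCache(key_before_override, allow_override=False)))
```

Keying on the post-override value is the durable fix; turning the override off is the operational mitigation when the feature is not in use, which the advisory's wording ("rarely used") suggests is the common case.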
Drupal | added 2025/11/12

Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008

The core system module handles downloads of private and temporary files. Contrib modules can define additional kinds of file schemes that may also be handled by the system module. In some cases, files may be served with the HTTP header Cache-Control: public when they should be uncacheable. This...

CVSS: 3.7 | AI score: 5.5 | EPSS: 0.00243 | Exploits: 0 | References: 7

Drupal | added 2025/09/24

Umami Analytics - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-109

This module enables you to add the Umami Analytics web statistics tracking system to your website. The "administer umami analytics" permission allows inserting an arbitrary JavaScript file on every page. While this is an expected feature, the permission lacks the "restrict access" flag, which should...

CVSS: 3.8 | AI score: 5.4 | EPSS: 0.00168 | Exploits: 0 | References: 3

Drupal | added 2025/09/03

Acquia DAM - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-105

This module enables you to connect a Drupal site to the Acquia DAM service, which syncs media from the third party service to the site. The module doesn't sufficiently validate authorization to a list of DAM assets currently synced to the website, creating an access bypass vulnerability. This...

CVSS: 7.5 | AI score: 5.4 | EPSS: 0.00256 | Exploits: 0 | References: 4

Drupal | added 2025/08/27

Owl Carousel 2 - Critical - Unsupported - SA-CONTRIB-2025-104

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

CVSS: 5.3 | AI score: 5.4 | EPSS: 0.00229 | Exploits: 0 | References: 2

Drupal | added 2025/08/27

Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101

This module enables you to protect individual pages with a password. The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks. This vulnerability is mitigated by the fact that an attacker must know the protected page's URL. CVSS risk score experimental...

CVSS: 6.5 | AI score: 5.5 | EPSS: 0.00355 | Exploits: 0 | References: 4

Drupal | added 2025/08/27

Facets - Moderately critical - Information Disclosure - SA-CONTRIB-2025-099

This module enables you to easily create and manage faceted search interfaces. The module doesn't sufficiently check access to entities when they are displayed as facets. This vulnerability is mitigated by the fact that only sites that show facets with entity labels like taxonomy terms are...

CVSS: 6.5 | AI score: 5.6 | EPSS: 0.00185 | Exploits: 0 | References: 5

Drupal | added 2025/08/27

Synchronize composer.json With Contrib Modules - Critical - Unsupported - SA-CONTRIB-2025-102

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

CVSS: 5.3 | AI score: 5.4 | EPSS: 0.00229 | Exploits: 0 | References: 2

Drupal | added 2025/06/25

GLightbox - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-078

GLightbox module is a pure JavaScript lightbox for CKEditor. The module doesn't sufficiently filter user-supplied text for the GLightbox JavaScript library, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

CVSS: 6.1 | AI score: 5.5 | EPSS: 0.00183 | Exploits: 0 | References: 2

Drupal | added 2025/05/07

Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-056

The module enables you to add second-factor authentication in addition to the default Drupal login. The module does not sufficiently ensure that known login routes are protected. This vulnerability is mitigated by the fact that an attacker must obtain the user's username and password...

CVSS: 7.4 | AI score: 5.6 | EPSS: 0.00324 | Exploits: 0 | References: 3

Drupal | added 2025/05/07

Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-055

The module enables you to add second-factor authentication in addition to the default Drupal login. The module doesn't sufficiently protect certain sensitive routes, allowing an attacker to view or modify various TFA-related settings...

CVSS: 6.5 | AI score: 5.5 | EPSS: 0.00207 | Exploits: 0 | References: 3

Drupal | added 2025/05/07

Enterprise MFA - TFA for Drupal - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-054

The module enables you to add second-factor authentication in addition to the default Drupal login. The module doesn't sufficiently protect certain routes from Cross Site Request Forgery (CSRF) attacks...

CVSS: 8.8 | AI score: 5.5 | EPSS: 0.00171 | Exploits: 0 | References: 3

Drupal | added 2025/04/23

Colorbox - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-041

Colorbox is a module that allows images, and iframed or inline content, to be displayed in a modal above the current page. The Colorbox module doesn't sufficiently sanitize data attributes before opening modals. This vulnerability is mitigated by the fact that an attacker must have a role with...

CVSS: 6.1 | AI score: 5.6 | EPSS: 0.00216 | Exploits: 0 | References: 2

Drupal | added 2025/04/09

WEB-T - Moderately critical - Access bypass, Denial of service - SA-CONTRIB-2025-030

This module enables you to translate nodes, configuration and UI strings automatically. The module doesn't sufficiently validate the incoming API response when using the eTranslation integration, which has an asynchronous workflow. Specially crafted requests could overwrite entities and translations of...

CVSS: 6.5 | AI score: 5.7 | EPSS: 0.00357 | Exploits: 0 | References: 2

Drupal | added 2025/01/22

Material Admin - Critical - Unsupported - SA-CONTRIB-2025-006

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...

CVSS: 6.6 | AI score: 7.1 | EPSS: 0.00389 | Exploits: 0 | References: 2

Drupal | added 2024/11/06

Tooltip - Moderately critical - Cross site scripting - SA-CONTRIB-2024-058

This module enables you to add any HTML content you want in a tooltip displayed on mouse hover. The module does not sufficiently escape the markup inserted in the tooltip block. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks"...

CVSS: 4.8 | AI score: 6.8 | EPSS: 0.00228 | Exploits: 0 | References: 7

Drupal | added 2024/11/06

Basic HTTP Authentication - Critical - Access bypass - SA-CONTRIB-2024-057

The module provides a possibility to restrict access to specific paths using basic HTTP authentication, in addition to standard Drupal access checks. In some cases, the module removes existing access checks from some paths, resulting in an access bypass vulnerability...

CVSS: 7.3 | AI score: 7.1 | EPSS: 0.00311 | Exploits: 0 | References: 4

Drupal | added 2024/10/23

Monster Menus - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-052

This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure. In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize function, which can result in arbitrary code execution...

CVSS: 4.3 | AI score: 7.5 | EPSS: 0.00333 | Exploits: 0 | References: 7

Drupal | added 2024/10/02

Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. The module does not sufficiently migrate sessions before prompting for a second factor token. This vulnerability is mitigated by the fact that an attacker must fixat...

CVSS: 9.8 | AI score: 5.7 | EPSS: 0.00442 | Exploits: 0 | References: 8

Drupal | added 2024/10/02

Persistent Login - Moderately critical - Access bypass - SA-CONTRIB-2024-044

This module enables users to remain logged in separately from session timeouts. The module doesn't sufficiently check a user's disabled status when validating cookies. This vulnerability is mitigated by the fact that an attacker must have an unexpired cookie from a previous successful login...

CVSS: 9.8 | AI score: 6.9 | EPSS: 0.00394 | Exploits: 0 | References: 7

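The two advisories above (SA-CONTRIB-2024-043 and SA-CONTRIB-2024-044) are both about what a login flow must do at a state transition: regenerate the session identifier when the first factor succeeds, so that an identifier an attacker planted in the victim's browser never becomes the authenticated session, and re-check the account's status every time a long-lived cookie is presented, because a cookie issued while the account was active stays cryptographically valid after the account is blocked. The block below is an added example written for this page, not the TFA or Persistent Login module's code; the session store, the account table, the cookie format and the server key are constructed.

```python
"""Session migration at the second-factor boundary, and persistent-login
cookie validation. Added example, not the TFA or Persistent Login module
code; the session store, account table and cookie format are constructed."""
import hashlib
import hmac
import secrets

USERS = {  # constructed accounts: uid -> record
    1: {"name": "alice", "status": "active", "password": "pw-alice", "tfa_code": "123456"},
    2: {"name": "bob", "status": "active", "password": "pw-bob", "tfa_code": "654321"},
}
SERVER_KEY = b"constructed-server-key"
PERSISTENT = {}  # token -> uid, kept server-side so a persistent login can be revoked


class SessionStore:
    def __init__(self):
        self.sessions = {}  # session id -> data

    def start(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid

    def migrate(self, sid):
        """Issue a fresh id carrying the same data; the old id stops working."""
        data = self.sessions.pop(sid, {})
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = data
        return new_sid


def password_step(store, sid, name, password):
    """First factor. Returns (session id to set on the browser, ok)."""
    uid = next((u for u, r in USERS.items() if r["name"] == name), None)
    if uid is None or not hmac.compare_digest(USERS[uid]["password"], password):
        return sid, False
    # The vulnerable pattern keeps the incoming `sid` while waiting for the
    # second factor. Migrating here means an id the attacker fixated in the
    # victim's browser never becomes the authenticated session.
    sid = store.migrate(sid)
    store.sessions[sid]["pending_tfa_uid"] = uid
    return sid, True


def tfa_step(store, sid, code):
    """Second factor. Only a session that passed the first factor may finish."""
    sess = store.sessions.get(sid)
    if not sess or "pending_tfa_uid" not in sess:
        return False
    uid = sess["pending_tfa_uid"]
    if not hmac.compare_digest(USERS[uid]["tfa_code"], code):
        return False
    del sess["pending_tfa_uid"]
    sess["uid"] = uid
    return True


def current_uid(store, sid):
    return store.sessions.get(sid, {}).get("uid")


def issue_persistent_cookie(uid):
    token = secrets.token_hex(16)
    PERSISTENT[token] = uid
    mac = hmac.new(SERVER_KEY, f"{uid}:{token}".encode(), hashlib.sha256).hexdigest()
    return f"{uid}:{token}:{mac}"


def validate_persistent_cookie(cookie):
    """Return the uid the cookie logs in, or None."""
    try:
        uid_s, token, mac = cookie.split(":")
        uid = int(uid_s)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{uid}:{token}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    if PERSISTENT.get(token) != uid:
        return None  # revoked or never issued
    # The check the Persistent Login advisory says was missing: a valid,
    # unexpired cookie must not log in an account that has since been blocked.
    if USERS.get(uid, {}).get("status") != "active":
        return None
    return uid
```

Migrating the session at the first-factor boundary rather than only after the second factor is the point: the pending-TFA state is itself privileged (it proves the password), so the attacker's planted identifier must be dead before that state is stored.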
Drupal | added 2024/09/04

Paragraphs table - Critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-036

This module enables field collections to be displayed as tables. It supports display suite and field permissions and provides operations (modify, delete, duplicate). This module has multiple vulnerabilities due to the requirements on the routes it provides not being restrictive enough. Information...

CVSS: 6.3 | AI score: 7.1 | EPSS: 0.00231 | Exploits: 0 | References: 10

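SA-CONTRIB-2024-057 (Basic HTTP Authentication) and SA-CONTRIB-2024-036 (Paragraphs table) are two ends of the same route-requirement mistake: a module that adds a check and in doing so replaces the checks that were already there, and a module whose own routes carry requirements too loose for the operations behind them. The block below is an added example written for this page, not either module's code. The routes, accounts, permission names and the basic-auth check are constructed; it shows the replace-versus-append difference, deny-by-default for a route with no requirement at all, and a small audit helper for finding such routes.

```python
"""Route access requirements: an added check must combine with the checks
already on the route, and every route needs an explicit requirement.
Added example, not the Basic HTTP Authentication or Paragraphs table
module code; routes, accounts and checks are constructed."""
import base64
import hmac


class User:
    def __init__(self, name, permissions, password=None):
        self.name, self.permissions, self.password = name, set(permissions), password


ANON = User("anonymous", [])
USERS = {
    "editor": User("editor", ["edit paragraphs"], "pw-editor"),
    "viewer": User("viewer", [], "pw-viewer"),
}


def basic_header(name, password):
    """Constructed helper: the Authorization header a client would send."""
    raw = f"{name}:{password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


# A requirement is a callable (user, request) -> bool.
def permission(name):
    return lambda user, request: name in user.permissions


def authenticated(user, request):
    return user is not ANON


def basic_auth(user, request):
    header = request.get("Authorization", "")
    if not header.startswith("Basic "):
        return False
    try:
        name, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return False
    acct = USERS.get(name)
    return (acct is not None and acct.password is not None
            and hmac.compare_digest(acct.password, pw))


ROUTES = {  # path -> requirements, all of which must hold
    "/paragraph/1/edit": [authenticated, permission("edit paragraphs")],
    "/paragraph/1/delete": [authenticated, permission("edit paragraphs")],
    "/paragraph/1/duplicate": [],  # the Paragraphs table class of bug: no requirement at all
}


def add_basic_auth_wrong(routes, path):
    # Replaces the existing checks: anyone who passes basic auth is in,
    # whatever the original permission requirement said.
    routes[path] = [basic_auth]


def add_basic_auth(routes, path):
    # Appends to the existing checks: basic auth AND the original requirements.
    routes[path] = routes[path] + [basic_auth]


def access(routes, path, user, request):
    requirements = routes[path]
    if not requirements:
        return False  # deny by default; an empty requirement list is a bug, not "public"
    return all(check(user, request) for check in requirements)


def audit_open_routes(routes):
    """Routes with no requirement at all, the thing to look for in a routing file."""
    return sorted(path for path, reqs in routes.items() if not reqs)


if __name__ == "__main__":
    r = {p: list(v) for p, v in ROUTES.items()}
    add_basic_auth_wrong(r, "/paragraph/1/edit")
    print("viewer after wrong fix:", access(r, "/paragraph/1/edit", USERS["viewer"],
                                            basic_header("viewer", "pw-viewer")))
    print("open routes:", audit_open_routes(ROUTES))
```

Treating the requirement list as a conjunction, and never letting it become empty, is what the Drupal routing model intends; the audit helper is the cheap check to run against a contributed module's routes before deploying it.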
Drupal | added 2024/09/04

Open Social - Moderately critical - Cross Site Scripting, Denial of Service - SA-CONTRIB-2024-037

Open Social is a Drupal distribution for online communities, which ships with an optional module called Social Embed. This module allows a website to display embedded content such as photos or videos when a user posts a link to that resource, without having to parse the resource directly. Added...

CVSS: 5.4 | AI score: 6.9 | EPSS: 0.0021 | Exploits: 0 | References: 7

Drupal | added 2024/09/04

Open Social - Moderately critical - Denial of Service - SA-CONTRIB-2024-038

Open Social is a Drupal distribution for online communities. The distribution didn't validate the flood control limits on the password reset form correctly, resulting in a potential attacker flooding the password reset, which could result in a Denial of Service. Fortunately the message does not...

CVSS: 5.3 | AI score: 7 | EPSS: 0.00349 | Exploits: 0 | References: 8

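Protected Pages (SA-CONTRIB-2025-101) and this Open Social advisory (SA-CONTRIB-2024-038) are the same missing control applied to two forms: a per-client and per-target attempt counter with a sliding window, so that a password prompt cannot be brute-forced and a reset form cannot be used to flood the mail queue. The block below is an added example written for this page, not the Protected Pages or Open Social code; it follows the register / is-allowed / clear shape of Drupal's flood API in plain Python with an in-memory store and an injectable clock, and the page, password, thresholds and client addresses are constructed.

```python
"""Sliding-window flood control for password attempts and reset requests.

Added example, not the Protected Pages or Open Social code. It mirrors the
shape of Drupal's flood API (register / isAllowed / clear) with an in-memory
store and an injectable clock; page, password and thresholds are constructed.
"""
import hashlib
import hmac
import time
from collections import defaultdict, deque


class Flood:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.events = defaultdict(deque)  # (name, identifier) -> timestamps

    def register(self, name, identifier):
        self.events[(name, identifier)].append(self.clock())

    def is_allowed(self, name, identifier, threshold, window):
        q = self.events[(name, identifier)]
        now = self.clock()
        while q and now - q[0] > window:  # drop events that left the window
            q.popleft()
        return len(q) < threshold

    def clear(self, name, identifier):
        self.events.pop((name, identifier), None)


def hash_password(password, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed protected page: path -> stored password hash.
PAGES = {"/board-minutes": hash_password("correct horse")}


def check_page_password(flood, client_ip, path, supplied, threshold=5, window=3600):
    """Return 'ok', 'wrong' or 'blocked'. Counted per client and per page, so
    one attacker cannot lock everyone out but also cannot retry without limit."""
    ident = f"{client_ip}:{path}"
    if not flood.is_allowed("protected_pages.password", ident, threshold, window):
        return "blocked"
    flood.register("protected_pages.password", ident)  # count the attempt before checking
    if hmac.compare_digest(PAGES[path], hash_password(supplied)):
        flood.clear("protected_pages.password", ident)
        return "ok"
    return "wrong"


def request_password_reset(flood, client_ip, account, threshold=3, window=3600):
    """Same pattern on the reset form: a per-client cap and a tighter per-account
    cap, so neither a single client nor a single target can drive the mail queue."""
    if not flood.is_allowed("user.password_reset.ip", client_ip, threshold * 10, window):
        return "blocked"
    if not flood.is_allowed("user.password_reset.account", account, threshold, window):
        return "blocked"
    flood.register("user.password_reset.ip", client_ip)
    flood.register("user.password_reset.account", account)
    return "mail-queued"


if __name__ == "__main__":
    f = Flood()
    print([check_page_password(f, "10.0.0.1", "/board-minutes", "guess") for _ in range(6)])
    print([request_password_reset(f, "10.0.0.3", "alice") for _ in range(4)])
```

Registering the attempt before the comparison, not after a failure, is deliberate: an attacker who can abort the request mid-check must still consume an attempt. A real deployment also needs the identifier to be the client address the reverse proxy vouches for, not whatever X-Forwarded-For says.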
Drupal | added 2024/07/31

View Password - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-026

The View Password module enables you to add a help icon button next to the password input field to toggle the password visibility. The administrative user is allowed to add classes to this icon for styling purposes. The module doesn't validate the content of classes. A malicious user with access ...

CVSS: 4.8 | AI score: 7.2 | EPSS: 0.00261 | Exploits: 0 | References: 6

Drupal | added 2021/05/12

Gutenberg - Critical - Access bypass - SA-CONTRIB-2021-007

This module provides a new UI experience for node editing using the Gutenberg Editor library. The module did not correctly validate access rules in certain situations, allowing anonymous users to delete blocks...

AI score: 6.6 | Exploits: 0 | References: 8

Drupal | added 2019/11/13

Webform Report - Critical - Unsupported - SA-CONTRIB-2019-086

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported...

AI score: 6.6 | Exploits: 0 | References: 2

Total number of security vulnerabilities: 1911