Select (or other) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-054
This module enables users to select 'other' on certain form elements and a textfield appears for the user to provide a custom value. The module doesn't sufficiently escape values of a text field under the scenario when the "Select or other" formatter is used. This vulnerability is mitigated by th...
Cloud - Critical - CSRF - SA-CONTRIB-2017-086
This module enables sites to manage public clouds like Amazon EC2 and also private clouds like OpenStack. The module doesn't sufficiently protect the deletion of audit reports, thereby exposing a cross-site request vulnerability which can be exploited by unprivileged users to trick an administrat...
LDAP - Critical - Data Injection - SA-CONTRIB-2017-052
The LDAP module does not sanitize user input correctly in several cases, allowing a user to modify parameters without restriction and inject data. If the site administrator chooses to hide the email or password from the user form instead of showing or disabling it under "Authorization", these...
@Base - Critical - Unsupported - SA-CONTRIB-2017-040
Provides additional APIs for developers working with Drupal 7. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466...
Remember Me - Critical - Unsupported - SA-CONTRIB-2017-025
Updates 2017-04-23 — This issue has been resolved with the release of rememberme 7.x-1.1 Remember me is a module that allows users to check "Remember me" when logging in. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed ...
RESTWS - Highly critical - Remote code execution - SA-CONTRIB-2016-040
This module enables you to expose Drupal entities as RESTful web services. RESTWS alters the default page callbacks for entities to provide additional functionality. A vulnerability in this approach allows an attacker to send specially crafted requests resulting in arbitrary PHP execution. There...
SA-CONTRIB-2014-039 - Revisioning - Access Bypass
This module enables you to manage publication workflows whereby new, not publicly visible revisions of existing published content may be created by an author for review, while the current revision remains live to the public. The new revision does not go live until it is approved by a moderator wi...
SA-CONTRIB-2013-058 - MRBS - Abandoned - Multiple vulnerabilities
MRBS is a free, GPL web application using PHP and MySQL/pgsql for booking meeting rooms or other resources. The module doesn't sufficiently filter user-supplied data when creating queries, which leads to a SQL injection vulnerability. CVE identifiers issued: A CVE identifier will be requested, and...
SA-CONTRIB-2012-137 - Heartbeat - Cross Site Request Forgery (CSRF) in heartbeat_comments
This module enables you to display activity for events on a site. The sub-modules heartbeat_comments and shouts don't sufficiently check the heartbeat comment post values, making it possible for an attacker to cause a user to unknowingly make comments. CVE: Requested. Versions affected...
SA-CONTRIB-2012-117 - Location - Access Bypass
The Location module allows real-world geographic locations to be associated with Drupal nodes, including people, places, and other content. The Location Search sub-module adds a search page for searching for locations. The Location Search module fails to enforce content and user access permission...
SA-CONTRIB-2011-047 - OG Features access bypass
OG Features provides a mechanism for groups to enable or disable certain bundles of functionality, or features, within the groups they administer. The module is able to turn components on and off within given groups by overriding the access callbacks of every menu item, and checking conditions...
SA-CONTRIB-2011-039 - Bot Alarm - Multiple vulnerabilities
This module enables you to set alarms for your IRC bot. The module does not properly escape the message and channels of alarms in pages listing the alarms, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...
SA-CONTRIB-2011-036 - Addresses - Cross Site Scripting
This module enables you to link your users and contents to physical addresses. The module doesn't sufficiently filter output when displaying an address. This vulnerability is mitigated by the fact that the module doesn't use the single line display by default, an administrator has to enable that...
SA-CONTRIB-2011-019 - Menu Access - Cross Site Scripting
The Menu Access module provides global, menu-specific, and per-menu-item security permissions by role and user account. The Menu Access module contains a cross site scripting (XSS) vulnerability that can be exploited when a specially formatted menu description is viewed. This could result in...
SA-CONTRIB-2011-001 - Webform - SQL Injection
The contributed Webform module provides a webform node type. Typical uses for Webform are to create questionnaires, contact or request/register forms, surveys, polls, or a front end to issue tracking systems. The module does not properly use the database API, leading to an SQL Injection...
SA-CONTRIB-2010-111 - Views - Cross Site Scripting
The Views module provides a flexible method for Drupal site designers to control how lists and tables of content are presented. Under certain circumstances, Views could display parts of the page path without escaping, resulting in a reflected Cross Site Scripting (XSS) vulnerability. An attacker cou...
SA-CONTRIB-2010-105 - Outline Designer - Cross Site Request Forgery
Outline Designer allows for easier creation and management of items in a Book. The Outline Designer module does not properly protect some of its paths against Cross Site Request Forgeries (CSRF), allowing an attacker to get a user with the permission to administer site configuration to change any...
SA-CONTRIB-2010-091 - Mollom - Information Disclosure
The Mollom module provides a combination of CAPTCHA challenges with text analysis to intelligently block spam. In some configurations, sensitive user data (e.g., a user's plain-text password) might be logged through calls to Drupal's watchdog API. This vulnerability is mitigated by the fact that th...
SA-CONTRIB-2010-033 - Taxonomy Filter - Cross Site Scripting (XSS)
The Taxonomy Filter module enables users to filter node listings by multiple taxonomy terms across multiple vocabularies. Vocabulary names, terms, and filter menus are not sanitized, creating a Cross Site Scripting (XSS) vulnerability. Exploiting this vulnerability would allow a malicious user to...
SA-CONTRIB-2010-021 - AddThis Button - Cross Site Scripting
The AddThis module provides an easy way to share content to over 230 supported services such as Facebook, Email and Twitter. The module did not sanitize some user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability. Only users with the 'administer addthis'...
SA-CONTRIB-2010-009 - Block Class - Cross Site Scripting
The Block Class module allows users to add classes to any block through the block's configuration interface. This release includes a fix for a cross-site scripting (XSS) vulnerability through which JavaScript could be inserted in the class field of a block's configuration interface. Versions affected...
SA-CONTRIB-2009-102 - PHPList Integration Module - Cross Site Request Forgery
The PHPList module provides a basic level of integration between Drupal and the PHPList mailing list application. The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicious site can cause a user to unintentionally submit a form to a site where they are authenticate...
SA-CONTRIB-2009-092 - S5 Presentation Player Cross Site Scripting
The S5 Presentation Player module enables the creation of an S5 slideshow using content from the site. The module does not properly sanitize user-supplied text it includes in the HTML HEAD section, leading to a cross-site scripting (XSS) vulnerability. Such an attack may lead to a malicious user...
SA-CONTRIB-2009-075 - OG Vocabulary 5.x
The Organic Groups Vocabulary module enables an organic group to have a group-specific vocabulary. In some specific cases, the module does not sanitize the group title before outputting it, resulting in a cross-site scripting (XSS) vulnerability. Such an attack may lead to a malicious user gaining ful...
SA-CONTRIB-2009-058 - Comment RSS - Access bypass
The Comment RSS module provides RSS feeds for comments on individual nodes. The link to this feed contains the node's title. Adding the link to the RSS feed was not respecting access permissions, potentially exposing content not available otherwise. Versions affected Comment RSS for Drupal 5.x...
SA-CONTRIB-2009-030 - Email Verification - Information disclosure / Cross Site Scripting
The Email Verification module tries to verify user email addresses by talking to the appropriate SMTP host. It also allows the administrator to access a list of unconfirmed email addresses. In the Drupal 5 version, this list is only protected by the "access content" permission, hence allowing a...
SA-CONTRIB-2009-017 - Vote Up/Down - Cross-site request forgery
The Vote Up/Down module provides a voting widget for content that records votes using Ajax. The URL for voting is vulnerable to cross-site request forgeries (CSRF), making it possible for users to unknowingly vote for content. Versions affected: Vote Up/Down 5.x-1.x prior to 5.x-1.1, Vote Up/Down...
SA-CONTRIB-2009-008 - Taxonomy Theme - Cross site scripting
The Taxonomy Theme module allows a website administrator to change the theme of a given content item based on taxonomy, vocabulary or content type. It does not properly sanitize user-supplied data in a number of places. This allows users with the "administer taxonomy" permission, or, when tagging ...
SA-CONTRIB-2009-005 - Views bulk operations - Cross site scripting
Views bulk operations augments Views by enabling bulk operations to be executed on the content displayed by a view. Views bulk operations does not properly escape user-supplied data on some pages, allowing malicious users to insert arbitrary HTML and script code into these pages. Such a cross sit...
SA-CONTRIB-2009-001 - Project release - Multiple vulnerabilities
Exploitable from: Remote. Vulnerabilities: Arbitrary file upload, Cross-site scripting (XSS). The Project release module is a component within the broader Project module. This announcement covers the following two issues: 1. Project release enables file attachments to create a specific version of cod...
SA-2008-066 - Shindig-Integrator - Multiple vulnerabilities
Shindig-Integrator integrates the OpenSocial Shindig container with Drupal. The module contains numerous flaws, among them the following issues. Malicious users are able to insert arbitrary HTML and script code into certain module-generated pages. Such a cross site scripting vulnerability ca...
SA-2008-056 - Simplenews - Cross site scripting
Simplenews publishes and sends newsletters to lists of subscribers. Newsletter categories are not always properly escaped. This allows users with the "administer taxonomy" permission to add arbitrary HTML and script code to the site. Wikipedia has more information about such cross site scripting...
SA-2008-030 - Site Documentation - Privilege escalation
The contributed module Site Documentation intends to assist developers and administrators when they start working with a new site by showing them information from the database. All users with the "access content" permission are able to use the module to list arbitrary tables from the database. In...
SA-2008-027 - Ubercart - Cross site scripting
When certain product features were being edited, node titles were being printed to the screen as entered by the user. If a store owner had granted product creation rights to a non-secure user, this would provide an opportunity for a malicious user to perform a cross site scripting attack when...
SA-2008-023 - Ubercart - Cross site scripting
During checkout in Ubercart enabled stores, customers have text fields in which to enter their address and order information. Some stores will have modules enabled that restrict what sort of values are accepted in these fields, but this is not the case for everyone. This provides an opportunity f...
SA-2008-013 - Project issue tracking - Arbitrary file upload
The Project issue tracking module has a vulnerability where new issues are not properly validated. If the core Upload module is enabled on issue nodes (the recommended configuration for the 5.x-2. series), this vulnerability can be used to attach malicious files to new issues, regardless of the...
SA-2008-014 - Userpoints - Cross site request forgery
Userpoints is a system for keeping track of points earned on a site. It can be used to reward users for contributions to a community and also for ecommerce transactions. The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicious site can cause a user to...
SA-2008-016 - OpenID - Incorrect claimed_id returned for OpenID 2.0
The OpenID module has a vulnerability which allows OpenID version 2.0 positive assertions that are not properly verified to return an invalid or impersonated claimed_id. To exploit this vulnerability an attacker could set up an OpenID provider, example1.com, that claimed to be the authority for...
SA-2007-028 - Weblinks - Cross site scripting
User input is not properly sanitized on a number of pages. This allows malicious users to inject arbitrary HTML and script code into these pages, which may lead to administrator access if certain conditions are met. Learn more about cross site scripting on Wikipedia. Versions affected Weblinks fo...
Project and Project issue tracking - Access bypass
The Project and Project issue tracking modules provide a series of permissions to control access to projects and issues: "access projects", "access own projects", "access project issues" and "access own project issues". While these permissions correctly prevent users from viewing the entire proje...
Project issue tracking - Access bypass
If a remote user knows the node identifier of an issue that has been marked private using a node access module (simpleaccess, nodeprivacybyrole, etc.), they can use a specially crafted URL to view the contents of the node, regardless of their own privileges. All that is required is the "access proje...
Examples for Developers - Moderately critical - Access bypass - SA-CONTRIB-2026-044
The Examples for Developers project aims to provide high-quality, well-documented API examples for a broad range of Drupal core functionality. The "Read from a file" feature implemented by the fileexample submodule can be used to expose any file that PHP can access. Therefore, the fileexample...
LocalGov Workflows - Moderately critical - Information disclosure - SA-CONTRIB-2026-039
This module configures default editorial workflows for LocalGov Drupal content types. It provides a Drupal content moderation workflow, a content approvals dashboard, content scheduling and content preview. The module doesn't sufficiently restrict access to a view of Service Contacts at which...
Material Icons - Moderately critical - Access bypass - SA-CONTRIB-2026-011
This module enables you to add icons to CKEditor. The module doesn't sufficiently add custom permissions to the dialog and autocomplete routes, allowing full access to the routes in most scenarios...
Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115
The Email TFA module provides additional email-based two-factor authentication for Drupal logins. In certain scenarios, the module does not fully protect all login mechanisms as expected. This issue is mitigated by the fact that an attacker must already have valid user credentials username and...
Plausible tracking - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-107
This module integrates Plausible Analytics on a site. The module did not properly filter output in certain cases. This vulnerability is mitigated by the fact that an attacker must have permission to add raw HTML to the website, such as an unfiltered WYSIWYG field on a public-facing comment...
Two-factor Authentication (TFA) - Less critical - Access bypass - SA-CONTRIB-2025-085
This module enables you to allow and/or require a second authentication method in addition to password authentication. The module does not sufficiently ensure that users with enhanced privileges are prevented from viewing recovery codes of other users. This vulnerability is mitigated by the fact...
Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-053
The module enables you to add second-factor authentication in addition to the default Drupal login. The module doesn't invoke two-factor authentication (2FA) for the password reset option. This vulnerability is mitigated by the fact that an attacker must have access to the password reset link...
baguetteBox.js - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-034
The baguetteBox.js module provides integration with the baguetteBox.js library. The module doesn't sufficiently sanitize user-supplied text values, leading to a cross site scripting vulnerability...
OAuth2 Server - Moderately critical - Access bypass - SA-CONTRIB-2025-020
Provides OAuth2 server functionality based on the oauth2-server-php library. The module does not consistently enforce admin configurations, allowing users on a disabled server to still authenticate...