Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
•added 2011/03/30 12:0 a.m.•10 views

SA-CONTRIB-2011-015 - Translation Management - Multiple Vulnerabilities

This Translation Management module helps to manage the process of translating content on your site. The module has several vulnerabilities. It doesn't sufficiently escape user text when printed to the browser nor when used in database queries resulting in Cross Site Scripting XSS and SQL Injectio...

7.7AI score
Exploits0References10
Drupal
Drupal
•added 2010/06/16 12:0 a.m.•10 views

SA-CONTRIB-2010-065 - Content Construction Kit (CCK) - Access Bypass

The Content Construction Kit CCK project is a set of modules that allows you to add custom fields to nodes using a web browser. The CCK "Node Reference" module can be configured to display referenced nodes as hidden, title, teaser or full view. Node access was not checked when displaying these...

7AI score
Exploits0References10
Drupal
Drupal
•added 2010/05/26 12:0 a.m.•10 views

SA-CONTRIB-2010-060 - Scheduler - Cross Site Scripting

Scheduler allows nodes to be published and unpublished on specified dates. Scheduler does not sanitize titles for unpublished nodes on the scheduled nodes overview list, leading to a Cross Site Scripting XSS vulnerability that may lead to a malicious user gaining full administrative access. The...

6.2AI score
Exploits0References8
Drupal
Drupal
•added 2010/05/19 12:0 a.m.•10 views

SA-CONTRIB-2010-054 - Storm - Cross Site Scripting (XSS)

The Storm project provides a group of modules for project management and billing. The module displays data entered by users without sanitising it, allowing for a cross site scripting XSS attack that may lead to a malicious user gaining full administrative access. Versions affected Storm project f...

6AI score
Exploits0References6
Drupal
Drupal
•added 2010/05/19 12:0 a.m.•10 views

SA-CONTRIB-2010-056 - User Queue - Cross Site Request Forgery

The User Queue module allows you to create multiple queues, add users to them, and order the users within the queue. The module is vulnerable to cross-site request forgeries CSRF via the URL used to delete users from the queue. A user with "administer user queues" permission could be manipulated...

7AI score
Exploits0References6
Drupal
Drupal
•added 2010/05/19 12:0 a.m.•10 views

SA-CONTRIB-2010-059: Panels - Arbitrary PHP code execution

The Panels module allows a site administrator to create customized layouts for multiple uses. The "Mini panels" module, included with panels, was found to have an arbitrary PHP code execution vulnerability. Users with the 'create mini panels' permission could execute arbitrary PHP code on the...

8AI score
Exploits0References3
Drupal
Drupal
•added 2010/05/12 12:0 a.m.•10 views

SA-CONTRIB-2010-046: Award - Cross Site Scripting

The Award module allows administrators to identify one or more content types as "awards" that can be granted to users. When the title of an award is displayed on a user's profile page it is not properly sanitized, resulting in a cross site scripting vulnerability. Attackers must have the permissi...

6.3AI score
Exploits0References7
Drupal
Drupal
•added 2010/02/17 12:0 a.m.•10 views

SA-CONTRIB-2010-018 - Content Distribution - Multiple Vulnerabilities

Content Distribution module allows calling a method to delete particular nodes using a XML-RPC call. When this method is allowed to be called by anonymous users in user permissions, an attacker might delete a random node. In addition, certain actions require Content Distribution to temporarily...

6.9AI score
Exploits0References4
Drupal
Drupal
•added 2010/01/13 12:0 a.m.•10 views

SA-CONTRIB-2010-004 - Node block - Cross site scripting

This module allows you to specify content types as being a block. This allows the content managers of the site to edit the block text and title without having to access the block administration page. Users only need edit access to that node in order to edit it. Users with administer block access...

6.3AI score
Exploits0References5
Drupal
Drupal
•added 2009/11/18 12:0 a.m.•10 views

SA-CONTRIB-2009-109 - Printfriendly - Cross Site Scripting

The Printfriendly module integrates with printfriendly.com's print service. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. Versions affected Printfriendly module for Drupal 6.x prior to Printfriendly 6.x-1.6...

6.3AI score
Exploits0References6
Drupal
Drupal
•added 2009/10/28 12:0 a.m.•10 views

SA-CONTRIB-2009-087 - FAQ Ask - Multiple Vulnerabilities

The FAQ Ask module enables site users to ask questions for experts to answer. The module suffers multiple vulnerabilities, including Cross Site Request Forgeries CSRF and Cross Site Scripting problems Cross Site Scripting. These vulnerabilities allow an attacker to hijack the account of a logged ...

6.7AI score
Exploits0References7
Drupal
Drupal
•added 2009/10/21 12:0 a.m.•10 views

SA-CONTRIB-2009-075 - OG Vocabulary 5.x

The Organic Groups Vocabulary module enables an organic group to have a group specific vocabulary. In some specific cases, the module does not sanitize before outputting the group title, resulting in a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user gaining ful...

6.1AI score
Exploits0References6
Drupal
Drupal
•added 2009/10/14 12:0 a.m.•10 views

SA-CONTRIB-2009-074- Webform - Multiple vulnerabilities

Cross-site scripting The Webform module enables the creation of custom forms for collecting data from users. The Webform module does not properly escape field labels in certain situations. A malicious user with permission to create webforms could attempt a cross-site scripting XSS attack when...

5.4AI score
Exploits0References9
Drupal
Drupal
•added 2009/10/14 12:0 a.m.•10 views

SA-CONTRIB-2009-072 - RealName - Cross Site Scripting

The RealName module allows the administrator to choose fields from the user profile that will be used to add a "real name" element method to a user object. In some specific cases, the module does not sanitize before outputting the realname, resulting in a cross-site scripting XSS vulnerability...

6AI score
Exploits0References5
Drupal
Drupal
•added 2009/09/16 12:0 a.m.•10 views

SA-CONTRIB-2009-059 - OpenID - Multiple vulnerabilities

The contributed OpenID module for Drupal 5 allows users to create an account or log into a Drupal site using one or more OpenID identities. The module does not correctly implement Form API for the form that allows one to link user accounts with OpenID identifiers. A malicious user is therefore ab...

7.3AI score
Exploits0References7
Drupal
Drupal
•added 2009/09/16 12:0 a.m.•10 views

SA-CONTRIB-2009-058 - Comment RSS - Access bypass

The Comment RSS module provides RSS feeds for comments on individual nodes. The link to this feed contains the node's title. Adding the link to the RSS feed was not respecting access permissions, potentially exposing content not available otherwise. Versions affected Comment RSS for Drupal 5.x...

7.2AI score
Exploits0References6
Drupal
Drupal
•added 2009/08/19 12:0 a.m.•10 views

SA-CONTRIB-2009-052 - Printer, e-mail and PDF versions - Cross site scripting

The Printer, e-mail and PDF versions "Print" module provides printer-friendly versions of content. The module doesn't properly escape a number of user-supplied variables before output. A user who has the permission to add content could attempt a cross site scripting XSS attack which may in some...

6AI score
Exploits0References9
Drupal
Drupal
•added 2009/06/10 12:0 a.m.•10 views

SA-CONTRIB-2009-035 - Booktree - Cross site scripting

Booktree takes as input a series of Book nodes and create a tree-like structure using Book node relationships.The Booktree module does not properly escape node title and node body on tree root pages. A user with privileges to create book pages could attempt a cross site scripting XSS attack which...

6.1AI score
Exploits0References8
Drupal
Drupal
•added 2009/06/03 12:0 a.m.•10 views

SA-CONTRIB-2009-033 - Quiz - Cross site scripting

The Quiz module provides tools for authoring and administering quizzes through Drupal. A quiz is given as a series of questions, with only one question appearing per page. Scores are then stored in the database. The module does not properly escape user-supplied data on some pages, allowing...

5.9AI score
Exploits0References8
Drupal
Drupal
•added 2009/04/29 12:0 a.m.•10 views

SA-CONTRIB-2009-022 - Exif - Cross Site Scripting

The Exif module enables users to display EXIF tags in images on the site. EXIF tags are not properly filtered for HTML input, allowing users with permission to upload images to inject arbitrary code into the site using a specially crafted image. Such a cross site scripting XSS attack may lead to ...

6.3AI score
Exploits0References9
Drupal
Drupal
•added 2009/03/26 12:0 a.m.•10 views

SA-CONTRIB-2009-018 - Feed element mapper - Cross site scripting

Feed element mapper is an Add-on module for FeedAPI that maps elements on a feed item such as tags or the author name to taxonomy or CCK fields. These mappings are configurable by point and click. The module does not escape content titles enabling malicious users to insert arbitrary HTML and...

6AI score
Exploits0References7
Drupal
Drupal
•added 2009/03/25 12:0 a.m.•10 views

SA-CONTRIB-2009-017 - Vote Up/Down - Cross-site request forgery

The Vote Up/Down module provides a voting widget for content that records votes using Ajax. The URL for voting is vulnerable to cross-site request forgeries CSRF making it possible for users to unknowingly vote for content. Versions affected Vote Up/Down 5.x-1.x prior to 5.x-1.1 Vote Up/Down...

7AI score
Exploits0References7
Drupal
Drupal
•added 2009/03/18 12:0 a.m.•10 views

SA-CONTRIB-2009-013 CCK - Cross site scripting

The Node reference and User reference sub-modules, which are part of the Content Construction Kit CCK project, lets administrators define node fields that are references to other nodes or to users. When displaying a node edit form, the titles of candidate referenced nodes or names of candidate...

6.3AI score
Exploits0References5
Drupal
Drupal
•added 2009/02/04 12:0 a.m.•10 views

SA-CONTRIB-2009-005 - Views bulk operations - Cross site scripting

Views bulk operations augments Views by enabling bulk operations to be executed on the content displayed by a view. Views bulk operations does not properly escape user-supplied data on some pages, allowing malicious users to insert arbitrary HTML and script code into these pages. Such a cross sit...

6AI score
Exploits0References7
Drupal
Drupal
•added 2009/01/07 12:0 a.m.•10 views

SA-CONTRIB-2009-001 - Project release - Multiple vulnerabilities

Exploitable from: Remote Vulnerabilities: Arbitrary file upload, Cross-site scripting XSS The Project release module is a component within the broader Project module. This announcement covers the following two issues: 1. Project release enables file attachments to create a specific version of cod...

7AI score
Exploits0References7
Drupal
Drupal
•added 2008/05/14 12:0 a.m.•10 views

SA-2008-030 - Site Documentation - Privilege escalation

The contributed module Site Documentation intends to assist developers and administrators when they start working with a new site by showing them information from the database. All users with the "access content" permission are able to use the module to list arbitrary tables from the database. In...

7.2AI score
Exploits0References5
Drupal
Drupal
•added 2008/04/23 12:0 a.m.•10 views

SA-2008-027 - Ubercart - Cross site scripting

When certain product features were being edited, node titles were being printed to the screen as entered by the user. If a store owner had granted product creation rights to a non-secure user, this would provide an opportunity for a malicious user to perform a cross site scripting attack when...

6.6AI score
Exploits0References4
Drupal
Drupal
•added 2008/01/10 12:0 a.m.•10 views

SA-2008-003 - BUEditor - CSRF

BUEditor is a plain textarea editor aiming to facilitate code writing. It supports completely customizable interface and button functionality via role-based editors. The Drupal Forms API protects against cross site request forgeries CSRF, where a malicous site can cause a user to unintentionally...

6.9AI score
Exploits0References5
Drupal
Drupal
•added 2007/08/20 12:0 a.m.•10 views

Project and Project issue tracking - Access bypass

The Project and Project issue tracking modules provide a series of permissions to control access to projects and issues: "access projects", "access own projects", "access project issues" and "access own project issues". While these permissions correctly prevent users from viewing the entire proje...

6.6AI score
Exploits0References2
Drupal
Drupal
•added 2026/07/01 12:0 a.m.•9 views

Colorbox - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-069

The Colorbox module integrates with the Colorbox JavaScript library to display content in an overlay above the page. The module doesn't sufficiently protect against injection of malicious JavaScript under certain scenarios. This vulnerability is mitigated by the fact that an attacker must have a...

6AI score0.00204EPSS
Exploits0References3
Drupal
Drupal
•added 2026/06/17 12:0 a.m.•9 views

Flag attendance field - Critical - PHP object injection - SA-CONTRIB-2026-049

The Flag attendance field module gives you the ability to add attendance by depending on Flag module. flagattendancefield stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection vulnerability when th...

5.4AI score0.00173EPSS
Exploits0References3
Drupal
Drupal
•added 2026/06/17 12:0 a.m.•9 views

Plotly.js Graphing - Critical - PHP object injection - SA-CONTRIB-2026-050

The Plotly.js Graphing module provides a fully customizable implementation of the open source Plotly.js graphing library. The module stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection...

5.4AI score0.00161EPSS
Exploits0References2
Drupal
Drupal
•added 2026/06/10 12:0 a.m.•9 views

Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.2AI score0.00153EPSS
Exploits0References2
Drupal
Drupal
•added 2026/01/14 12:0 a.m.•9 views

Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002

This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the "administer permissions" permission. The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. A user...

8.8CVSS5.4AI score0.00221EPSS
Exploits0References1
Drupal
Drupal
•added 2025/07/02 12:0 a.m.•9 views

Two-factor Authentication (TFA) - Less critical - Access bypass - SA-CONTRIB-2025-085

This module enables you to allow and/or require a second authentication method in addition to password authentication. The module does not sufficiently ensure that users with enhanced privileges are prevented from viewing recovery codes of other users. This vulnerability is mitigated by the fact...

6.5CVSS5.7AI score0.00364EPSS
Exploits0References2
Drupal
Drupal
•added 2025/06/25 12:0 a.m.•9 views

CKEditor5 Youtube - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-081

The CKEditor5 Youtube module enhances content creation in Drupal by seamlessly integrating YouTube video embedding into the CKEditor 5 text editor. The module doesn't sufficiently validate iframe sources under the scenario where a user embeds a video using the CKEditor YouTube integration leading...

6.1CVSS5.6AI score0.00186EPSS
Exploits0References1
Drupal
Drupal
•added 2025/05/07 12:0 a.m.•9 views

Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-053

The module enables you to add second-factor authentication in addition to the default Drupal login. The module doesn't invoke two factor authentication 2FA for the password reset option. This vulnerability is mitigated by the fact that an attacker must have access to the password reset link...

7.5CVSS5.7AI score0.00356EPSS
Exploits0References3
Drupal
Drupal
•added 2025/02/26 12:0 a.m.•9 views

OAuth2 Server - Moderately critical - Access bypass - SA-CONTRIB-2025-020

Provides OAuth2 server functionality based on the oauth2-server-php library. The module does not consistently enforce admin configurations allowing users on a disabled server to still authenticate...

9.8CVSS5.5AI score0.00401EPSS
Exploits0References2
Drupal
Drupal
•added 2024/12/11 12:0 a.m.•9 views

Git Utilities for Drupal - Critical - Unsupported - SA-CONTRIB-2024-074

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

6.5CVSS7.1AI score0.00372EPSS
Exploits0References2
Drupal
Drupal
•added 2024/12/11 12:0 a.m.•9 views

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076

Open Social is a Drupal distribution for online communities, which ships with a default optional module socialfileprivate to ensure the images and files provided by the distribution are stored in the private instead of the public filesystem. For installations of Open Social prior to version 11.8....

5.3CVSS6.9AI score0.00297EPSS
Exploits0References6
Drupal
Drupal
•added 2024/12/04 12:0 a.m.•9 views

Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069

This module provides a field formatter for the field type 'file' called Table of files with download all link . The module had vulnerabilities allowing a user to download files they normally should not be able to download...

5.3CVSS7.2AI score0.00297EPSS
Exploits0References9
Drupal
Drupal
•added 2024/11/20 12:0 a.m.•9 views

Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005

Drupal 7 core's Overlay module doesn't safely handle user input, leading to reflected cross-site scripting under certain circumstances. Only sites with the Overlay module enabled are affected by this vulnerability...

6.1CVSS6AI score0.00314EPSS
Exploits0References11
Drupal
Drupal
•added 2024/11/20 12:0 a.m.•9 views

Node export - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-061

This module allows users to export nodes and then import it into another Drupal installation, or on the same site. In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize function, which could results in Remote Code Execution via PHP Object Injection...

6.6CVSS5.7AI score0.00399EPSS
Exploits0References5
Drupal
Drupal
•added 2024/10/09 12:0 a.m.•9 views

Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047

This module enables you to to easily create and manage faceted search interfaces. The module doesn't sufficiently filter for malicious script leading to a reflected cross site scripting XSS vulnerability. The vulnerability exists in the Facets Summary submodule. If you do not use that sub module...

6.1CVSS5.9AI score0.00228EPSS
Exploits0References8
Drupal
Drupal
•added 2024/10/02 12:0 a.m.•9 views

Persistent Login - Moderately critical - Access bypass - SA-CONTRIB-2024-044

This module enables users to remain logged in separately from session timeouts. The module doesn't sufficiently check a user's disabled status when validating cookies. This vulnerability is mitigated by the fact that an attacker must have an unexpired cookie from a previous successful login...

9.8CVSS6.9AI score0.00401EPSS
Exploits0References7
Drupal
Drupal
•added 2024/09/04 12:0 a.m.•9 views

Paragraphs table - Critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-036

This module enables field collections to be displayed as tables. It supports display suite and field permissions and provides operations modify, delete, duplicate. This module has multiple vulnerabilities due to the requirements on the routes it provides not being restrictive enough. Information...

6.3CVSS7.1AI score0.00235EPSS
Exploits0References10
Drupal
Drupal
•added 2024/09/04 12:0 a.m.•9 views

Freelinking - Moderately critical - Information Disclosure - SA-CONTRIB-2024-034

This module enables you to configure a wiki-like input filter that allows users to create links to site and external content. The module doesn't sufficiently check if a user has access to some URLs before rendering them as links. This vulnerability is mitigated by the fact that an attacker must...

4.3CVSS6.8AI score0.00301EPSS
Exploits0References7
Drupal
Drupal
•added 2024/09/04 12:0 a.m.•9 views

Open Social - Moderately critical - Cross Site Scripting, Denial of Service - SA-CONTRIB-2024-037

Open Social is a Drupal distribution for online communities, which ships with an optional module called Social Embed. This module allows a website to display embedded content such as photos or videos when a user posts a link to that resource, without having to parse the resource directly. Added...

5.4CVSS6.9AI score0.00213EPSS
Exploits0References7
Drupal
Drupal
•added 2022/08/10 12:0 a.m.•9 views

jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052

jQuery UI is a third-party library used by Drupal. The jQuery UI Checkboxradio module provides the jQuery UI Checkboxradio library which was previously in Drupal 8 core, but has since been removed from core and moved to this module. As part of the jQuery UI 1.13.2 update, the jQuery UI project...

6.1CVSS5.5AI score0.01933EPSS
Exploits1References7
Drupal
Drupal
•added 2019/12/11 12:0 a.m.•9 views

Taxonomy access fix - Moderately critical - Access bypass - SA-CONTRIB-2019-093

This module extends access handling of Drupal Core's Taxonomy module. The module doesn't sufficiently check, if a given entity should be access controlled, defaulting to allowing access even to unpublished Taxonomy Terms. if certain administrative routes should be access controlled, defaulting to...

5.7AI score
Exploits0References9
Total number of security vulnerabilities1940