1940 matches found
SA-CONTRIB-2011-015 - Translation Management - Multiple Vulnerabilities
This Translation Management module helps to manage the process of translating content on your site. The module has several vulnerabilities. It doesn't sufficiently escape user text when printed to the browser nor when used in database queries resulting in Cross Site Scripting XSS and SQL Injectio...
SA-CONTRIB-2010-065 - Content Construction Kit (CCK) - Access Bypass
The Content Construction Kit CCK project is a set of modules that allows you to add custom fields to nodes using a web browser. The CCK "Node Reference" module can be configured to display referenced nodes as hidden, title, teaser or full view. Node access was not checked when displaying these...
SA-CONTRIB-2010-060 - Scheduler - Cross Site Scripting
Scheduler allows nodes to be published and unpublished on specified dates. Scheduler does not sanitize titles for unpublished nodes on the scheduled nodes overview list, leading to a Cross Site Scripting XSS vulnerability that may lead to a malicious user gaining full administrative access. The...
SA-CONTRIB-2010-054 - Storm - Cross Site Scripting (XSS)
The Storm project provides a group of modules for project management and billing. The module displays data entered by users without sanitising it, allowing for a cross site scripting XSS attack that may lead to a malicious user gaining full administrative access. Versions affected Storm project f...
SA-CONTRIB-2010-056 - User Queue - Cross Site Request Forgery
The User Queue module allows you to create multiple queues, add users to them, and order the users within the queue. The module is vulnerable to cross-site request forgeries CSRF via the URL used to delete users from the queue. A user with "administer user queues" permission could be manipulated...
SA-CONTRIB-2010-059: Panels - Arbitrary PHP code execution
The Panels module allows a site administrator to create customized layouts for multiple uses. The "Mini panels" module, included with panels, was found to have an arbitrary PHP code execution vulnerability. Users with the 'create mini panels' permission could execute arbitrary PHP code on the...
SA-CONTRIB-2010-046: Award - Cross Site Scripting
The Award module allows administrators to identify one or more content types as "awards" that can be granted to users. When the title of an award is displayed on a user's profile page it is not properly sanitized, resulting in a cross site scripting vulnerability. Attackers must have the permissi...
SA-CONTRIB-2010-018 - Content Distribution - Multiple Vulnerabilities
Content Distribution module allows calling a method to delete particular nodes using a XML-RPC call. When this method is allowed to be called by anonymous users in user permissions, an attacker might delete a random node. In addition, certain actions require Content Distribution to temporarily...
SA-CONTRIB-2010-004 - Node block - Cross site scripting
This module allows you to specify content types as being a block. This allows the content managers of the site to edit the block text and title without having to access the block administration page. Users only need edit access to that node in order to edit it. Users with administer block access...
SA-CONTRIB-2009-109 - Printfriendly - Cross Site Scripting
The Printfriendly module integrates with printfriendly.com's print service. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. Versions affected Printfriendly module for Drupal 6.x prior to Printfriendly 6.x-1.6...
SA-CONTRIB-2009-087 - FAQ Ask - Multiple Vulnerabilities
The FAQ Ask module enables site users to ask questions for experts to answer. The module suffers multiple vulnerabilities, including Cross Site Request Forgeries CSRF and Cross Site Scripting problems Cross Site Scripting. These vulnerabilities allow an attacker to hijack the account of a logged ...
SA-CONTRIB-2009-075 - OG Vocabulary 5.x
The Organic Groups Vocabulary module enables an organic group to have a group specific vocabulary. In some specific cases, the module does not sanitize before outputting the group title, resulting in a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user gaining ful...
SA-CONTRIB-2009-074- Webform - Multiple vulnerabilities
Cross-site scripting The Webform module enables the creation of custom forms for collecting data from users. The Webform module does not properly escape field labels in certain situations. A malicious user with permission to create webforms could attempt a cross-site scripting XSS attack when...
SA-CONTRIB-2009-072 - RealName - Cross Site Scripting
The RealName module allows the administrator to choose fields from the user profile that will be used to add a "real name" element method to a user object. In some specific cases, the module does not sanitize before outputting the realname, resulting in a cross-site scripting XSS vulnerability...
SA-CONTRIB-2009-059 - OpenID - Multiple vulnerabilities
The contributed OpenID module for Drupal 5 allows users to create an account or log into a Drupal site using one or more OpenID identities. The module does not correctly implement Form API for the form that allows one to link user accounts with OpenID identifiers. A malicious user is therefore ab...
SA-CONTRIB-2009-058 - Comment RSS - Access bypass
The Comment RSS module provides RSS feeds for comments on individual nodes. The link to this feed contains the node's title. Adding the link to the RSS feed was not respecting access permissions, potentially exposing content not available otherwise. Versions affected Comment RSS for Drupal 5.x...
SA-CONTRIB-2009-052 - Printer, e-mail and PDF versions - Cross site scripting
The Printer, e-mail and PDF versions "Print" module provides printer-friendly versions of content. The module doesn't properly escape a number of user-supplied variables before output. A user who has the permission to add content could attempt a cross site scripting XSS attack which may in some...
SA-CONTRIB-2009-035 - Booktree - Cross site scripting
Booktree takes as input a series of Book nodes and create a tree-like structure using Book node relationships.The Booktree module does not properly escape node title and node body on tree root pages. A user with privileges to create book pages could attempt a cross site scripting XSS attack which...
SA-CONTRIB-2009-033 - Quiz - Cross site scripting
The Quiz module provides tools for authoring and administering quizzes through Drupal. A quiz is given as a series of questions, with only one question appearing per page. Scores are then stored in the database. The module does not properly escape user-supplied data on some pages, allowing...
SA-CONTRIB-2009-022 - Exif - Cross Site Scripting
The Exif module enables users to display EXIF tags in images on the site. EXIF tags are not properly filtered for HTML input, allowing users with permission to upload images to inject arbitrary code into the site using a specially crafted image. Such a cross site scripting XSS attack may lead to ...
SA-CONTRIB-2009-018 - Feed element mapper - Cross site scripting
Feed element mapper is an Add-on module for FeedAPI that maps elements on a feed item such as tags or the author name to taxonomy or CCK fields. These mappings are configurable by point and click. The module does not escape content titles enabling malicious users to insert arbitrary HTML and...
SA-CONTRIB-2009-017 - Vote Up/Down - Cross-site request forgery
The Vote Up/Down module provides a voting widget for content that records votes using Ajax. The URL for voting is vulnerable to cross-site request forgeries CSRF making it possible for users to unknowingly vote for content. Versions affected Vote Up/Down 5.x-1.x prior to 5.x-1.1 Vote Up/Down...
SA-CONTRIB-2009-013 CCK - Cross site scripting
The Node reference and User reference sub-modules, which are part of the Content Construction Kit CCK project, lets administrators define node fields that are references to other nodes or to users. When displaying a node edit form, the titles of candidate referenced nodes or names of candidate...
SA-CONTRIB-2009-005 - Views bulk operations - Cross site scripting
Views bulk operations augments Views by enabling bulk operations to be executed on the content displayed by a view. Views bulk operations does not properly escape user-supplied data on some pages, allowing malicious users to insert arbitrary HTML and script code into these pages. Such a cross sit...
SA-CONTRIB-2009-001 - Project release - Multiple vulnerabilities
Exploitable from: Remote Vulnerabilities: Arbitrary file upload, Cross-site scripting XSS The Project release module is a component within the broader Project module. This announcement covers the following two issues: 1. Project release enables file attachments to create a specific version of cod...
SA-2008-030 - Site Documentation - Privilege escalation
The contributed module Site Documentation intends to assist developers and administrators when they start working with a new site by showing them information from the database. All users with the "access content" permission are able to use the module to list arbitrary tables from the database. In...
SA-2008-027 - Ubercart - Cross site scripting
When certain product features were being edited, node titles were being printed to the screen as entered by the user. If a store owner had granted product creation rights to a non-secure user, this would provide an opportunity for a malicious user to perform a cross site scripting attack when...
SA-2008-003 - BUEditor - CSRF
BUEditor is a plain textarea editor aiming to facilitate code writing. It supports completely customizable interface and button functionality via role-based editors. The Drupal Forms API protects against cross site request forgeries CSRF, where a malicous site can cause a user to unintentionally...
Project and Project issue tracking - Access bypass
The Project and Project issue tracking modules provide a series of permissions to control access to projects and issues: "access projects", "access own projects", "access project issues" and "access own project issues". While these permissions correctly prevent users from viewing the entire proje...
Colorbox - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-069
The Colorbox module integrates with the Colorbox JavaScript library to display content in an overlay above the page. The module doesn't sufficiently protect against injection of malicious JavaScript under certain scenarios. This vulnerability is mitigated by the fact that an attacker must have a...
Flag attendance field - Critical - PHP object injection - SA-CONTRIB-2026-049
The Flag attendance field module gives you the ability to add attendance by depending on Flag module. flagattendancefield stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection vulnerability when th...
Plotly.js Graphing - Critical - PHP object injection - SA-CONTRIB-2026-050
The Plotly.js Graphing module provides a fully customizable implementation of the open source Plotly.js graphing library. The module stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection...
Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002
This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the "administer permissions" permission. The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. A user...
Two-factor Authentication (TFA) - Less critical - Access bypass - SA-CONTRIB-2025-085
This module enables you to allow and/or require a second authentication method in addition to password authentication. The module does not sufficiently ensure that users with enhanced privileges are prevented from viewing recovery codes of other users. This vulnerability is mitigated by the fact...
CKEditor5 Youtube - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-081
The CKEditor5 Youtube module enhances content creation in Drupal by seamlessly integrating YouTube video embedding into the CKEditor 5 text editor. The module doesn't sufficiently validate iframe sources under the scenario where a user embeds a video using the CKEditor YouTube integration leading...
Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-053
The module enables you to add second-factor authentication in addition to the default Drupal login. The module doesn't invoke two factor authentication 2FA for the password reset option. This vulnerability is mitigated by the fact that an attacker must have access to the password reset link...
OAuth2 Server - Moderately critical - Access bypass - SA-CONTRIB-2025-020
Provides OAuth2 server functionality based on the oauth2-server-php library. The module does not consistently enforce admin configurations allowing users on a disabled server to still authenticate...
Git Utilities for Drupal - Critical - Unsupported - SA-CONTRIB-2024-074
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076
Open Social is a Drupal distribution for online communities, which ships with a default optional module socialfileprivate to ensure the images and files provided by the distribution are stored in the private instead of the public filesystem. For installations of Open Social prior to version 11.8....
Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069
This module provides a field formatter for the field type 'file' called Table of files with download all link . The module had vulnerabilities allowing a user to download files they normally should not be able to download...
Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005
Drupal 7 core's Overlay module doesn't safely handle user input, leading to reflected cross-site scripting under certain circumstances. Only sites with the Overlay module enabled are affected by this vulnerability...
Node export - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-061
This module allows users to export nodes and then import it into another Drupal installation, or on the same site. In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize function, which could results in Remote Code Execution via PHP Object Injection...
Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047
This module enables you to to easily create and manage faceted search interfaces. The module doesn't sufficiently filter for malicious script leading to a reflected cross site scripting XSS vulnerability. The vulnerability exists in the Facets Summary submodule. If you do not use that sub module...
Persistent Login - Moderately critical - Access bypass - SA-CONTRIB-2024-044
This module enables users to remain logged in separately from session timeouts. The module doesn't sufficiently check a user's disabled status when validating cookies. This vulnerability is mitigated by the fact that an attacker must have an unexpired cookie from a previous successful login...
Paragraphs table - Critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-036
This module enables field collections to be displayed as tables. It supports display suite and field permissions and provides operations modify, delete, duplicate. This module has multiple vulnerabilities due to the requirements on the routes it provides not being restrictive enough. Information...
Freelinking - Moderately critical - Information Disclosure - SA-CONTRIB-2024-034
This module enables you to configure a wiki-like input filter that allows users to create links to site and external content. The module doesn't sufficiently check if a user has access to some URLs before rendering them as links. This vulnerability is mitigated by the fact that an attacker must...
Open Social - Moderately critical - Cross Site Scripting, Denial of Service - SA-CONTRIB-2024-037
Open Social is a Drupal distribution for online communities, which ships with an optional module called Social Embed. This module allows a website to display embedded content such as photos or videos when a user posts a link to that resource, without having to parse the resource directly. Added...
jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052
jQuery UI is a third-party library used by Drupal. The jQuery UI Checkboxradio module provides the jQuery UI Checkboxradio library which was previously in Drupal 8 core, but has since been removed from core and moved to this module. As part of the jQuery UI 1.13.2 update, the jQuery UI project...
Taxonomy access fix - Moderately critical - Access bypass - SA-CONTRIB-2019-093
This module extends access handling of Drupal Core's Taxonomy module. The module doesn't sufficiently check, if a given entity should be access controlled, defaulting to allowing access even to unpublished Taxonomy Terms. if certain administrative routes should be access controlled, defaulting to...