Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
•added 2024/09/04 12:0 a.m.•9 views

Open Social - Moderately critical - Cross Site Scripting, Denial of Service - SA-CONTRIB-2024-037

Open Social is a Drupal distribution for online communities, which ships with an optional module called Social Embed. This module allows a website to display embedded content such as photos or videos when a user posts a link to that resource, without having to parse the resource directly. Added...

5.4CVSS6.9AI score0.00213EPSS
Exploits0References7
Drupal
Drupal
•added 2023/01/11 12:0 a.m.•9 views

Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001

This module enables users to create 'private' vocabularies. The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View...

5.6AI score
Exploits0References7
Drupal
Drupal
•added 2022/08/10 12:0 a.m.•9 views

jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052

jQuery UI is a third-party library used by Drupal. The jQuery UI Checkboxradio module provides the jQuery UI Checkboxradio library which was previously in Drupal 8 core, but has since been removed from core and moved to this module. As part of the jQuery UI 1.13.2 update, the jQuery UI project...

6.1CVSS5.5AI score0.01933EPSS
Exploits1References7
Drupal
Drupal
•added 2019/12/11 12:0 a.m.•9 views

Taxonomy access fix - Moderately critical - Access bypass - SA-CONTRIB-2019-093

This module extends access handling of Drupal Core's Taxonomy module. The module doesn't sufficiently check, if a given entity should be access controlled, defaulting to allowing access even to unpublished Taxonomy Terms. if certain administrative routes should be access controlled, defaulting to...

5.7AI score
Exploits0References9
Drupal
Drupal
•added 2019/11/13 12:0 a.m.•9 views

Webform Report - Critical - Unsupported - SA-CONTRIB-2019-086

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
•added 2019/08/21 12:0 a.m.•9 views

Imagecache External - Critical - Insecure session token management - SA-CONTRIB-2019-065

This module that allows you to store external images on your server and apply your own Image Styles. The module exposes cookies to external sites when making external image requests. This vulnerability is mitigated by using the whitelisted host feature to restrict external image requests from...

5.5AI score
Exploits0References7Affected Software1
Drupal
Drupal
•added 2019/07/10 12:0 a.m.•9 views

Custom Permissions - Critical - Access bypass - SA-CONTRIB-2019-055

This module enables you to add and manage additional custom permissions through the administration UI. The module doesn't sufficiently check for the proper access permissions to this page. This vulnerability is mitigated by the fact that an attacker must know the route of the Custom Permissions...

6.6AI score
Exploits0References6
Drupal
Drupal
•added 2019/03/13 12:0 a.m.•9 views

Simple hierarchical select - Moderately critical - Cross site request forgery - SA-CONTRIB-2019-038

Simple hierarchical select defines a new form widget for taxonomy fields to select a term by "browsing" through the vocabularies hierarchy. It also allows users to create new taxonomy terms using its widget directly in the node form. Version 7.x of Simple hierarchical select doesn't sufficiently...

7AI score
Exploits0References4
Drupal
Drupal
•added 2018/08/29 12:0 a.m.•9 views

Commerce Core - Moderately critical - Access bypass - SA-CONTRIB-2018-057

This module enables you to build eCommerce websites and applications with Drupal. The module doesn't sufficiently check access for some of its entity types...

6.9AI score
Exploits0References6
Drupal
Drupal
•added 2018/07/25 12:0 a.m.•9 views

Select (or other) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-054

This module enables users to select 'other' on certain form elements and a textfield appears for the user to provide a custom value. The module doesn't sufficiently escape values of a text field the under the scenario when "Select or other" formatter is used. This vulnerability is mitigated by th...

6.5AI score
Exploits0References7
Drupal
Drupal
•added 2017/04/12 12:0 a.m.•9 views

@Base - Critical - Unsupported - SA-CONTRIB-2017-040

Provide some more API for developer to work with Drupal 7. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466...

7.2AI score
Exploits0References8
Drupal
Drupal
•added 2017/03/01 12:0 a.m.•9 views

Remember Me - Critical - Unsupported - SA-CONTRIB-2017-025

Updates 2017-04-23 — This issue has been resolved with the release of rememberme 7.x-1.1 Remember me is a module that allows users to check "Remember me" when logging in. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed ...

7.1AI score
Exploits0References10
Drupal
Drupal
•added 2016/07/13 12:0 a.m.•9 views

RESTWS - Highly critical - Remote code execution - SA-CONTRIB-2016-040

This module enables you to expose Drupal entities as RESTful web services. RESTWS alters the default page callbacks for entities to provide additional functionality. A vulnerability in this approach allows an attacker to send specially crafted requests resulting in arbitrary PHP execution. There...

7.3AI score
Exploits0References12
Drupal
Drupal
•added 2014/04/09 12:0 a.m.•9 views

SA-CONTRIB-2014-039 - Revisioning - Access Bypass

This module enables you to manage publication workflows whereby new, not publicly visible revisions of existing published content may be created by an author for review, while the current revision remains live to the public. The new revision does not go live until it is approved by a moderator wi...

6.9AI score
Exploits0References11
Drupal
Drupal
•added 2012/09/05 12:0 a.m.•9 views

SA-CONTRIB-2012-137 - Heartbeat - Cross Site Request Forgery (CSRF) in heartbeat_comments

This module enables you to display activity for events on a site. The sub-modules heartbeatcomments and shouts don't sufficiently check the heartbeat comment post values making it possible for an attacker to cause a user to unknowingly make comments. CVE: Requested Versions affected...

7AI score
Exploits0References11
Drupal
Drupal
•added 2012/08/01 12:0 a.m.•9 views

SA-CONTRIB-2012-120 - Monthly Archive by Node Type - Access Bypass (unsupported)

This module generates a monthly archive and block for specified node types, as well as an archive and block for whichever collection of node types you specify. The module doesn't sufficiently ensure node access for sites that use a node access system. This vulnerability is mitigated by the fact...

7AI score
Exploits0References8
Drupal
Drupal
•added 2012/07/18 12:0 a.m.•9 views

SA-CONTRIB-2012-114 - Campaign Monitor - Cross Site Scripting (XSS)

This module enables you to integrate Campaign Monitor into Drupal so you can give users the ability to subscribe and unsubscribe for your Campaign Monitor lists. The module doesn't sufficiently validate strings entered in the administration interface. This vulnerability is mitigated by the fact...

6.9AI score
Exploits0References10
Drupal
Drupal
•added 2011/10/05 12:0 a.m.•9 views

SA-CONTRIB-2011-047 - OG Features access bypass

OG Features provides a mechanism for groups to enable or disable certain bundles of functionality, of features, within the groups they administer. The module is able to turn components on and off within given groups by overriding the access callbacks of every menu item, and checking conditions...

6.8AI score
Exploits0References11
Drupal
Drupal
•added 2011/09/21 12:0 a.m.•9 views

SA-CONTRIB-2011-042 Views Bulk Operations - Cross Site Scripting

The Views Bulk Operations VBO module allows actions and rules to be run on the selected views rows nodes, terms, user, etc. It also bundles several convenient actions. One of those actions allows the bulk modification of taxonomy terms on a node. When using the "Modify node taxonomy terms" action...

6.3AI score
Exploits0References9
Drupal
Drupal
•added 2011/08/17 12:0 a.m.•9 views

SA-CONTRIB-2011-036 - Addresses - Cross Site Scripting

This module enables you to link your users and contents to physical addresses. The module doesn't sufficiently filter output when displaying an address. This vulnerability is mitigated by the fact that the module doesn't use the single line display by default, an administrator has to enable that...

6.8AI score
Exploits0References8
Drupal
Drupal
•added 2011/07/20 12:0 a.m.•9 views

SA-CONTRIB-2011-031 - SunMailer - Access bypass

SunMailer Newsletter creates an email newsletter that users can subscribe to. The module includes a page where authenticated users can view and/or edit their newsletter subscription. Access to this page was accidentally granted to anonymous users, creating an access bypass that disclosed all user...

6.9AI score
Exploits0References8
Drupal
Drupal
•added 2011/07/06 12:0 a.m.•9 views

SA-CONTRIB-2011-028 - Simple Clean - Cross Site Scripting

Simple Clean is a simple and stripped clean theme for Drupal. The theme contains a cross site scripting XSS vulnerability that can be exploited when posting comments. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "post comments". Versions affect...

5.9AI score
Exploits0References9
Drupal
Drupal
•added 2011/01/10 12:0 a.m.•9 views

SA-CONTRIB-2011-001 - Webform - SQL Injection

The contributed webform module provides a webform nodetype. Typical uses for webform are to create questionnaires, contact or request/register forms, surveys, polls or a front end to issues tracking systems. The module does not properly use the database API, leading to an SQL Injection...

8.3AI score
Exploits0References8
Drupal
Drupal
•added 2010/09/15 12:0 a.m.•9 views

SA-CONTRIB-2010-091 - Mollom - Information Disclosure

The Mollom module provides a combination of CAPTCHA challenges with text analysis to intelligently block spam. In some configurations, sensitive user data e.g., a user's plain-text password might be logged through calls to Drupal's watchdog API. This vulnerability is mitigated by the fact that th...

6.5AI score
Exploits0References7
Drupal
Drupal
•added 2010/08/11 12:0 a.m.•9 views

SA-CONTRIB-2010-086 - Prepopulate - Access Bypass

The Prepopulate module provides the ability for form fields to be pre-populated via the request sent for the form. The module is vulnerable to access bypass which would allow a malicious user to change the value of fields they would not otherwise have access to alter. Versions affected Prepopulat...

7.1AI score
Exploits0References7
Drupal
Drupal
•added 2010/03/03 12:0 a.m.•9 views

SA-CONTRIB-2010-021 - AddThis Button - Cross Site Scripting

The AddThis module provides an easy way to share content to over 230 supported services such as Facebook, Email and Twitter. The module did not sanitize some user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. Only users with the 'administer addthis'...

6.2AI score
Exploits0References7
Drupal
Drupal
•added 2010/01/20 12:0 a.m.•9 views

SA-CONTRIB-2010-009 - Block Class - Cross Site Scripting

Block Class module allows users to add classes to any block through the block's configuration interface. This release includes a fix for a cross-site scripting XSS vulnerability through which JavaScript could be inserted in the class field of a block's configuration interface. Versions affected...

5.9AI score
Exploits0References7
Drupal
Drupal
•added 2009/11/18 12:0 a.m.•9 views

SA-CONTRIB-2009-102 - PHPList Integration Module - Cross Site Request Forgery

The PHPList module provides a basic level of integration between Drupal and the PHPList mailing list application. The Drupal Forms API protects against cross site request forgeries CSRF, where a malicious site can cause a user to unintentionally submit a form to a site where they are authenticate...

6.7AI score
Exploits0References6
Drupal
Drupal
•added 2009/11/04 12:0 a.m.•9 views

SA-CONTRIB-2009-092 - S5 Presentation Player Cross Site Scripting

The S5 Presentation Player module enables the creation of an S5 slideshow using content from the site. The module does not properly sanitize user supplied text it includes in the HTML HEAD section, leading to a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user...

5.9AI score
Exploits0References6
Drupal
Drupal
•added 2009/11/04 12:0 a.m.•9 views

SA-CONTRIB-2009-090 - User Protect - Cross Site Request Forgery

User Protect provides various editing protection for users. The protections can be specific to a user, or applied to all users in a role. User administrators can be individually configured to be allowed to bypass the protections. The Drupal Forms API protects against cross site request forgeries...

6.8AI score
Exploits0References7
Drupal
Drupal
•added 2009/09/30 12:0 a.m.•9 views

SA-CONTRIB-2009-063 - XML sitemap - Cross Site Scripting

The XML sitemap module creates a sitemap that conforms to the sitemaps.org specification. It also allows users with the 'administer site configuration' permission to add additional custom links to be included in the sitemap. In the additional links interface, the module does not properly sanitize...

6.2AI score
Exploits0References5
Drupal
Drupal
•added 2009/05/20 12:0 a.m.•9 views

SA-CONTRIB-2009-030 - Email Verification - Information disclosure / Cross Site Scripting

The Email Verification module tries to verify user email addresses by talking to the appropriate SMTP host. It also allows the administrator to access a list of not confirmed email addresses. In the Drupal 5 version, this list is only protected by the "access content" permission, hence allowing a...

6.1AI score
Exploits0References5
Drupal
Drupal
•added 2009/02/28 12:0 a.m.•9 views

SA-CONTRIB-2009-008 - Taxonomy Theme - Cross site scripting

The Taxonomy Theme module allows a website adminstrator to change the theme of a given content item based on taxonomy, vocabulary or content type. It does not properly sanitize user-supplied data on a number of places. This allows users with the "administer taxonomy" permission, or, when tagging ...

5.9AI score
Exploits0References4
Drupal
Drupal
•added 2008/11/05 12:0 a.m.•9 views

SA-2008-069 - CCK for 5.x and 6.x - XSS vulnerabilities

The Content Construction Kit CCK allows certain privileged users to add custom fields to content types using a web browser. Some field labels and content-type names are displayed without appropriate filtering in the administrative interface. Malicious users with the "administer content" permissio...

6AI score
Exploits0References3
Drupal
Drupal
•added 2008/10/15 12:0 a.m.•9 views

SA-2008-066 - Shindig-Integrator - Multiple vulnerabilities

Shindig-Integrator integrates the open social Shindig container with Drupal. The module contains numerous flaws. Among them are the following issues. Malicious users are able to insert arbitrary HTML and script code into certain module generated pages. Such a Cross site scripting vulnerability ca...

6.8AI score
Exploits0References3
Drupal
Drupal
•added 2005/10/30 12:0 a.m.•9 views

Unintentionally logging credit card transactions

Solar Designer of the Openwall Project reported a security vulnerability in the contributed authorizenet module which is part of the ecommerce package. Credit card information was being stored in a system log file. The system should not be saving this information. Versions affected Please check t...

5.4AI score
Exploits0References5
Drupal
Drupal
•added 2005/10/03 12:0 a.m.•9 views

SQL injection and PHP code execution

Wolfgang Ziegler has discovered multiple security vulnerabilities in the contributed flexinode module. Versions affected Please check the CVS $Id$ fields in the following files to determine whether the version of the flexinode module you are running is vulnerable. All versions older than the...

5.4AI score
Exploits0References5
Drupal
Drupal
•added 2026/06/24 12:0 a.m.•8 views

Advanced Content Feedback (aka admin_feedback) - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-051

This module enables you to collect feedback from your site visitors on content pages, presenting Yes/No buttons and providing dashboards for administrators to review the responses. The module doesn't sufficiently sanitize several administrator-configured response messages the "Yes response", "No...

5.8AI score0.00161EPSS
Exploits0References2
Drupal
Drupal
•added 2026/06/24 12:0 a.m.•8 views

AI Agents - Less critical - Access bypass - SA-CONTRIB-2026-056

This module provides the entity type and runtime for Drupal AI Agents, enabling agents to use tools. The module does not sufficiently check the required permissions when a tool loads content entities. This vulnerability is mitigated by the fact that an agent must be configured to use the affected...

5.9AI score0.00142EPSS
Exploits0References4
Drupal
Drupal
•added 2026/06/24 12:0 a.m.•8 views

Advanced Content Feedback (aka admin_feedback) - Moderately critical - Access bypass / Insecure Direct Object Reference (IDOR) - SA-CONTRIB-2026-052

This module enables you to collect feedback from your site visitors on content pages, allowing them to optionally attach a free-text comment to their Yes/No vote. The module doesn't sufficiently verify authorization over the targeted feedback record when processing a comment submission. This...

5.8AI score0.00142EPSS
Exploits0References2
Drupal
Drupal
•added 2025/03/05 12:0 a.m.•8 views

Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2025-023

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. The module does not sufficiently ensure that known login routes are not overridden by third-party modules which can allow an access bypass to occur. This vulnerabili...

8.1CVSS5.6AI score0.00369EPSS
Exploits0References3
Drupal
Drupal
•added 2025/02/05 12:0 a.m.•8 views

OAuth2 Client - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-013

This module enables a developer to create dedicated OAuth2 clients for connecting to external APIs and other OAuth protected resources. The module does not use Cross Site Request Forgery CSRF tokens to protect routes for enabling a client. This vulnerability is mitigated by the fact that an...

6.8CVSS5.6AI score0.00167EPSS
Exploits0References6
Drupal
Drupal
•added 2024/12/11 12:0 a.m.•8 views

Allow All File Extensions for file fields - Critical - Unsupported - SA-CONTRIB-2024-075

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

7.3CVSS7.1AI score0.00339EPSS
Exploits0References2
Drupal
Drupal
•added 2024/10/30 12:0 a.m.•8 views

OhDear Integration - Moderately critical - Access bypass - SA-CONTRIB-2024-056

Integrates your Drupal website with the Oh Dear monitoring app. Cached data of monitoring results is accessible to non-logged in users when caching is enabled on the module. This vulnerability is mitigated by the fact that it only affects sites where caching is enabled for OhDear report healthche...

5.3CVSS5.5AI score0.00297EPSS
Exploits0References6
Drupal
Drupal
•added 2024/10/23 12:0 a.m.•8 views

SVG Embed - Moderately critical - Cross site scripting - SA-CONTRIB-2024-050

This module enables you to embed the content of an SVG file into the body html of a node and optionally allows to translate text contained within the image. The module doesn't sufficiently sanitize the SVG file before embedding it into the html. This vulnerability is mitigated by the fact that an...

5.4CVSS7AI score0.00213EPSS
Exploits0References6
Drupal
Drupal
•added 2024/10/09 12:0 a.m.•8 views

Monster Menus - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-045

This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure. A function which can be used by third-party code does not return valid data under certain rare circumstances. If the third-party code relies on this data to decide whether to grant...

9.1CVSS7.1AI score0.00347EPSS
Exploits0References6
Drupal
Drupal
•added 2024/10/09 12:0 a.m.•8 views

Block permissions - Moderately critical - Access bypass - SA-CONTRIB-2024-046

This module enables you to manage blocks from specific modules in the specific themes. The module doesn't sufficiently check permissions under the scenario when a block is added using the form "/admin/structure/block/add/pluginid/theme" route "block.adminadd". The attacker can add the block to th...

8.8CVSS7AI score0.00331EPSS
Exploits0References7
Drupal
Drupal
•added 2024/10/02 12:0 a.m.•8 views

Diff - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-042

This module adds a tab for sufficiently permissioned users. The tab shows all revisions like standard Drupal but it also allows pretty viewing of all added/changed/deleted words between revisions. The module doesn't sufficiently check revision access before rendering a diff report for 1 nodes or ...

9.1CVSS7AI score0.00347EPSS
Exploits0References7
Drupal
Drupal
•added 2024/09/11 12:0 a.m.•8 views

File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040

This module enables you to store and manage both private and public files, provides the ability to add fieldable metadata for fileentity bundle types in addition to core filemanaged data. The module doesn't sufficiently ensure that folders exist within the private destination prior to writing to...

7.5CVSS7AI score0.00366EPSS
Exploits0References7
Drupal
Drupal
•added 2023/05/03 12:0 a.m.•8 views

S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2023-014

S3 File System s3fs provides an additional file system to your Drupal site, which stores files in Amazon's Simple Storage Service S3 or any other S3-compatible storage service. This module may fail to validate that a file being requested to be moved to storage was uploaded during the same web...

5.6AI score
Exploits0References4
Total number of security vulnerabilities1940