1940 matches found
Open Social - Moderately critical - Cross Site Scripting, Denial of Service - SA-CONTRIB-2024-037
Open Social is a Drupal distribution for online communities, which ships with an optional module called Social Embed. This module allows a website to display embedded content such as photos or videos when a user posts a link to that resource, without having to parse the resource directly. Added...
Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001
This module enables users to create 'private' vocabularies. The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View...
jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052
jQuery UI is a third-party library used by Drupal. The jQuery UI Checkboxradio module provides the jQuery UI Checkboxradio library which was previously in Drupal 8 core, but has since been removed from core and moved to this module. As part of the jQuery UI 1.13.2 update, the jQuery UI project...
Taxonomy access fix - Moderately critical - Access bypass - SA-CONTRIB-2019-093
This module extends access handling of Drupal Core's Taxonomy module. The module doesn't sufficiently check, if a given entity should be access controlled, defaulting to allowing access even to unpublished Taxonomy Terms. if certain administrative routes should be access controlled, defaulting to...
Webform Report - Critical - Unsupported - SA-CONTRIB-2019-086
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Imagecache External - Critical - Insecure session token management - SA-CONTRIB-2019-065
This module that allows you to store external images on your server and apply your own Image Styles. The module exposes cookies to external sites when making external image requests. This vulnerability is mitigated by using the whitelisted host feature to restrict external image requests from...
Custom Permissions - Critical - Access bypass - SA-CONTRIB-2019-055
This module enables you to add and manage additional custom permissions through the administration UI. The module doesn't sufficiently check for the proper access permissions to this page. This vulnerability is mitigated by the fact that an attacker must know the route of the Custom Permissions...
Simple hierarchical select - Moderately critical - Cross site request forgery - SA-CONTRIB-2019-038
Simple hierarchical select defines a new form widget for taxonomy fields to select a term by "browsing" through the vocabularies hierarchy. It also allows users to create new taxonomy terms using its widget directly in the node form. Version 7.x of Simple hierarchical select doesn't sufficiently...
Commerce Core - Moderately critical - Access bypass - SA-CONTRIB-2018-057
This module enables you to build eCommerce websites and applications with Drupal. The module doesn't sufficiently check access for some of its entity types...
Select (or other) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-054
This module enables users to select 'other' on certain form elements and a textfield appears for the user to provide a custom value. The module doesn't sufficiently escape values of a text field the under the scenario when "Select or other" formatter is used. This vulnerability is mitigated by th...
@Base - Critical - Unsupported - SA-CONTRIB-2017-040
Provide some more API for developer to work with Drupal 7. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466...
Remember Me - Critical - Unsupported - SA-CONTRIB-2017-025
Updates 2017-04-23 — This issue has been resolved with the release of rememberme 7.x-1.1 Remember me is a module that allows users to check "Remember me" when logging in. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed ...
RESTWS - Highly critical - Remote code execution - SA-CONTRIB-2016-040
This module enables you to expose Drupal entities as RESTful web services. RESTWS alters the default page callbacks for entities to provide additional functionality. A vulnerability in this approach allows an attacker to send specially crafted requests resulting in arbitrary PHP execution. There...
SA-CONTRIB-2014-039 - Revisioning - Access Bypass
This module enables you to manage publication workflows whereby new, not publicly visible revisions of existing published content may be created by an author for review, while the current revision remains live to the public. The new revision does not go live until it is approved by a moderator wi...
SA-CONTRIB-2012-137 - Heartbeat - Cross Site Request Forgery (CSRF) in heartbeat_comments
This module enables you to display activity for events on a site. The sub-modules heartbeatcomments and shouts don't sufficiently check the heartbeat comment post values making it possible for an attacker to cause a user to unknowingly make comments. CVE: Requested Versions affected...
SA-CONTRIB-2012-120 - Monthly Archive by Node Type - Access Bypass (unsupported)
This module generates a monthly archive and block for specified node types, as well as an archive and block for whichever collection of node types you specify. The module doesn't sufficiently ensure node access for sites that use a node access system. This vulnerability is mitigated by the fact...
SA-CONTRIB-2012-114 - Campaign Monitor - Cross Site Scripting (XSS)
This module enables you to integrate Campaign Monitor into Drupal so you can give users the ability to subscribe and unsubscribe for your Campaign Monitor lists. The module doesn't sufficiently validate strings entered in the administration interface. This vulnerability is mitigated by the fact...
SA-CONTRIB-2011-047 - OG Features access bypass
OG Features provides a mechanism for groups to enable or disable certain bundles of functionality, of features, within the groups they administer. The module is able to turn components on and off within given groups by overriding the access callbacks of every menu item, and checking conditions...
SA-CONTRIB-2011-042 Views Bulk Operations - Cross Site Scripting
The Views Bulk Operations VBO module allows actions and rules to be run on the selected views rows nodes, terms, user, etc. It also bundles several convenient actions. One of those actions allows the bulk modification of taxonomy terms on a node. When using the "Modify node taxonomy terms" action...
SA-CONTRIB-2011-036 - Addresses - Cross Site Scripting
This module enables you to link your users and contents to physical addresses. The module doesn't sufficiently filter output when displaying an address. This vulnerability is mitigated by the fact that the module doesn't use the single line display by default, an administrator has to enable that...
SA-CONTRIB-2011-031 - SunMailer - Access bypass
SunMailer Newsletter creates an email newsletter that users can subscribe to. The module includes a page where authenticated users can view and/or edit their newsletter subscription. Access to this page was accidentally granted to anonymous users, creating an access bypass that disclosed all user...
SA-CONTRIB-2011-028 - Simple Clean - Cross Site Scripting
Simple Clean is a simple and stripped clean theme for Drupal. The theme contains a cross site scripting XSS vulnerability that can be exploited when posting comments. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "post comments". Versions affect...
SA-CONTRIB-2011-001 - Webform - SQL Injection
The contributed webform module provides a webform nodetype. Typical uses for webform are to create questionnaires, contact or request/register forms, surveys, polls or a front end to issues tracking systems. The module does not properly use the database API, leading to an SQL Injection...
SA-CONTRIB-2010-091 - Mollom - Information Disclosure
The Mollom module provides a combination of CAPTCHA challenges with text analysis to intelligently block spam. In some configurations, sensitive user data e.g., a user's plain-text password might be logged through calls to Drupal's watchdog API. This vulnerability is mitigated by the fact that th...
SA-CONTRIB-2010-086 - Prepopulate - Access Bypass
The Prepopulate module provides the ability for form fields to be pre-populated via the request sent for the form. The module is vulnerable to access bypass which would allow a malicious user to change the value of fields they would not otherwise have access to alter. Versions affected Prepopulat...
SA-CONTRIB-2010-021 - AddThis Button - Cross Site Scripting
The AddThis module provides an easy way to share content to over 230 supported services such as Facebook, Email and Twitter. The module did not sanitize some user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. Only users with the 'administer addthis'...
SA-CONTRIB-2010-009 - Block Class - Cross Site Scripting
Block Class module allows users to add classes to any block through the block's configuration interface. This release includes a fix for a cross-site scripting XSS vulnerability through which JavaScript could be inserted in the class field of a block's configuration interface. Versions affected...
SA-CONTRIB-2009-102 - PHPList Integration Module - Cross Site Request Forgery
The PHPList module provides a basic level of integration between Drupal and the PHPList mailing list application. The Drupal Forms API protects against cross site request forgeries CSRF, where a malicious site can cause a user to unintentionally submit a form to a site where they are authenticate...
SA-CONTRIB-2009-092 - S5 Presentation Player Cross Site Scripting
The S5 Presentation Player module enables the creation of an S5 slideshow using content from the site. The module does not properly sanitize user supplied text it includes in the HTML HEAD section, leading to a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user...
SA-CONTRIB-2009-090 - User Protect - Cross Site Request Forgery
User Protect provides various editing protection for users. The protections can be specific to a user, or applied to all users in a role. User administrators can be individually configured to be allowed to bypass the protections. The Drupal Forms API protects against cross site request forgeries...
SA-CONTRIB-2009-063 - XML sitemap - Cross Site Scripting
The XML sitemap module creates a sitemap that conforms to the sitemaps.org specification. It also allows users with the 'administer site configuration' permission to add additional custom links to be included in the sitemap. In the additional links interface, the module does not properly sanitize...
SA-CONTRIB-2009-030 - Email Verification - Information disclosure / Cross Site Scripting
The Email Verification module tries to verify user email addresses by talking to the appropriate SMTP host. It also allows the administrator to access a list of not confirmed email addresses. In the Drupal 5 version, this list is only protected by the "access content" permission, hence allowing a...
SA-CONTRIB-2009-008 - Taxonomy Theme - Cross site scripting
The Taxonomy Theme module allows a website adminstrator to change the theme of a given content item based on taxonomy, vocabulary or content type. It does not properly sanitize user-supplied data on a number of places. This allows users with the "administer taxonomy" permission, or, when tagging ...
SA-2008-069 - CCK for 5.x and 6.x - XSS vulnerabilities
The Content Construction Kit CCK allows certain privileged users to add custom fields to content types using a web browser. Some field labels and content-type names are displayed without appropriate filtering in the administrative interface. Malicious users with the "administer content" permissio...
SA-2008-066 - Shindig-Integrator - Multiple vulnerabilities
Shindig-Integrator integrates the open social Shindig container with Drupal. The module contains numerous flaws. Among them are the following issues. Malicious users are able to insert arbitrary HTML and script code into certain module generated pages. Such a Cross site scripting vulnerability ca...
Unintentionally logging credit card transactions
Solar Designer of the Openwall Project reported a security vulnerability in the contributed authorizenet module which is part of the ecommerce package. Credit card information was being stored in a system log file. The system should not be saving this information. Versions affected Please check t...
SQL injection and PHP code execution
Wolfgang Ziegler has discovered multiple security vulnerabilities in the contributed flexinode module. Versions affected Please check the CVS $Id$ fields in the following files to determine whether the version of the flexinode module you are running is vulnerable. All versions older than the...
Advanced Content Feedback (aka admin_feedback) - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-051
This module enables you to collect feedback from your site visitors on content pages, presenting Yes/No buttons and providing dashboards for administrators to review the responses. The module doesn't sufficiently sanitize several administrator-configured response messages the "Yes response", "No...
AI Agents - Less critical - Access bypass - SA-CONTRIB-2026-056
This module provides the entity type and runtime for Drupal AI Agents, enabling agents to use tools. The module does not sufficiently check the required permissions when a tool loads content entities. This vulnerability is mitigated by the fact that an agent must be configured to use the affected...
Advanced Content Feedback (aka admin_feedback) - Moderately critical - Access bypass / Insecure Direct Object Reference (IDOR) - SA-CONTRIB-2026-052
This module enables you to collect feedback from your site visitors on content pages, allowing them to optionally attach a free-text comment to their Yes/No vote. The module doesn't sufficiently verify authorization over the targeted feedback record when processing a comment submission. This...
Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2025-023
This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. The module does not sufficiently ensure that known login routes are not overridden by third-party modules which can allow an access bypass to occur. This vulnerabili...
OAuth2 Client - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-013
This module enables a developer to create dedicated OAuth2 clients for connecting to external APIs and other OAuth protected resources. The module does not use Cross Site Request Forgery CSRF tokens to protect routes for enabling a client. This vulnerability is mitigated by the fact that an...
Allow All File Extensions for file fields - Critical - Unsupported - SA-CONTRIB-2024-075
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
OhDear Integration - Moderately critical - Access bypass - SA-CONTRIB-2024-056
Integrates your Drupal website with the Oh Dear monitoring app. Cached data of monitoring results is accessible to non-logged in users when caching is enabled on the module. This vulnerability is mitigated by the fact that it only affects sites where caching is enabled for OhDear report healthche...
SVG Embed - Moderately critical - Cross site scripting - SA-CONTRIB-2024-050
This module enables you to embed the content of an SVG file into the body html of a node and optionally allows to translate text contained within the image. The module doesn't sufficiently sanitize the SVG file before embedding it into the html. This vulnerability is mitigated by the fact that an...
Monster Menus - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-045
This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure. A function which can be used by third-party code does not return valid data under certain rare circumstances. If the third-party code relies on this data to decide whether to grant...
Block permissions - Moderately critical - Access bypass - SA-CONTRIB-2024-046
This module enables you to manage blocks from specific modules in the specific themes. The module doesn't sufficiently check permissions under the scenario when a block is added using the form "/admin/structure/block/add/pluginid/theme" route "block.adminadd". The attacker can add the block to th...
Diff - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-042
This module adds a tab for sufficiently permissioned users. The tab shows all revisions like standard Drupal but it also allows pretty viewing of all added/changed/deleted words between revisions. The module doesn't sufficiently check revision access before rendering a diff report for 1 nodes or ...
File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040
This module enables you to store and manage both private and public files, provides the ability to add fieldable metadata for fileentity bundle types in addition to core filemanaged data. The module doesn't sufficiently ensure that folders exist within the private destination prior to writing to...
S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2023-014
S3 File System s3fs provides an additional file system to your Drupal site, which stores files in Amazon's Simple Storage Service S3 or any other S3-compatible storage service. This module may fail to validate that a file being requested to be moved to storage was uploaded during the same web...