Allow All File Extensions for file fields - Critical - Unsupported - SA-CONTRIB-2024-075
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076
Open Social is a Drupal distribution for online communities, which ships with a default optional module socialfileprivate to ensure the images and files provided by the distribution are stored in the private instead of the public filesystem. For installations of Open Social prior to version 11.8....
Git Utilities for Drupal - Critical - Unsupported - SA-CONTRIB-2024-074
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069
This module provides a field formatter for the field type 'file' called "Table of files with download all link". The module had vulnerabilities allowing a user to download files they normally should not be able to download...
Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005
Drupal 7 core's Overlay module doesn't safely handle user input, leading to reflected cross-site scripting under certain circumstances. Only sites with the Overlay module enabled are affected by this vulnerability...
Block permissions - Moderately critical - Access bypass - SA-CONTRIB-2024-046
This module enables you to manage blocks from specific modules in the specific themes. The module doesn't sufficiently check permissions under the scenario when a block is added using the form "/admin/structure/block/add/pluginid/theme" route "block.adminadd". The attacker can add the block to th...
Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047
This module enables you to easily create and manage faceted search interfaces. The module doesn't sufficiently filter for malicious script, leading to a reflected cross site scripting (XSS) vulnerability. The vulnerability exists in the Facets Summary submodule. If you do not use that submodule...
Monster Menus - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-045
This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure. A function which can be used by third-party code does not return valid data under certain rare circumstances. If the third-party code relies on this data to decide whether to grant...
Diff - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-042
This module adds a tab for sufficiently permissioned users. The tab shows all revisions like standard Drupal but it also allows pretty viewing of all added/changed/deleted words between revisions. The module doesn't sufficiently check revision access before rendering a diff report for 1 nodes or ...
Security Kit - Less critical - Denial of Service - SA-CONTRIB-2024-039
This module provides Drupal with various security-hardening options, for example by emitting various configurable HTTP response headers. The module doesn't sufficiently validate input in Content Security Policy CSP violation reports. This can cause errors when a logging module e.g. dblog or syslo...
Freelinking - Moderately critical - Information Disclosure - SA-CONTRIB-2024-034
This module enables you to configure a wiki-like input filter that allows users to create links to site and external content. The module doesn't sufficiently check if a user has access to some URLs before rendering them as links. This vulnerability is mitigated by the fact that an attacker must...
Content Entity Clone - Moderately critical - Information Disclosure - SA-CONTRIB-2024-035
This module enables you to "clone" a content entity, i.e. to create a new content pre-filled with data from another entity of the same type and bundle. The module doesn't properly check the user access to the original entity, allowing users to create a new entity they have permission to create...
Simple hierarchical select - Moderately critical - Cross site request forgery - SA-CONTRIB-2019-038
Simple hierarchical select defines a new form widget for taxonomy fields to select a term by "browsing" through the vocabularies hierarchy. It also allows users to create new taxonomy terms using its widget directly in the node form. Version 7.x of Simple hierarchical select doesn't sufficiently...
Paragraphs - Critical - Remote Code Execution - SA-CONTRIB-2019-023
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
KCFinder integration - Critical - Unsupported Module - SA-CONTRIB-2018-024
KCFinder is a multi-language file / image manager you can use to easily select, insert, upload and arrange images, flash movies, and other kinds of files. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintaine...
ComScore direct tag - Less critical - Cross site scripting - SA-CONTRIB-2017-095
This module enables you to use the comScore Direct analytics system on a site. The module doesn't sufficiently sanitize one of the configuration variables prior to rendering it. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer comScore...
CAPTCHA - Moderately Critical - Denial of Service - SA-CONTRIB-2017-073
This module enables you to use various techniques to block automated scripts / robots from submitting content to a site, e.g. to block spam comments. The module doesn't properly store the session ID of visitors who are given a session which could lead to a Denial of Service attack. This...
services_views - Unsupported - SA-CONTRIB-2017-062
Update: A new maintainer has resolved this issue; please read the release notes for more information. This module provides views support for the Services module. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the...
Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass - DRUPAL-SA-CONTRIB-2016-006
This module enables you to make credit card payments for Drupal Commerce orders via the Authorize.Net payment gateway using either their SIM hosted payment page or DPM direct post method mechanisms. The module doesn't sufficiently protect against the premature triggering of order completion witho...
SA-CONTRIB-2014-125 - Organic Groups Menu - Access bypass
This module enables you to associate menus with Organic Groups OG. It allows you to create one or more menus per group, configure and apply menu permissions in a group context, add/edit menu links directly from the entity form, etc. The module doesn't sufficiently check the menu parameters passed...
SA-CONTRIB-2014-107 - Scheduler - Cross Site Scripting
The Scheduler module allows nodes to be published and unpublished on specified dates. The module allows administrators to provide additional help text on the content editing form when scheduling is enabled. The module doesn't sufficiently filter the help text which could lead to a Cross Site...
SA-CONTRIB-2014-064 - Course - Access bypass
This module enables you to create e-learning courses with any number of requirements for completion. A "Course object" is a relationship entity between a Course and a learning object, such as a Node. The module doesn't sufficiently check access on Course object edit forms. The configuration optio...
SA-CONTRIB-2012-114 - Campaign Monitor - Cross Site Scripting (XSS)
This module enables you to integrate Campaign Monitor into Drupal so you can give users the ability to subscribe and unsubscribe for your Campaign Monitor lists. The module doesn't sufficiently validate strings entered in the administration interface. This vulnerability is mitigated by the fact...
SA-CONTRIB-2011-046 - Echo - Multiple Vulnerabilities
The Echo module generates a fully-themed Drupal page, returning the rendered page as a text string and allowing other modules to style an HTML message as if it had been generated by the live website. The module does not properly sanitize user-supplied content, resulting in a Cross-Site Scripting...
SA-CONTRIB-2011-043 - Petition Node - Cross Site Scripting
Petition node module allows the creation of petition nodes to collect signatures to show support for a cause. The module contains a cross site scripting XSS vulnerability that can be exploited when signing a petition. This vulnerability is mitigated by the fact that it normally requires the 'sign...
SA-CONTRIB-2011-042 - Views Bulk Operations - Cross Site Scripting
The Views Bulk Operations VBO module allows actions and rules to be run on the selected views rows nodes, terms, user, etc. It also bundles several convenient actions. One of those actions allows the bulk modification of taxonomy terms on a node. When using the "Modify node taxonomy terms" action...
SA-CONTRIB-2011-031 - SunMailer - Access bypass
SunMailer Newsletter creates an email newsletter that users can subscribe to. The module includes a page where authenticated users can view and/or edit their newsletter subscription. Access to this page was accidentally granted to anonymous users, creating an access bypass that disclosed all user...
SA-CONTRIB-2011-028 - Simple Clean - Cross Site Scripting
Simple Clean is a simple and stripped clean theme for Drupal. The theme contains a cross site scripting XSS vulnerability that can be exploited when posting comments. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "post comments". Versions affect...
SA-CONTRIB-2010-086 - Prepopulate - Access Bypass
The Prepopulate module provides the ability for form fields to be pre-populated via the request sent for the form. The module is vulnerable to access bypass which would allow a malicious user to change the value of fields they would not otherwise have access to alter. Versions affected Prepopulat...
SA-CONTRIB-2010-007 - Control Panel - Cross Site Scripting
The Control Panel module enables users to add a new graphical control panel page. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. Only users with the 'administer blocks' permission are able to exploit this...
SA-CONTRIB-2009-090 - User Protect - Cross Site Request Forgery
User Protect provides various editing protection for users. The protections can be specific to a user, or applied to all users in a role. User administrators can be individually configured to be allowed to bypass the protections. The Drupal Forms API protects against cross site request forgeries...
SA-CONTRIB-2009-027 - Printer, e-mail and PDF versions - Cross-site scripting
When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input. Certain byte sequences that are valid in the UTF-...
Drupal core - Moderately critical - Improper validation - SA-CORE-2026-009
The JSON:API and REST modules allow you to upload image files to image fields. The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image. Certain web-server configurations may serve the...
Drupal core - Critical - PHP object injection - SA-CORE-2026-005
SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web services. The above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain...
Composer - Critical - Unsupported - SA-CONTRIB-2026-046
The security team is marking the Composer module for Drupal project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read:...
CKEditor5 Youtube - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-081
The CKEditor5 Youtube module enhances content creation in Drupal by seamlessly integrating YouTube video embedding into the CKEditor 5 text editor. The module doesn't sufficiently validate iframe sources under the scenario where a user embeds a video using the CKEditor YouTube integration leading...
Advanced File Destination - Critical - Multiple vulnerabilities - SA-CONTRIB-2025-057
The Advanced File Destination module enhances file upload management in Drupal by allowing users to choose and create custom directories during file uploads. The module has multiple vulnerabilities that were reported through the Drupal Security Team's coordinated vulnerability process. The projec...
Stage File Proxy - Moderately critical - Denial of Service - SA-CONTRIB-2025-035
Stage File Proxy is a general solution for getting production files on a development server on demand. The module doesn't sufficiently validate the existence of remote files prior to attempting to download and create them. An attacker could send many requests and exhaust disk resources. This...
Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2025-023
This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. The module does not sufficiently ensure that known login routes are not overridden by third-party modules which can allow an access bypass to occur. This vulnerabili...
OAuth2 Client - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-013
This module enables a developer to create dedicated OAuth2 clients for connecting to external APIs and other OAuth protected resources. The module does not use Cross Site Request Forgery CSRF tokens to protect routes for enabling a client. This vulnerability is mitigated by the fact that an...
Node export - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-061
This module allows users to export nodes and then import them into another Drupal installation, or into the same site. In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize function, which could result in Remote Code Execution via PHP Object Injection...
SVG Embed - Moderately critical - Cross site scripting - SA-CONTRIB-2024-050
This module enables you to embed the content of an SVG file into the body HTML of a node and optionally allows translating text contained within the image. The module doesn't sufficiently sanitize the SVG file before embedding it into the HTML. This vulnerability is mitigated by the fact that an...
Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048
This module provides a new UI experience for node editing using the Gutenberg Editor library. The module did not sufficiently protect some routes against a Cross Site Request Forgery attack. This vulnerability is mitigated by the fact that the tricked user needs to have an active session with the...
File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040
This module enables you to store and manage both private and public files, provides the ability to add fieldable metadata for fileentity bundle types in addition to core filemanaged data. The module doesn't sufficiently ensure that folders exist within the private destination prior to writing to...
Swift Mailer (abandoned) - Moderately critical - Access bypass - SA-CONTRIB-2024-006
The Drupal Swift Mailer module extends the basic e-mail sending functionality provided by Drupal by delegating all e-mail handling to the Swift Mailer library. This enables your site to take advantage of the many features which the Swift Mailer library provides. The module could allow an attacker...
highlight.php - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-043
Provides highlight.php integration to Drupal, allowing blocks to be automatically highlighted with the correct language. The module's Twig function doesn't sufficiently filter user-entered data...
Unified Twig Extensions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-041
This module makes PatternLab's custom Twig functions available to Drupal theming. The module's included examples don't sufficiently filter data. This vulnerability is mitigated by the fact that the included examples must have been copied to a site's theme...
Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001
This module enables users to create 'private' vocabularies. The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View...
S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2022-057
This module enables you to utilize S3-compatible storage as a Drupal filesystem. The module doesn't sufficiently prevent file access across multiple filesystem schemes stored in the same bucket. This vulnerability is mitigated by the fact that an attacker must obtain a method to access arbitrary...
jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052
jQuery UI is a third-party library used by Drupal. The jQuery UI Checkboxradio module provides the jQuery UI Checkboxradio library which was previously in Drupal 8 core, but has since been removed from core and moved to this module. As part of the jQuery UI 1.13.2 update, the jQuery UI project...