Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2019/02/20 12:0 a.m.8 views

Paragraphs - Critical - Remote Code Execution - SA-CONTRIB-2019-023

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...

6.7AI score
Exploits0References3
Drupal
Drupal
added 2019/01/23 12:0 a.m.8 views

Expand collapse formatter - Critical - Unsupported - SA-CONTRIB-2019-011

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...

7.1AI score
Exploits0References2
Drupal
Drupal
added 2018/10/31 12:0 a.m.8 views

Paragraphs - Moderately critical - Access Bypass - SA-CONTRIB-2018-073

The Paragraphs module allows Drupal Site Builders to make content organization cleaner so that you can give more editing power to end-users. The module doesn't sufficiently check access to create new paragraph entities which can cause access bypass issues when used in combination with other...

7.1AI score
Exploits0References9
Drupal
Drupal
added 2018/07/18 12:0 a.m.8 views

XML sitemap - Moderately critical - Information Disclosure - SA-CONTRIB-2018-053

This module enables you to generate XML sitemaps and it helps search engines to more intelligently crawl a website and keep their results up to date. The module doesn't sufficiently handle access rights under the scenario of updating contents from cron execution...

7AI score
Exploits0References7
Drupal
Drupal
added 2018/05/23 12:0 a.m.8 views

SimpleCrop - Critical - Unsupported - SA-CONTRIB-2018-030

Update: 2018-06-01 A new maintainer has stepped forward to maintain this module and has put out a new release. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module...

7.2AI score
Exploits0References3
Drupal
Drupal
added 2018/05/09 12:0 a.m.8 views

Multi-Step Registration - Critical - Unsupported Module - SA-CONTRIB-2018-023

With Multi-Step Registration you can create multi-step wizard user account registration forms. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read:...

7.2AI score
Exploits0References2
Drupal
Drupal
added 2018/05/09 12:0 a.m.8 views

KCFinder integration - Critical - Unsupported Module - SA-CONTRIB-2018-024

KCFinder is a multi-language file / image manager you can use to easily select, insert, upload and arrange images, flash movies, and other kinds of files. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintaine...

7.2AI score
Exploits0References2
Drupal
Drupal
added 2017/12/20 12:0 a.m.8 views

ComScore direct tag - Less critical - Cross site scripting - SA-CONTRIB-2017-095

This module enables you to use the comScore Direct analytics system on a site. The module doesn't sufficiently sanitize one of the configuration variables prior to rendering it. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer comScore...

6.9AI score
Exploits0References4
Drupal
Drupal
added 2017/09/06 12:0 a.m.8 views

CAPTCHA - Moderately Critical - Denial of Service - SA-CONTRIB-2017-073

This module enables you to use various techniques to block automated scripts / robots from submitting content to a site, e.g. to block spam comments. The module doesn't properly store the session ID of visitors who are given a session which could lead to a Denial of Service attack. This...

7AI score
Exploits0References13
Drupal
Drupal
added 2017/08/02 12:0 a.m.8 views

services_views - Unsupported - SA-CONTRIB-2017-062

Update A new maintainer has resolved this issue, please read The release notes for more information This module provides views support for the Services module. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the...

7.1AI score
Exploits0References9
Drupal
Drupal
added 2017/01/25 12:0 a.m.8 views

SalesCloud - Critical - Unsupported - SA-CONTRIB-2017-008

This module Connects Drupal to SalesCloud's API, a Commerce Platform as a Service. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected All versions Drupal core is not affected. If you do not use th...

7.1AI score
Exploits0References10
Drupal
Drupal
added 2016/04/06 12:0 a.m.8 views

Drupal Commerce - Less Critical - Information disclosure - SA-CONTRIB-2016-019

This module enables you to build an online store that uses nodes to display products through the use of product reference fields. The default widget for those fields is an autocomplete textfield similar to the taxonomy term reference field's autocomplete widget. As you type in the textfield, the...

7AI score
Exploits0References13
Drupal
Drupal
added 2016/02/17 12:0 a.m.8 views

Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass - DRUPAL-SA-CONTRIB-2016-006

This module enables you to make credit card payments for Drupal Commerce orders via the Authorize.Net payment gateway using either their SIM hosted payment page or DPM direct post method mechanisms. The module doesn't sufficiently protect against the premature triggering of order completion witho...

7AI score
Exploits0References11
Drupal
Drupal
added 2014/12/10 12:0 a.m.8 views

SA-CONTRIB-2014-125 - Organic Groups Menu - Access bypass

This module enables you to associate menus with Organic Groups OG. It allows you to create one or more menus per group, configure and apply menu permissions in a group context, add/edit menu links directly from the entity form, etc. The module doesn't sufficiently check the menu parameters passed...

6.7AI score
Exploits0References14
Drupal
Drupal
added 2014/11/12 12:0 a.m.8 views

SA-CONTRIB-2014-107 - Scheduler - Cross Site Scripting

The Scheduler module allows nodes to be published and unpublished on specified dates. The module allows administrators to provide additional help text on the content editing form when scheduling is enabled. The module doesn't sufficiently filter the help text which could lead to a Cross Site...

6.2AI score
Exploits0References11
Drupal
Drupal
added 2014/06/18 12:0 a.m.8 views

SA-CONTRIB-2014-064 -Course - Access bypass

This module enables you to create e-learning courses with any number of requirements for completion. A "Course object" is a relationship entity between a Course and a learning object, such as a Node. The module doesn't sufficiently check access on Course object edit forms. The configuration optio...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2013/07/17 12:0 a.m.8 views

SA-CONTRIB-2013-058 - MRBS - Abandoned - Mutliple vulnerabilities

MRBS is a free, GPL, web application using PHP and MySQL/pgsql for booking meeting rooms or other resources. The module doesn't sufficiently filter user supplied data when creating queries which leads to a SQL injection vulnerability. CVE identifiers issued ACVE identifier will be requested, and...

8.2AI score
Exploits0References9
Drupal
Drupal
added 2012/07/18 12:0 a.m.8 views

SA-CONTRIB-2012-114 - Campaign Monitor - Cross Site Scripting (XSS)

This module enables you to integrate Campaign Monitor into Drupal so you can give users the ability to subscribe and unsubscribe for your Campaign Monitor lists. The module doesn't sufficiently validate strings entered in the administration interface. This vulnerability is mitigated by the fact...

6.9AI score
Exploits0References10
Drupal
Drupal
added 2011/10/05 12:0 a.m.8 views

SA-CONTRIB-2011-043 - Petition Node - Cross Site Scripting

Petition node module allows the creation of petition nodes to collect signatures to show support for a cause. The module contains a cross site scripting XSS vulnerability that can be exploited when signing a petition. This vulnerability is mitigated by the fact that it normally requires the 'sign...

5.8AI score
Exploits0References10
Drupal
Drupal
added 2011/10/05 12:0 a.m.8 views

SA-CONTRIB-2011-046 - Echo - Multiple Vulnerabilities

The Echo module generates a fully-themed Drupal page, returning the rendered page as a text string and allowing other modules to style an HTML message as if it had been generated by the live website. The module does not properly sanitize user-supplied content, resulting in a Cross-Site Scripting...

5.9AI score
Exploits0References14
Drupal
Drupal
added 2011/07/20 12:0 a.m.8 views

SA-CONTRIB-2011-031 - SunMailer - Access bypass

SunMailer Newsletter creates an email newsletter that users can subscribe to. The module includes a page where authenticated users can view and/or edit their newsletter subscription. Access to this page was accidentally granted to anonymous users, creating an access bypass that disclosed all user...

6.9AI score
Exploits0References8
Drupal
Drupal
added 2011/07/06 12:0 a.m.8 views

SA-CONTRIB-2011-028 - Simple Clean - Cross Site Scripting

Simple Clean is a simple and stripped clean theme for Drupal. The theme contains a cross site scripting XSS vulnerability that can be exploited when posting comments. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "post comments". Versions affect...

5.9AI score
Exploits0References9
Drupal
Drupal
added 2011/05/04 12:0 a.m.8 views

SA-CONTRIB-2011-019 - Menu Access - Cross Site Scripting

The Menu Access module provides global, menu specific, and per menu item security permissions by role and user account. The Menu Access module contains a cross site scripting XSS vulnerability that can be exploited when a specially formatted menu description is viewed. This could result in...

5.9AI score
Exploits0References10
Drupal
Drupal
added 2011/02/02 12:0 a.m.8 views

SA-CONTRIB-2011-007 - Userpoints Cross Site Scripting

The Userpoints module allows users to gain points through specific actions like contributing content. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability that may lead to a malicious user gaining full administrative...

6.3AI score
Exploits0References9
Drupal
Drupal
added 2010/05/19 12:0 a.m.8 views

SA-CONTRIB-2010-053 - External Link Page - Cross Site Scripting (XSS)

The External Link Page provides a content filter that redirects external links to a customizable page. This page informs the user that they are about to leave the site and then redirects them. The module does not sanitise data input in it's administration page before displaying it on redirect...

4.8AI score
Exploits0References5
Drupal
Drupal
added 2010/03/31 12:0 a.m.8 views

SA-CONTRIB-2010-033 - Taxonomy Filter - Cross Site Scripting (XSS)

The Taxonomy Filter module enables users to filter node listings by multiple taxonomy terms across multiple vocabularies. Vocabulary names, terms, and filter menus are not sanitized, creating a Cross Site Scripting XSS vulnerability. Exploiting this vulnerability would allow a malicious user to...

6.5AI score
Exploits0References5
Drupal
Drupal
added 2010/01/20 12:0 a.m.8 views

SA-CONTRIB-2010-007 - Control Panel - Cross Site Scripting

The Control Panel module enables users to add a new graphical control panel page. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. Only users with the 'administer blocks' permission are able to exploit this...

6.2AI score
Exploits0References5
Drupal
Drupal
added 2009/05/13 12:0 a.m.8 views

SA-CONTRIB-2009-027 - Printer, e-mail and PDF versions - Cross-site scripting

When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input. Certain byte sequences that are valid in the UTF-...

6AI score
Exploits0References7
Drupal
Drupal
added 2008/03/05 12:0 a.m.8 views

SA-2008-019 - Refine by Taxonomy - Cross site scripting

Refine by Taxonomy is a module that provides a taxonomy browsing user interface. Taxonomy terms are not escaped before display, making it possible to inject arbitrary HTML and script code into pages which contain the Refine by Taxonomy feature. This may lead to administrator access if certain...

6.4AI score
Exploits0References5
Drupal
Drupal
added 2006/09/05 12:0 a.m.8 views

Pathauto cross site scripting vulnerability

It is possible for a malicious user to execute XSS Cross Site Scripting by enticing a victim to click on a specially crafted link. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. Versions affected Please check the CVS $Id$ fields in the file...

5.5AI score
Exploits0References5
Drupal
Drupal
added 2006/08/22 12:0 a.m.8 views

Easylinks multiple vulnerabilities

Unescaped input is used directly in queries, allowing malicious users to execute SQL injection attacks. This may result in administrator privileges. It is also possible for a malicious user to insert and execute XSS Cross Site Scripting, due to lack of validation on output. This may lead to...

5.8AI score
Exploits0References4
Drupal
Drupal
added 2006/08/07 12:0 a.m.8 views

DRUPAL-SA-2006-012: Jobsearch module

It is possible for a malicious user to inject SQL while searching for jobs or resumes using the Job Search module. Versions affected Please check the CVS $Id$ field in the file job.module to determine whether the version you are running is vulnerable. All 4.6 versions older than the following are...

5.6AI score
Exploits0References2
Drupal
Drupal
added 2006/08/07 12:0 a.m.8 views

DRUPAL-SA-2006-013: Recipe module

It is possible for a malicious user to insert and execute XSS, due to lack of validation on output. Versions affected Please check the CVS $Id$ field in the file recipe.module to determine whether the version you are running is vulnerable. Versions older than the following are vulnerable: // $Id:...

5.4AI score
Exploits0References2
Drupal
Drupal
added 6 days ago7 views

Raw Formatter [Meta Tag Formatter] - Critical - Unsupported - SA-CONTRIB-2026-077

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.9AI score0.00236EPSS
Exploits0References2
Drupal
Drupal
added 6 days ago7 views

Location Selector - Critical - SQL Injection - SA-CONTRIB-2026-072

The Location Selector module provides a Views filter for selecting location values. One of the provided Views filters does not sufficiently sanitize values that may come from user input, resulting in a SQL injection vulnerability. This vulnerability is mitigated by the fact that a View must exist...

6AI score0.00194EPSS
Exploits0References1
Drupal
Drupal
added 6 days ago7 views

Ray Enterprise Translation - Moderately critical - Cross site request forgery - SA-CONTRIB-2026-071

The Lingotek Ray Enterprise Translation provides multilingual site management. The module fails to protect several state-changing administrative routes against Cross Site Request Forgery attacks. An attacker could trick a privileged user into visiting a crafted page that triggers actions such as...

5.9AI score0.00119EPSS
Exploits0References3
Drupal
Drupal
added 2026/07/01 12:0 a.m.7 views

FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067

This module enables you to test and run AI-driven workflows interactively through a chat interface. The module doesn't sufficiently enforce permissions on certain endpoints. Attackers may be able to trigger workflow execution incurring LLM spend and tool side effects or send messages into other...

6.1AI score0.0018EPSS
Exploits0References2
Drupal
Drupal
added 2026/07/01 12:0 a.m.7 views

Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-066

The Canvas module allow you to upload image files via a custom API. The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image. Certain web-server configurations may serve the uploaded file...

5.8AI score0.00204EPSS
Exploits0References5
Drupal
Drupal
added 2026/06/24 12:0 a.m.7 views

AI Agents - Moderately critical - Information disclosure, Access bypass - SA-CONTRIB-2026-057

This module provides the entity type and runtime for Drupal AI Agents, enabling agents to use tools. Under certain circumstances, the agent inherits deterministic parameters when invoking the same tool in one request, which can lead to information disclosure...

5.8AI score0.00142EPSS
Exploits0References4
Drupal
Drupal
added 2026/06/24 12:0 a.m.7 views

WissKI - Critical - Access bypass - SA-CONTRIB-2026-059

The module adds support for the mirador viewer in WissKI and enables annotations on images via the mirador viewer. It does not sufficiently check the submitted parameters via a route and writes these to the session object without further checks, which can lead to Access Bypass. This vulnerability...

5.9AI score0.00132EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/24 12:0 a.m.7 views

Paragraphs - Moderately critical - Access bypass - SA-CONTRIB-2026-061

The optional Paragraphs Library module allows the reuse of paragraphs in multiple places. The module doesn't sufficiently restrict access to direct child paragraphs of library items through API endpoints. This vulnerability is mitigated by the fact the paragraphslibrary module must be in use and...

5.8AI score0.00132EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/24 12:0 a.m.7 views

OpenAI Provider - Moderately critical - Server-side Request Forgery - SA-CONTRIB-2026-053

This module enables you to use OpenAI as a provider for the AI module. The module doesn't sufficiently sanitize user-supplied URLs, leading to a Server-side request forgery SSRF vulnerability. This vulnerability is mitigated by the fact that an attacker must have the access to change the host url...

5.9AI score0.00142EPSS
Exploits0References3
Drupal
Drupal
added 2026/06/24 12:0 a.m.7 views

Salesforce Suite - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-063

The Salesforce Suite of modules integrates Drupal with Salesforce. The Salesforce module does not properly validate the OAuth handshake during interactive authentication, allowing an attacker to hijack the authorization token and bind the site to an attacker's Salesforce account. This vulnerabili...

5.7AI score0.00097EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/24 12:0 a.m.7 views

AI (Artificial Intelligence) - Moderately critical - Access bypass - SA-CONTRIB-2026-055

This module enables you to utilize an agent to use Drupal core actions tools with bypassed access. Certain Drupal core actions, exposed as agent tools did not have correct access validation, and some core actions were missing associated access-level definitions. This vulnerability is mitigated by...

5.8AI score0.00142EPSS
Exploits0References4
Drupal
Drupal
added 2026/06/24 12:0 a.m.7 views

Commerce Realex / Global Payments - Moderately critical - Access Bypass - SA-CONTRIB-2026-058

This module enables you to take payments through the Global Payments / Realex Hosted Payment Page HPP, either via a lightbox iframe or via a full-page redirect. When the gateway is configured with the redirect payment method, the module doesn't sufficiently verify the authenticity of the payment...

5.9AI score0.0018EPSS
Exploits0References2
Drupal
Drupal
added 2026/06/24 12:0 a.m.7 views

AI (Artificial Intelligence) - Moderately critical - Information Disclosure / Cross-site Scripting - SA-CONTRIB-2026-054

The module and certain submodules AI Automators, AI Translate, AI API Explorer, AI Content Suggestions provide the ability to use an LLM to generate HTML or Markdown and preview it in a browser. Under certain circumstances, rendering of this HTML can lead to Cross Site Scripting, or exposing secr...

5.9AI score0.00161EPSS
Exploits0References4
Drupal
Drupal
added 2025/05/14 12:0 a.m.7 views

Advanced File Destination - Critical - Multiple vulnerabilities - SA-CONTRIB-2025-057

The Advanced File Destination module enhances file upload management in Drupal by allowing users to choose and create custom directories during file uploads. The module has multiple vulnerabilities that were reported through the Drupal Security Team's coordinated vulnerability process. The projec...

5.6AI score
Exploits0References1
Drupal
Drupal
added 2025/04/16 12:0 a.m.7 views

Stage File Proxy - Moderately critical - Denial of Service - SA-CONTRIB-2025-035

Stage File Proxy is a general solution for getting production files on a development server on demand. The module doesn't sufficiently validate the existence of remote files prior to attempting to download and create them. An attacker could send many requests and exhaust disk resources. This...

5.9CVSS5.8AI score0.00315EPSS
Exploits0References2
Drupal
Drupal
added 2024/10/09 12:0 a.m.7 views

Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048

This module provides a new UI experience for node editing using the Gutenberg Editor library. The module did not sufficiently protect some routes against a Cross Site Request Forgery attack. This vulnerability is mitigated by the fact that the tricked user needs to have an active session with the...

8.8CVSS7.1AI score0.00193EPSS
Exploits0References12
Drupal
Drupal
added 2023/09/06 12:0 a.m.7 views

highlight.php - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-043

Provides highlight.php integration to Drupal, allowing blocks to be automatically highlighted with the correct language. The module's Twig function doesn't sufficiently filter user-entered data...

5.4AI score
Exploits0References8
Total number of security vulnerabilities1940