Drupal security advisories, sorted by most viewed

1911 matches found

Expire reset password link - Critical - Unsupported - SA-CONTRIB-2022-009
Source: Drupal | Added: 2022/01/25 12:00 a.m. | 6 views

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

AI score: 6.6 | Exploits: 0 | References: 2

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2021-020
Source: Drupal | Added: 2021/06/30 12:00 a.m. | 6 views

The Apigee Edge module allows connecting a Drupal site to Apigee Edge in order to build a developer portal. The module did not properly validate user access for data creation in certain circumstances...

AI score: 6.9 | Exploits: 0 | References: 5

Imagecache External - Critical - Insecure session token management - SA-CONTRIB-2019-065
Source: Drupal | Added: 2019/08/21 12:00 a.m. | 6 views

This module allows you to store external images on your server and apply your own Image Styles. The module exposes cookies to external sites when making external image requests. This vulnerability is mitigated by using the whitelisted host feature to restrict external image requests from...

AI score: 5.5 | Exploits: 0 | References: 7 | Affected software: 1

Expand collapse formatter - Critical - Unsupported - SA-CONTRIB-2019-011
Source: Drupal | Added: 2019/01/23 12:00 a.m. | 6 views

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...

AI score: 7.1 | Exploits: 0 | References: 2

Webform Table Element - Critical - Unsupported - SA-CONTRIB-2019-005
Source: Drupal | Added: 2019/01/23 12:00 a.m. | 6 views

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...

AI score: 7.1 | Exploits: 0 | References: 2

Paragraphs - Moderately critical - Access Bypass - SA-CONTRIB-2018-073
Source: Drupal | Added: 2018/10/31 12:00 a.m. | 6 views

The Paragraphs module allows Drupal Site Builders to make content organization cleaner so that you can give more editing power to end-users. The module doesn't sufficiently check access to create new paragraph entities, which can cause access bypass issues when used in combination with other...

AI score: 7.1 | Exploits: 0 | References: 9

XML sitemap - Moderately critical - Information Disclosure - SA-CONTRIB-2018-053
Source: Drupal | Added: 2018/07/18 12:00 a.m. | 6 views

This module enables you to generate XML sitemaps and it helps search engines to more intelligently crawl a website and keep their results up to date. The module doesn't sufficiently handle access rights under the scenario of updating contents from cron execution...

AI score: 7 | Exploits: 0 | References: 7

Mollom - Critical - Unsupported - SA-CONTRIB-2018-038
Source: Drupal | Added: 2018/06/06 12:00 a.m. | 6 views

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466. The security team marks all unsupported projects critical...

AI score: 7.2 | Exploits: 0 | References: 2

SimpleCrop - Critical - Unsupported - SA-CONTRIB-2018-030
Source: Drupal | Added: 2018/05/23 12:00 a.m. | 6 views

Update: 2018-06-01 A new maintainer has stepped forward to maintain this module and has put out a new release. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module...

AI score: 7.2 | Exploits: 0 | References: 3

Protected Pages - Critical - Unsupported - SA-CONTRIB-2018-028
Source: Drupal | Added: 2018/05/23 12:00 a.m. | 6 views

Update: 2018-06-03 A new maintainer has stepped forward and this project now has a stable release. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please rea...

AI score: 7.2 | Exploits: 0 | References: 3

Multi-Step Registration - Critical - Unsupported Module - SA-CONTRIB-2018-023
Source: Drupal | Added: 2018/05/09 12:00 a.m. | 6 views

With Multi-Step Registration you can create multi-step wizard user account registration forms. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read:...

AI score: 7.2 | Exploits: 0 | References: 2

Entity Backup - Critical - Module Unsupported - SA-CONTRIB-2018-012
Source: Drupal | Added: 2018/02/14 12:00 a.m. | 6 views

The main purpose of the Entity Backup module is to keep a backup of deleted Drupal core entities and perform recovery of them. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to...

AI score: 7.2 | Exploits: 0 | References: 2

Link Click Count - Critical - Unsupported - SA-CONTRIB-2017-094
Source: Drupal | Added: 2017/12/20 12:00 a.m. | 6 views

The Link Click Count module helps you to monitor the traffic to your website by creating link fields. These link fields can be individual links or internal/external links that can be added to the content type. The security team is marking this module unsupported. There is a known security issue...

AI score: 7.2 | Exploits: 0 | References: 2

SalesCloud - Critical - Unsupported - SA-CONTRIB-2017-008
Source: Drupal | Added: 2017/01/25 12:00 a.m. | 6 views

This module connects Drupal to SalesCloud's API, a Commerce Platform as a Service. CVE identifiers issued: A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected: All versions. Drupal core is not affected. If you do not use th...

AI score: 7.1 | Exploits: 0 | References: 10

Drupal Commerce - Less Critical - Information disclosure - SA-CONTRIB-2016-019
Source: Drupal | Added: 2016/04/06 12:00 a.m. | 6 views

This module enables you to build an online store that uses nodes to display products through the use of product reference fields. The default widget for those fields is an autocomplete textfield similar to the taxonomy term reference field's autocomplete widget. As you type in the textfield, the...

AI score: 7 | Exploits: 0 | References: 13

SA-CONTRIB-2011-007 - Userpoints Cross Site Scripting
Source: Drupal | Added: 2011/02/02 12:00 a.m. | 6 views

The Userpoints module allows users to gain points through specific actions like contributing content. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting (XSS) vulnerability that may lead to a malicious user gaining full administrative...

AI score: 6.3 | Exploits: 0 | References: 9

SA-CONTRIB-2009-088 - Workflow Multiple Cross Site Scripting Vulnerabilities
Source: Drupal | Added: 2009/10/28 12:00 a.m. | 6 views

The Workflow module enables sites to define flexible process management systems. Names of workflows and workflow states are not sanitised to display as plain text, leading to a Cross Site Scripting (XSS) vulnerability. Exploiting this vulnerability would allow a malicious user to gain full...

AI score: 6.5 | Exploits: 0 | References: 7

SA-CONTRIB-2009-063 - XML sitemap - Cross Site Scripting
Source: Drupal | Added: 2009/09/30 12:00 a.m. | 6 views

The XML sitemap module creates a sitemap that conforms to the sitemaps.org specification. It also allows users with the 'administer site configuration' permission to add additional custom links to be included in the sitemap. In the additional links interface, the module does not properly sanitize...

AI score: 6.2 | Exploits: 0 | References: 5

SA-2008-019 - Refine by Taxonomy - Cross site scripting
Source: Drupal | Added: 2008/03/05 12:00 a.m. | 6 views

Refine by Taxonomy is a module that provides a taxonomy browsing user interface. Taxonomy terms are not escaped before display, making it possible to inject arbitrary HTML and script code into pages which contain the Refine by Taxonomy feature. This may lead to administrator access if certain...

AI score: 6.4 | Exploits: 0 | References: 5

Pathauto cross site scripting vulnerability
Source: Drupal | Added: 2006/09/05 12:00 a.m. | 6 views

It is possible for a malicious user to execute XSS (Cross Site Scripting) by enticing a victim to click on a specially crafted link. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. Versions affected: Please check the CVS $Id$ fields in the file...

AI score: 5.5 | Exploits: 0 | References: 5

DRUPAL-SA-2006-013: Recipe module
Source: Drupal | Added: 2006/08/07 12:00 a.m. | 6 views

It is possible for a malicious user to insert and execute XSS, due to lack of validation on output. Versions affected: Please check the CVS $Id$ field in the file recipe.module to determine whether the version you are running is vulnerable. Versions older than the following are vulnerable: // $Id:...

AI score: 5.4 | Exploits: 0 | References: 2

Unintentionally logging credit card transactions
Source: Drupal | Added: 2005/10/30 12:00 a.m. | 6 views

Solar Designer of the Openwall Project reported a security vulnerability in the contributed authorizenet module which is part of the ecommerce package. Credit card information was being stored in a system log file. The system should not be saving this information. Versions affected: Please check t...

AI score: 5.4 | Exploits: 0 | References: 5

Plotly.js Graphing - Critical - PHP object injection - SA-CONTRIB-2026-050
Source: Drupal | Added: 3 days ago | 5 views

The Plotly.js Graphing module provides a fully customizable implementation of the open source Plotly.js graphing library. The module stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection...

AI score: 5.4 | Exploits: 0 | References: 2

Formatter Field - Critical - PHP object injection - SA-CONTRIB-2026-048
Source: Drupal | Added: 3 days ago | 5 views

The Formatter Field module provides a mechanism for specifying a formatter and formatter settings to be used for displaying a field, on a per-entity basis. formatterfield stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can...

AI score: 5.9 | Exploits: 0 | References: 2

Tagify - Moderately critical - Cross-site scripting (XSS) - SA-CONTRIB-2026-043
Source: Drupal | Added: 2026/06/10 12:00 a.m. | 5 views

This module integrates the Tagify JavaScript library to enhance entity reference selection in entity reference widgets. The module does not properly sanitise the name of parent taxonomy terms when rendering suggestions in the Tagify dropdown. This results in a cross-site scripting vulnerability...

AI score: 5.5 | Exploits: 0 | References: 2

Mother May I - Critical - Unsupported - SA-CONTRIB-2026-045
Source: Drupal | Added: 2026/06/10 12:00 a.m. | 5 views

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

AI score: 5.2 | Exploits: 0 | References: 2

Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073
Source: Drupal | Added: 2024/12/11 12:00 a.m. | 5 views

This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page. The Login Disable module does not correctly prevent a user with a disabled login from logging in, allowing those users to by-pass...

CVSS: 5.4 | AI score: 6.7 | EPSS: 0.00246 | Exploits: 0 | References: 7

OhDear Integration - Moderately critical - Access bypass - SA-CONTRIB-2024-056
Source: Drupal | Added: 2024/10/30 12:00 a.m. | 5 views

Integrates your Drupal website with the Oh Dear monitoring app. Cached data of monitoring results is accessible to non-logged in users when caching is enabled on the module. This vulnerability is mitigated by the fact that it only affects sites where caching is enabled for OhDear report healthche...

CVSS: 5.3 | AI score: 5.5 | EPSS: 0.00292 | Exploits: 0 | References: 6

S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2023-014
Source: Drupal | Added: 2023/05/03 12:00 a.m. | 5 views

S3 File System (s3fs) provides an additional file system to your Drupal site, which stores files in Amazon's Simple Storage Service (S3) or any other S3-compatible storage service. This module may fail to validate that a file being requested to be moved to storage was uploaded during the same web...

AI score: 5.6 | Exploits: 0 | References: 4

Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049
Source: Drupal | Added: 2022/07/27 12:00 a.m. | 5 views

This module enables you to conditionally display blocks in particular theme regions. The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction. This vulnerability is mitigated by the fact that an attacker mu...

AI score: 5.5 | Exploits: 0 | References: 8

Client-side Hierarchical Select - Moderately critical - Cross-site scripting - SA-CONTRIB-2021-031
Source: Drupal | Added: 2021/09/22 12:00 a.m. | 5 views

The module provides a field widget for selecting taxonomy terms in a hierarchical fashion. The module doesn't sanitize user input in certain cases, leading to a possible Cross-Site-Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with...

AI score: 5.6 | Exploits: 0 | References: 6

Services - Moderately critical - Access bypass - SA-CONTRIB-2020-022
Source: Drupal | Added: 2020/06/03 12:00 a.m. | 5 views

This module provides a standardized solution for building APIs so that external clients can communicate with Drupal. The module's taxonomy term index resource doesn't take into consideration certain access control tags provided but unused by core, that certain contrib modules depend on. This...

AI score: 7 | Exploits: 0 | References: 5

JSON:API - Highly critical - Remote code execution - SA-CONTRIB-2019-019
Source: Drupal | Added: 2019/02/20 12:00 a.m. | 5 views

This resolves issues described in SA-CORE-2019-003 for this module...

AI score: 7.2 | Exploits: 0 | References: 2

Login Alert - Moderately critical - Access bypass - SA-CONTRIB-2019-013
Source: Drupal | Added: 2019/02/06 12:00 a.m. | 5 views

This module provides a field on user profiles which allows users to get a notification when their account logs in to the site. The notification e-mail includes a link which will terminate all sessions for that user. This is useful in the case of unauthorised access to the account. The module...

AI score: 7 | Exploits: 0 | References: 6

Nodeaccess - Critical - Unsupported - SA-CONTRIB-2019-009
Source: Drupal | Added: 2019/01/23 12:00 a.m. | 5 views

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...

AI score: 7.1 | Exploits: 0 | References: 2

Image Annotator [Annotorious] - Critical - Unsupported - SA-CONTRIB-2019-006
Source: Drupal | Added: 2019/01/23 12:00 a.m. | 5 views

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...

AI score: 7.1 | Exploits: 0 | References: 2

Entity Delete - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-040
Source: Drupal | Added: 2018/06/06 12:00 a.m. | 5 views

This module enables you to delete any type of entity in bulk. The module doesn't sufficiently verify access permissions under its use cases, leading to access bypass. The module also does not protect against Cross Site Request Forgeries on its delete process. The access bypass vulnerability is...

AI score: 7 | Exploits: 0 | References: 5

Corporate Site - Critical - Unsupported - SA-CONTRIB-2018-032
Source: Drupal | Added: 2018/05/23 12:00 a.m. | 5 views

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466. The security team marks all unsupported themes and modules...

AI score: 7.2 | Exploits: 0 | References: 2

Hotel - Critical - Unsupported - SA-CONTRIB-2018-034
Source: Drupal | Added: 2018/05/23 12:00 a.m. | 6 views

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466. The security team marks all unsupported themes and modules...

AI score: 7.2 | Exploits: 0 | References: 2

iShopping - Critical - Unsupported - SA-CONTRIB-2018-033
Source: Drupal | Added: 2018/05/23 12:00 a.m. | 5 views

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466. The security team marks all unsupported themes and modules...

AI score: 7.2 | Exploits: 0 | References: 2

TB Sirate - Critical - Unsupported - SA-CONTRIB-2018-035
Source: Drupal | Added: 2018/05/23 12:00 a.m. | 5 views

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466. The security team marks all unsupported themes and modules...

AI score: 7.2 | Exploits: 0 | References: 2

DRD Agent - Critical - PHP object injection - SA-CONTRIB-2018-022
Source: Drupal | Added: 2018/04/25 12:00 a.m. | 5 views

This module enables you to monitor and manage any number of remote Drupal sites and aggregate useful information for administrators in a central dashboard. The modules DRD and DRD Agent encrypt the data which is exchanged between them but in order to do so, they use the PHP serialize/unserialize...

AI score: 7.4 | Exploits: 0 | References: 3

SA-CONTRIB-2013-079 - Context - Multiple Vulnerabilities
Source: Drupal | Added: 2013/10/16 3:39 p.m. | 5 views

Context allows you to manage contextual conditions and reactions for different portions of your site. This advisory covers two separate issues. Arbitrary PHP code execution: The first, and more severe, issue (Highly Critical status) is that the module allows execution of PHP code via manipulation of ...

AI score: 6 | Exploits: 0 | References: 12

SA-CONTRIB-2010-079 - Devel (Performance logging) - Cross Site Scripting
Source: Drupal | Added: 2010/08/04 12:00 a.m. | 5 views

The devel project is a suite of modules for developers and themers. Within the devel project, there is the performance logging module. The module does not escape URLs comprised of node paths, leading to a Cross Site Scripting (XSS) vulnerability. Users with the permission to access the reports that...

AI score: 5.3 | Exploits: 0 | References: 3

SA-CONTRIB-2010-053 - External Link Page - Cross Site Scripting (XSS)
Source: Drupal | Added: 2010/05/19 12:00 a.m. | 5 views

The External Link Page provides a content filter that redirects external links to a customizable page. This page informs the user that they are about to leave the site and then redirects them. The module does not sanitise data input in its administration page before displaying it on redirect...

AI score: 4.8 | Exploits: 0 | References: 5

SA-CONTRIB-2009-082 - Filefield module access bypass
Source: Drupal | Added: 2009/10/20 12:00 a.m. | 5 views

The FileField module allows users to upload files through an AJAX-upload widget that can be added to content types through CCK. In the 3.1 version of FileField, the module would not restrict access to files based on node-access permissions when using Drupal core's private file system. Versions...

AI score: 5.4 | Exploits: 0 | References: 5

SA-CONTRIB-2009-056 - Node2Node, Node Browser, Subdomain Manager, Quota by role, Rest API with vulnerabilities, now abandoned
Source: Drupal | Added: 2009/09/09 12:00 a.m. | 5 views

Multiple vulnerabilities have been found in the following modules which have been abandoned. Their releases have been unpublished and it is recommended that they be disabled and un-installed if in use. Modules: Node2Node, Node Browser, Subdomain Manager, Quota by role, Rest API. Drupal core is not...

AI score: 5.5 | Exploits: 0 | References: 10

Revision to DRUPAL-SA-2006-013 - Recipe
Source: Drupal | Added: 2006/08/08 12:00 a.m. | 5 views

It is possible for a malicious user to insert and execute XSS (Cross Site Scripting), due to lack of validation on output from the contributed Recipe module. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. This is a revision to...

AI score: 5.6 | Exploits: 0 | References: 5

DRUPAL-SA-2006-012: Jobsearch module
Source: Drupal | Added: 2006/08/07 12:00 a.m. | 5 views

It is possible for a malicious user to inject SQL while searching for jobs or resumes using the Job Search module. Versions affected: Please check the CVS $Id$ field in the file job.module to determine whether the version you are running is vulnerable. All 4.6 versions older than the following are...

AI score: 5.6 | Exploits: 0 | References: 2

SQL injection and PHP code execution
Source: Drupal | Added: 2005/10/03 12:00 a.m. | 5 views

Wolfgang Ziegler has discovered multiple security vulnerabilities in the contributed flexinode module. Versions affected: Please check the CVS $Id$ fields in the following files to determine whether the version of the flexinode module you are running is vulnerable. All versions older than the...

AI score: 5.4 | Exploits: 0 | References: 5

Total number of security vulnerabilities: 1911