1940 matches found
Paragraphs - Critical - Remote Code Execution - SA-CONTRIB-2019-023
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
Expand collapse formatter - Critical - Unsupported - SA-CONTRIB-2019-011
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...
Paragraphs - Moderately critical - Access Bypass - SA-CONTRIB-2018-073
The Paragraphs module allows Drupal Site Builders to make content organization cleaner so that you can give more editing power to end-users. The module doesn't sufficiently check access to create new paragraph entities which can cause access bypass issues when used in combination with other...
XML sitemap - Moderately critical - Information Disclosure - SA-CONTRIB-2018-053
This module enables you to generate XML sitemaps and it helps search engines to more intelligently crawl a website and keep their results up to date. The module doesn't sufficiently handle access rights under the scenario of updating contents from cron execution...
SimpleCrop - Critical - Unsupported - SA-CONTRIB-2018-030
Update: 2018-06-01 A new maintainer has stepped forward to maintain this module and has put out a new release. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module...
Multi-Step Registration - Critical - Unsupported Module - SA-CONTRIB-2018-023
With Multi-Step Registration you can create multi-step wizard user account registration forms. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read:...
KCFinder integration - Critical - Unsupported Module - SA-CONTRIB-2018-024
KCFinder is a multi-language file / image manager you can use to easily select, insert, upload and arrange images, flash movies, and other kinds of files. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintaine...
ComScore direct tag - Less critical - Cross site scripting - SA-CONTRIB-2017-095
This module enables you to use the comScore Direct analytics system on a site. The module doesn't sufficiently sanitize one of the configuration variables prior to rendering it. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer comScore...
CAPTCHA - Moderately Critical - Denial of Service - SA-CONTRIB-2017-073
This module enables you to use various techniques to block automated scripts / robots from submitting content to a site, e.g. to block spam comments. The module doesn't properly store the session ID of visitors who are given a session which could lead to a Denial of Service attack. This...
services_views - Unsupported - SA-CONTRIB-2017-062
Update A new maintainer has resolved this issue, please read The release notes for more information This module provides views support for the Services module. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the...
SalesCloud - Critical - Unsupported - SA-CONTRIB-2017-008
This module Connects Drupal to SalesCloud's API, a Commerce Platform as a Service. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected All versions Drupal core is not affected. If you do not use th...
Drupal Commerce - Less Critical - Information disclosure - SA-CONTRIB-2016-019
This module enables you to build an online store that uses nodes to display products through the use of product reference fields. The default widget for those fields is an autocomplete textfield similar to the taxonomy term reference field's autocomplete widget. As you type in the textfield, the...
Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass - DRUPAL-SA-CONTRIB-2016-006
This module enables you to make credit card payments for Drupal Commerce orders via the Authorize.Net payment gateway using either their SIM hosted payment page or DPM direct post method mechanisms. The module doesn't sufficiently protect against the premature triggering of order completion witho...
SA-CONTRIB-2014-125 - Organic Groups Menu - Access bypass
This module enables you to associate menus with Organic Groups OG. It allows you to create one or more menus per group, configure and apply menu permissions in a group context, add/edit menu links directly from the entity form, etc. The module doesn't sufficiently check the menu parameters passed...
SA-CONTRIB-2014-107 - Scheduler - Cross Site Scripting
The Scheduler module allows nodes to be published and unpublished on specified dates. The module allows administrators to provide additional help text on the content editing form when scheduling is enabled. The module doesn't sufficiently filter the help text which could lead to a Cross Site...
SA-CONTRIB-2014-064 -Course - Access bypass
This module enables you to create e-learning courses with any number of requirements for completion. A "Course object" is a relationship entity between a Course and a learning object, such as a Node. The module doesn't sufficiently check access on Course object edit forms. The configuration optio...
SA-CONTRIB-2013-058 - MRBS - Abandoned - Mutliple vulnerabilities
MRBS is a free, GPL, web application using PHP and MySQL/pgsql for booking meeting rooms or other resources. The module doesn't sufficiently filter user supplied data when creating queries which leads to a SQL injection vulnerability. CVE identifiers issued ACVE identifier will be requested, and...
SA-CONTRIB-2012-114 - Campaign Monitor - Cross Site Scripting (XSS)
This module enables you to integrate Campaign Monitor into Drupal so you can give users the ability to subscribe and unsubscribe for your Campaign Monitor lists. The module doesn't sufficiently validate strings entered in the administration interface. This vulnerability is mitigated by the fact...
SA-CONTRIB-2011-043 - Petition Node - Cross Site Scripting
Petition node module allows the creation of petition nodes to collect signatures to show support for a cause. The module contains a cross site scripting XSS vulnerability that can be exploited when signing a petition. This vulnerability is mitigated by the fact that it normally requires the 'sign...
SA-CONTRIB-2011-046 - Echo - Multiple Vulnerabilities
The Echo module generates a fully-themed Drupal page, returning the rendered page as a text string and allowing other modules to style an HTML message as if it had been generated by the live website. The module does not properly sanitize user-supplied content, resulting in a Cross-Site Scripting...
SA-CONTRIB-2011-031 - SunMailer - Access bypass
SunMailer Newsletter creates an email newsletter that users can subscribe to. The module includes a page where authenticated users can view and/or edit their newsletter subscription. Access to this page was accidentally granted to anonymous users, creating an access bypass that disclosed all user...
SA-CONTRIB-2011-028 - Simple Clean - Cross Site Scripting
Simple Clean is a simple and stripped clean theme for Drupal. The theme contains a cross site scripting XSS vulnerability that can be exploited when posting comments. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "post comments". Versions affect...
SA-CONTRIB-2011-019 - Menu Access - Cross Site Scripting
The Menu Access module provides global, menu specific, and per menu item security permissions by role and user account. The Menu Access module contains a cross site scripting XSS vulnerability that can be exploited when a specially formatted menu description is viewed. This could result in...
SA-CONTRIB-2011-007 - Userpoints Cross Site Scripting
The Userpoints module allows users to gain points through specific actions like contributing content. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability that may lead to a malicious user gaining full administrative...
SA-CONTRIB-2010-053 - External Link Page - Cross Site Scripting (XSS)
The External Link Page provides a content filter that redirects external links to a customizable page. This page informs the user that they are about to leave the site and then redirects them. The module does not sanitise data input in it's administration page before displaying it on redirect...
SA-CONTRIB-2010-033 - Taxonomy Filter - Cross Site Scripting (XSS)
The Taxonomy Filter module enables users to filter node listings by multiple taxonomy terms across multiple vocabularies. Vocabulary names, terms, and filter menus are not sanitized, creating a Cross Site Scripting XSS vulnerability. Exploiting this vulnerability would allow a malicious user to...
SA-CONTRIB-2010-007 - Control Panel - Cross Site Scripting
The Control Panel module enables users to add a new graphical control panel page. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. Only users with the 'administer blocks' permission are able to exploit this...
SA-CONTRIB-2009-027 - Printer, e-mail and PDF versions - Cross-site scripting
When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input. Certain byte sequences that are valid in the UTF-...
SA-2008-019 - Refine by Taxonomy - Cross site scripting
Refine by Taxonomy is a module that provides a taxonomy browsing user interface. Taxonomy terms are not escaped before display, making it possible to inject arbitrary HTML and script code into pages which contain the Refine by Taxonomy feature. This may lead to administrator access if certain...
Pathauto cross site scripting vulnerability
It is possible for a malicious user to execute XSS Cross Site Scripting by enticing a victim to click on a specially crafted link. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. Versions affected Please check the CVS $Id$ fields in the file...
Easylinks multiple vulnerabilities
Unescaped input is used directly in queries, allowing malicious users to execute SQL injection attacks. This may result in administrator privileges. It is also possible for a malicious user to insert and execute XSS Cross Site Scripting, due to lack of validation on output. This may lead to...
DRUPAL-SA-2006-012: Jobsearch module
It is possible for a malicious user to inject SQL while searching for jobs or resumes using the Job Search module. Versions affected Please check the CVS $Id$ field in the file job.module to determine whether the version you are running is vulnerable. All 4.6 versions older than the following are...
DRUPAL-SA-2006-013: Recipe module
It is possible for a malicious user to insert and execute XSS, due to lack of validation on output. Versions affected Please check the CVS $Id$ field in the file recipe.module to determine whether the version you are running is vulnerable. Versions older than the following are vulnerable: // $Id:...
Raw Formatter [Meta Tag Formatter] - Critical - Unsupported - SA-CONTRIB-2026-077
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Location Selector - Critical - SQL Injection - SA-CONTRIB-2026-072
The Location Selector module provides a Views filter for selecting location values. One of the provided Views filters does not sufficiently sanitize values that may come from user input, resulting in a SQL injection vulnerability. This vulnerability is mitigated by the fact that a View must exist...
Ray Enterprise Translation - Moderately critical - Cross site request forgery - SA-CONTRIB-2026-071
The Lingotek Ray Enterprise Translation provides multilingual site management. The module fails to protect several state-changing administrative routes against Cross Site Request Forgery attacks. An attacker could trick a privileged user into visiting a crafted page that triggers actions such as...
FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067
This module enables you to test and run AI-driven workflows interactively through a chat interface. The module doesn't sufficiently enforce permissions on certain endpoints. Attackers may be able to trigger workflow execution incurring LLM spend and tool side effects or send messages into other...
Drupal Canvas - Moderately critical - Improper validation - SA-CONTRIB-2026-066
The Canvas module allow you to upload image files via a custom API. The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image. Certain web-server configurations may serve the uploaded file...
AI Agents - Moderately critical - Information disclosure, Access bypass - SA-CONTRIB-2026-057
This module provides the entity type and runtime for Drupal AI Agents, enabling agents to use tools. Under certain circumstances, the agent inherits deterministic parameters when invoking the same tool in one request, which can lead to information disclosure...
WissKI - Critical - Access bypass - SA-CONTRIB-2026-059
The module adds support for the mirador viewer in WissKI and enables annotations on images via the mirador viewer. It does not sufficiently check the submitted parameters via a route and writes these to the session object without further checks, which can lead to Access Bypass. This vulnerability...
Paragraphs - Moderately critical - Access bypass - SA-CONTRIB-2026-061
The optional Paragraphs Library module allows the reuse of paragraphs in multiple places. The module doesn't sufficiently restrict access to direct child paragraphs of library items through API endpoints. This vulnerability is mitigated by the fact the paragraphslibrary module must be in use and...
OpenAI Provider - Moderately critical - Server-side Request Forgery - SA-CONTRIB-2026-053
This module enables you to use OpenAI as a provider for the AI module. The module doesn't sufficiently sanitize user-supplied URLs, leading to a Server-side request forgery SSRF vulnerability. This vulnerability is mitigated by the fact that an attacker must have the access to change the host url...
Salesforce Suite - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-063
The Salesforce Suite of modules integrates Drupal with Salesforce. The Salesforce module does not properly validate the OAuth handshake during interactive authentication, allowing an attacker to hijack the authorization token and bind the site to an attacker's Salesforce account. This vulnerabili...
AI (Artificial Intelligence) - Moderately critical - Access bypass - SA-CONTRIB-2026-055
This module enables you to utilize an agent to use Drupal core actions tools with bypassed access. Certain Drupal core actions, exposed as agent tools did not have correct access validation, and some core actions were missing associated access-level definitions. This vulnerability is mitigated by...
Commerce Realex / Global Payments - Moderately critical - Access Bypass - SA-CONTRIB-2026-058
This module enables you to take payments through the Global Payments / Realex Hosted Payment Page HPP, either via a lightbox iframe or via a full-page redirect. When the gateway is configured with the redirect payment method, the module doesn't sufficiently verify the authenticity of the payment...
AI (Artificial Intelligence) - Moderately critical - Information Disclosure / Cross-site Scripting - SA-CONTRIB-2026-054
The module and certain submodules AI Automators, AI Translate, AI API Explorer, AI Content Suggestions provide the ability to use an LLM to generate HTML or Markdown and preview it in a browser. Under certain circumstances, rendering of this HTML can lead to Cross Site Scripting, or exposing secr...
Advanced File Destination - Critical - Multiple vulnerabilities - SA-CONTRIB-2025-057
The Advanced File Destination module enhances file upload management in Drupal by allowing users to choose and create custom directories during file uploads. The module has multiple vulnerabilities that were reported through the Drupal Security Team's coordinated vulnerability process. The projec...
Stage File Proxy - Moderately critical - Denial of Service - SA-CONTRIB-2025-035
Stage File Proxy is a general solution for getting production files on a development server on demand. The module doesn't sufficiently validate the existence of remote files prior to attempting to download and create them. An attacker could send many requests and exhaust disk resources. This...
Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048
This module provides a new UI experience for node editing using the Gutenberg Editor library. The module did not sufficiently protect some routes against a Cross Site Request Forgery attack. This vulnerability is mitigated by the fact that the tricked user needs to have an active session with the...
highlight.php - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-043
Provides highlight.php integration to Drupal, allowing blocks to be automatically highlighted with the correct language. The module's Twig function doesn't sufficiently filter user-entered data...