Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2019/01/23 12:0 a.m.7 views

Nodeaccess - Critical - Unsupported - SA-CONTRIB-2019-009

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...

7.1AI score
Exploits0References2
Drupal
Drupal
added 2019/01/23 12:0 a.m.7 views

Expand collapse formatter - Critical - Unsupported - SA-CONTRIB-2019-011

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...

7.1AI score
Exploits0References2
Drupal
Drupal
added 2019/01/23 12:0 a.m.7 views

Webform Table Element - Critical - Unsupported - SA-CONTRIB-2019-005

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...

7.1AI score
Exploits0References2
Drupal
Drupal
added 2018/06/06 12:0 a.m.7 views

Mollom - Critical - Unsupported - SA-CONTRIB-2018-038

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466. The security team marks all unsupported projects critical...

7.2AI score
Exploits0References2
Drupal
Drupal
added 2018/05/23 12:0 a.m.7 views

Protected Pages - Critical - Unsupported - SA-CONTRIB-2018-028

Update: 2018-06-03 A new maintainer has stepped forward and this project now has a stable release. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please rea...

7.2AI score
Exploits0References3
Drupal
Drupal
added 2018/02/14 12:0 a.m.7 views

Entity Backup - Critical - Module Unsupported - SA-CONTRIB-2018-012

The main purpose of the Entity Backup module is to keep a backup of deleted Drupal core entities and perform recovery of them. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to...

7.2AI score
Exploits0References2
Drupal
Drupal
added 2017/12/20 12:0 a.m.7 views

Link Click Count - Critical - Unsupported - SA-CONTRIB-2017-094

The Link Click Count module helps you to monitor the traffic to your website by creating link fields. These link fields can be individual links or internal/external links that can be added to the content type. The security team is marking this module unsupported. There is a known security issue...

7.2AI score
Exploits0References2
Drupal
Drupal
added 2013/10/16 3:39 p.m.7 views

SA-CONTRIB-2013-079 - Context - Multiple Vulnerabilities

Context allows you to manage contextual conditions and reactions for different portions of your site This advisory covers two separate issues. Arbitrary PHP Code Execution The first, and more severe issue Highly Critical status, is that the module allows execution of PHP code via manipulation of ...

6AI score
Exploits0References12
Drupal
Drupal
added 2010/08/11 12:0 a.m.7 views

SA-CONTRIB-2010-086 - Prepopulate - Access Bypass

The Prepopulate module provides the ability for form fields to be pre-populated via the request sent for the form. The module is vulnerable to access bypass which would allow a malicious user to change the value of fields they would not otherwise have access to alter. Versions affected Prepopulat...

7.1AI score
Exploits0References7
Drupal
Drupal
added 2009/11/04 12:0 a.m.7 views

SA-CONTRIB-2009-090 - User Protect - Cross Site Request Forgery

User Protect provides various editing protection for users. The protections can be specific to a user, or applied to all users in a role. User administrators can be individually configured to be allowed to bypass the protections. The Drupal Forms API protects against cross site request forgeries...

6.8AI score
Exploits0References7
Drupal
Drupal
added 2006/08/08 12:0 a.m.7 views

Revision to DRUPAL-SA-2006-013 - Recipe

It is possible for a malicious user to insert and execute XSS Cross Site Scripting, due to lack of validation on output from the contributed Recipe module. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. This is a revision to...

5.6AI score
Exploits0References5
Drupal
Drupal
added 6 days ago6 views

AI SEO/GEO Analyzer - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-076

The AI SEO/GEO Analyzer module generates SEO/GEO analysis reports by sending content of an entity including its comments to an LLM, then converts the model's Markdown response to HTML and stores it for display to privileged users. The generated HTML was rendered without passing through Drupal's...

6AI score0.00254EPSS
Exploits0References2
Drupal
Drupal
added 2026/07/01 12:0 a.m.6 views

FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-068

This module enables you to test and run AI-driven workflows interactively through a chat interface. The module doesn't sufficiently re-evaluate a human-in-the-loop approval gate where the workflow iterates more than once. This may result in execution of workflows that were not intended by the use...

6.1AI score0.0018EPSS
Exploits0References2
Drupal
Drupal
added 2024/12/11 12:0 a.m.6 views

Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073

This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page. The Login Disable module does not correctly prevent a user with a disabled login from logging in, allowing those users to by-pass...

5.4CVSS6.7AI score0.00251EPSS
Exploits0References7
Drupal
Drupal
added 2022/12/14 12:0 a.m.6 views

H5P - Create and Share Rich Content and Applications - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-064

This module enables you to create interactive content. The module doesn't sufficiently stop path traversal attacks through zipped filenames for the uploadable .h5p files. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "update h5p libraries". In...

5.6AI score
Exploits0References5
Drupal
Drupal
added 2022/05/04 12:0 a.m.6 views

Duo Two-Factor Authentication - Critical - Unsupported - SA-CONTRIB-2022-039

The security team is marking this project unsupported. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

5.5AI score
Exploits0References2
Drupal
Drupal
added 2022/01/25 12:0 a.m.6 views

Exif - Critical - Remote code execution - SA-CONTRIB-2022-015

This module enables you to automatically scan images uploaded to the site to extract their meta data and store it in taxonomy structures. The module doesn't sufficiently protect against malicious files being used to attack the site. This vulnerability is mitigated by the fact that an attacker mus...

5.4AI score
Exploits0References9
Drupal
Drupal
added 2021/09/22 12:0 a.m.6 views

Client-side Hierarchical Select - Moderately critical - Cross-site scripting - SA-CONTRIB-2021-031

The module provides a field widget for selecting taxonomy terms in a hierarchical fashion. The module doesn't sanitize user input in certain cases, leading to a possible Cross-Site-Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with...

5.6AI score
Exploits0References6
Drupal
Drupal
added 2020/06/03 12:0 a.m.6 views

Services - Moderately critical - Access bypass - SA-CONTRIB-2020-022

This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The module's taxonomy term index resource doesn't take into consideration certain access control tags provided but unused by core, that certain contrib modules depend on. This...

7AI score
Exploits0References5
Drupal
Drupal
added 2019/05/22 12:0 a.m.6 views

Menu Item Extras - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2019-050

This module enables you to handle fields for Custom Menu Links. The module doesn't sufficiently check requests to one of the module controllers if the user has permission 'administer menu'. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create...

5.6AI score
Exploits0References7
Drupal
Drupal
added 2019/02/20 12:0 a.m.6 views

JSON:API - Highly critical - Remote code execution - SA-CONTRIB-2019-019

This resolves issues described in SA-CORE-2019-003 for this module...

7.2AI score
Exploits0References2
Drupal
Drupal
added 2019/02/06 12:0 a.m.6 views

Login Alert - Moderately critical - Access bypass - SA-CONTRIB-2019-013

This module provides a field on user profiles which allows users to get a notification when their account logs in to the site. The notification e-mail includes a link which will terminate all sessions for that user. This is useful in the case of unauthorised access to the account. The module...

7AI score
Exploits0References6
Drupal
Drupal
added 2019/01/23 12:0 a.m.6 views

Image Annotator [Annotorious] - Critical - Unsupported - SA-CONTRIB-2019-006

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...

7.1AI score
Exploits0References2
Drupal
Drupal
added 2018/10/17 12:0 a.m.6 views

Mime Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-068

The MIME Mail module allows to send MIME-encoded e-mail messages with embedded images and attachments. The module doesn't sufficiently sanitized some variables for shell arguments when sending email, which could lead to arbitrary remote code execution. This issue is related to the Drupal Core...

8.1AI score
Exploits0References6
Drupal
Drupal
added 2018/06/06 12:0 a.m.6 views

AdTego SiteIntel - AdBlocker Detect - Critical - Unsupported - SA-CONTRIB-2018-039

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...

7.1AI score
Exploits0References2
Drupal
Drupal
added 2018/06/06 12:0 a.m.6 views

Entity Delete - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-040

This module enables you to delete any types of entities in bulk. The module doesn't sufficiently verify access permissions under its use cases, leading to access bypass. The module also does not protect against Cross Site Request Forgeries on its delete process. The access bypass vulnerability is...

7AI score
Exploits0References5
Drupal
Drupal
added 2018/05/23 12:0 a.m.6 views

Corporate Site - Critical - Unsupported - SA-CONTRIB-2018-032

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466. The security team marks all unsupported themes and modules...

7.2AI score
Exploits0References2
Drupal
Drupal
added 2018/05/23 12:0 a.m.6 views

iShopping - Critical - Unsupported - SA-CONTRIB-2018-033

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466. The security team marks all unsupported themes and modules...

7.2AI score
Exploits0References2
Drupal
Drupal
added 2018/05/23 12:0 a.m.6 views

TB Sirate - Critical - Unsupported - SA-CONTRIB-2018-035

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466. The security team marks all unsupported themes and modules...

7.2AI score
Exploits0References2
Drupal
Drupal
added 2018/05/23 12:0 a.m.7 views

Hotel - Critical - Unsupported - SA-CONTRIB-2018-034

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466. The security team marks all unsupported themes and modules...

7.2AI score
Exploits0References2
Drupal
Drupal
added 2018/05/23 12:0 a.m.6 views

TB Nucleus - Critical - Unsupported - SA-CONTRIB-2018-031

Update - 2018-09-26 This maintainer has fixed this security issue. Please install https://www.drupal.org/project/nucleus/releases/7.x-1.6 to fix the security issue The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the...

7.2AI score
Exploits0References3
Drupal
Drupal
added 2018/04/25 12:0 a.m.6 views

DRD Agent - Critical - PHP object injection - SA-CONTRIB-2018-022

This module enables you to monitor and manage any number of remote Drupal sites and aggregate useful information for administrators in a central dashboard. The modules DRD and DRD Agent encrypt the data which is exchanged between them but in order to do so, they use the PHP serialize/unserialize...

7.4AI score
Exploits0References3
Drupal
Drupal
added 2018/02/14 12:0 a.m.6 views

VChess - Critical - Module Unsupported - SA-CONTRIB-2018-009

The Drupal VChess module allows users to play a chess game. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466...

7.1AI score
Exploits0References3
Drupal
Drupal
added 2017/11/29 12:0 a.m.6 views

Services single sign-on client - Critical - Cross-site scripting - SA-CONTRIB-2017-087

This module allows users of a remote Services-enabled Drupal site to sign on to a second site with their credentials. The module does not sanitize information from the request before displaying it, thereby exposing a cross-site scripting vulnerability...

5.1AI score
Exploits0References6
Drupal
Drupal
added 2017/10/18 12:0 a.m.6 views

Yandex.Metrics - Moderately critical - Cross site scripting - SA-CONTRIB-2017-078

The Yandex.Metrics module allows you to look for key indicators of your site effectiveness. The module doesn't sufficiently let users know a setting page should not be given to untrusted users. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...

5.5AI score
Exploits0References7
Drupal
Drupal
added 2013/10/16 6:39 p.m.6 views

SA-CONTRIB-2013-080 - Simplenews - Cross Site Scripting (XSS)

This module enables you to publish and send newsletters to lists of subscribers. The module also includes an API that other modules can use to register subscribers. The module doesn't sufficiently sanitize e-mail addresses prior to outputting. The provided forms sign-up, mass import, .. validate...

4.3CVSS5.5AI score0.02688EPSS
Exploits0References10
Drupal
Drupal
added 2010/08/04 12:0 a.m.6 views

SA-CONTRIB-2010-079 - Devel (Performance logging) - Cross Site Scripting

The devel project is a suite of modules for developers and themers. Within the devel project, there is the performance logging module. The module does not escape URLs comprised of node paths, leading to a Cross Site Scripting XSS vulnerability. Users with the permission to access the reports that...

5.3AI score
Exploits0References3
Drupal
Drupal
added 2010/06/23 12:0 a.m.6 views

SA-CONTRIB-2010-070 - Multiple vulnerabilities in multiple contributed modules

Versions affected and proposed solutions Easy Translator for Drupal 6.x The module is vulnerable to SQL injections. Solution: Disable the module. There is no safe version of the module to use. Block Queue for Drupal 6.x The Block Queue module allows users to create "queues" of blocks much like...

5.8AI score
Exploits0References10
Drupal
Drupal
added 2010/05/19 12:0 a.m.6 views

SA-CONTRIB-2010-053 - External Link Page - Cross Site Scripting (XSS)

The External Link Page provides a content filter that redirects external links to a customizable page. This page informs the user that they are about to leave the site and then redirects them. The module does not sanitise data input in it's administration page before displaying it on redirect...

4.8AI score
Exploits0References5
Drupal
Drupal
added 2009/10/28 12:0 a.m.6 views

SA-CONTRIB-2009-088 - Workflow Multiple Cross Site Scripting Vulnerabilities

The Workflow module enables sites to define flexible process management systems. Names of workflows and workflow states are not sanitised to display as plain text, leading to a Cross Site Scripting XSS vulnerability. Exploiting this vulnerability would allow a malicious user to gain full...

6.5AI score
Exploits0References7
Drupal
Drupal
added 2009/10/20 12:0 a.m.6 views

SA-CONTRIB-2009-082 - Filefield module access bypass

The FileField module allows users to upload files through an AJAX-upload widget that can be added to content types through CCK. In the 3.1 version of FileField, the module would not restrict access to files based on node-access permissions when using Drupal core's private file system. Versions...

5.4AI score
Exploits0References5
Drupal
Drupal
added 2009/09/09 12:0 a.m.6 views

SA-CONTRIB-2009-056 - Node2Node, Node Browser, Subdomain Manager, Quota by role, Rest API with vulnerabilities, now abandoned

Multiple vulnerabilities have been found in the following modules which have been abandoned. Their releases have been unpublished and it is recommended that they be disabled and un-installed if in use. Modules Node2Node Node Browser Subdomain Manager Quota by role Rest API Drupal core is not...

5.5AI score
Exploits0References10
Drupal
Drupal
added 2006/10/26 12:0 a.m.6 views

Extended Tracker - SQL Injection

The contributed module Extended Tracker xtracker accepts parameters from URLs and uses those unescaped in SQL queries, allowing malicious users to execute SQL injection attacks. This may result in them gaining administrator privileges. Versions affected Please check the CVS $Id$ fields in the fil...

5.8AI score
Exploits0References3
Drupal
Drupal
added 2006/08/22 12:0 a.m.6 views

E-commerce Cross site scripting vulnerability

It is possible for a malicious user with the 'create products' permission to insert and execute XSS Cross Site Scripting, due to lack of validation on output. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. The create products permission is...

5.4AI score
Exploits0References4
Drupal
Drupal
added 2006/08/08 12:0 a.m.6 views

DRUPAL-SA-2006-015: Multiple vulnerabilities in Bibliography

Unescaped input is used directly in queries, allowing malicious users to execute SQL injection attacks. This may result in administrator access. It is also possible for a malicious user to insert and execute XSS Cross Site Scripting, due to lack of validation on output. This may lead to...

5.8AI score
Exploits0References5
Drupal
Drupal
added 6 days ago5 views

Login Disable - Moderately critical - Access bypass - SA-CONTRIB-2026-070

The Login Disable module prevents users from logging in to your Drupal site unless they know the secret key to add to the end of the login form page. The module doesn't sufficiently protect the disabled login form from brute force attacks. Depending on the length of the key this could allow an...

5.8AI score0.00213EPSS
Exploits0References2
Drupal
Drupal
added 6 days ago5 views

ECA: Event - Condition - Action - Less critical - Information disclosure - SA-CONTRIB-2026-074

The Events, Conditions, Actions ECA module's Render submodule enables you to build render arrays and render inline Twig templates as part of no-code ECA models. The module doesn't sufficiently sanitize template code when rendering, which can lead to information disclosure. This vulnerability is...

5.9AI score0.002EPSS
Exploits0References1
Drupal
Drupal
added 6 days ago5 views

Clean RESTful - Critical - Unsupported - SA-CONTRIB-2026-078

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.9AI score0.00236EPSS
Exploits0References2
Drupal
Drupal
added 6 days ago5 views

Siteimprove Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-073

The module doesn't sufficiently sanitize the Siteimprove Analytics identification code when inserting the JavaScript tracking code; this could be exploited to achieve Cross-Site Scripting XSS. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...

6AI score0.00186EPSS
Exploits0References2
Drupal
Drupal
added 6 days ago5 views

UI Patterns (SDC in Drupal UI) - Moderately critical - Cross site scripting - SA-CONTRIB-2026-075

This module enables you to use Single Directory Components in site building views, field formatters, blocks, layouts and it improves the Developer Experience DX with SDC. The module doesn't sufficiently sanitize the markup passed to components under certain scenarios. This vulnerability is...

5.8AI score0.00254EPSS
Exploits0References2
Total number of security vulnerabilities1940