1940 matches found
Nodeaccess - Critical - Unsupported - SA-CONTRIB-2019-009
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...
Expand collapse formatter - Critical - Unsupported - SA-CONTRIB-2019-011
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...
Webform Table Element - Critical - Unsupported - SA-CONTRIB-2019-005
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...
Mollom - Critical - Unsupported - SA-CONTRIB-2018-038
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466. The security team marks all unsupported projects critical...
Protected Pages - Critical - Unsupported - SA-CONTRIB-2018-028
Update: 2018-06-03 A new maintainer has stepped forward and this project now has a stable release. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please rea...
Entity Backup - Critical - Module Unsupported - SA-CONTRIB-2018-012
The main purpose of the Entity Backup module is to keep a backup of deleted Drupal core entities and perform recovery of them. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to...
Link Click Count - Critical - Unsupported - SA-CONTRIB-2017-094
The Link Click Count module helps you to monitor the traffic to your website by creating link fields. These link fields can be individual links or internal/external links that can be added to the content type. The security team is marking this module unsupported. There is a known security issue...
SA-CONTRIB-2013-079 - Context - Multiple Vulnerabilities
Context allows you to manage contextual conditions and reactions for different portions of your site This advisory covers two separate issues. Arbitrary PHP Code Execution The first, and more severe issue Highly Critical status, is that the module allows execution of PHP code via manipulation of ...
SA-CONTRIB-2010-086 - Prepopulate - Access Bypass
The Prepopulate module provides the ability for form fields to be pre-populated via the request sent for the form. The module is vulnerable to access bypass which would allow a malicious user to change the value of fields they would not otherwise have access to alter. Versions affected Prepopulat...
SA-CONTRIB-2009-090 - User Protect - Cross Site Request Forgery
User Protect provides various editing protection for users. The protections can be specific to a user, or applied to all users in a role. User administrators can be individually configured to be allowed to bypass the protections. The Drupal Forms API protects against cross site request forgeries...
Revision to DRUPAL-SA-2006-013 - Recipe
It is possible for a malicious user to insert and execute XSS Cross Site Scripting, due to lack of validation on output from the contributed Recipe module. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. This is a revision to...
AI SEO/GEO Analyzer - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-076
The AI SEO/GEO Analyzer module generates SEO/GEO analysis reports by sending content of an entity including its comments to an LLM, then converts the model's Markdown response to HTML and stores it for display to privileged users. The generated HTML was rendered without passing through Drupal's...
FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-068
This module enables you to test and run AI-driven workflows interactively through a chat interface. The module doesn't sufficiently re-evaluate a human-in-the-loop approval gate where the workflow iterates more than once. This may result in execution of workflows that were not intended by the use...
Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073
This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page. The Login Disable module does not correctly prevent a user with a disabled login from logging in, allowing those users to by-pass...
H5P - Create and Share Rich Content and Applications - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-064
This module enables you to create interactive content. The module doesn't sufficiently stop path traversal attacks through zipped filenames for the uploadable .h5p files. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "update h5p libraries". In...
Duo Two-Factor Authentication - Critical - Unsupported - SA-CONTRIB-2022-039
The security team is marking this project unsupported. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Exif - Critical - Remote code execution - SA-CONTRIB-2022-015
This module enables you to automatically scan images uploaded to the site to extract their meta data and store it in taxonomy structures. The module doesn't sufficiently protect against malicious files being used to attack the site. This vulnerability is mitigated by the fact that an attacker mus...
Client-side Hierarchical Select - Moderately critical - Cross-site scripting - SA-CONTRIB-2021-031
The module provides a field widget for selecting taxonomy terms in a hierarchical fashion. The module doesn't sanitize user input in certain cases, leading to a possible Cross-Site-Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with...
Services - Moderately critical - Access bypass - SA-CONTRIB-2020-022
This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The module's taxonomy term index resource doesn't take into consideration certain access control tags provided but unused by core, that certain contrib modules depend on. This...
Menu Item Extras - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2019-050
This module enables you to handle fields for Custom Menu Links. The module doesn't sufficiently check requests to one of the module controllers if the user has permission 'administer menu'. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create...
JSON:API - Highly critical - Remote code execution - SA-CONTRIB-2019-019
This resolves issues described in SA-CORE-2019-003 for this module...
Login Alert - Moderately critical - Access bypass - SA-CONTRIB-2019-013
This module provides a field on user profiles which allows users to get a notification when their account logs in to the site. The notification e-mail includes a link which will terminate all sessions for that user. This is useful in the case of unauthorised access to the account. The module...
Image Annotator [Annotorious] - Critical - Unsupported - SA-CONTRIB-2019-006
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...
Mime Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-068
The MIME Mail module allows to send MIME-encoded e-mail messages with embedded images and attachments. The module doesn't sufficiently sanitized some variables for shell arguments when sending email, which could lead to arbitrary remote code execution. This issue is related to the Drupal Core...
AdTego SiteIntel - AdBlocker Detect - Critical - Unsupported - SA-CONTRIB-2018-039
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...
Entity Delete - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-040
This module enables you to delete any types of entities in bulk. The module doesn't sufficiently verify access permissions under its use cases, leading to access bypass. The module also does not protect against Cross Site Request Forgeries on its delete process. The access bypass vulnerability is...
Corporate Site - Critical - Unsupported - SA-CONTRIB-2018-032
The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466. The security team marks all unsupported themes and modules...
iShopping - Critical - Unsupported - SA-CONTRIB-2018-033
The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466. The security team marks all unsupported themes and modules...
TB Sirate - Critical - Unsupported - SA-CONTRIB-2018-035
The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466. The security team marks all unsupported themes and modules...
Hotel - Critical - Unsupported - SA-CONTRIB-2018-034
The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466. The security team marks all unsupported themes and modules...
TB Nucleus - Critical - Unsupported - SA-CONTRIB-2018-031
Update - 2018-09-26 This maintainer has fixed this security issue. Please install https://www.drupal.org/project/nucleus/releases/7.x-1.6 to fix the security issue The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the...
DRD Agent - Critical - PHP object injection - SA-CONTRIB-2018-022
This module enables you to monitor and manage any number of remote Drupal sites and aggregate useful information for administrators in a central dashboard. The modules DRD and DRD Agent encrypt the data which is exchanged between them but in order to do so, they use the PHP serialize/unserialize...
VChess - Critical - Module Unsupported - SA-CONTRIB-2018-009
The Drupal VChess module allows users to play a chess game. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466...
Services single sign-on client - Critical - Cross-site scripting - SA-CONTRIB-2017-087
This module allows users of a remote Services-enabled Drupal site to sign on to a second site with their credentials. The module does not sanitize information from the request before displaying it, thereby exposing a cross-site scripting vulnerability...
Yandex.Metrics - Moderately critical - Cross site scripting - SA-CONTRIB-2017-078
The Yandex.Metrics module allows you to look for key indicators of your site effectiveness. The module doesn't sufficiently let users know a setting page should not be given to untrusted users. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...
SA-CONTRIB-2013-080 - Simplenews - Cross Site Scripting (XSS)
This module enables you to publish and send newsletters to lists of subscribers. The module also includes an API that other modules can use to register subscribers. The module doesn't sufficiently sanitize e-mail addresses prior to outputting. The provided forms sign-up, mass import, .. validate...
SA-CONTRIB-2010-079 - Devel (Performance logging) - Cross Site Scripting
The devel project is a suite of modules for developers and themers. Within the devel project, there is the performance logging module. The module does not escape URLs comprised of node paths, leading to a Cross Site Scripting XSS vulnerability. Users with the permission to access the reports that...
SA-CONTRIB-2010-070 - Multiple vulnerabilities in multiple contributed modules
Versions affected and proposed solutions Easy Translator for Drupal 6.x The module is vulnerable to SQL injections. Solution: Disable the module. There is no safe version of the module to use. Block Queue for Drupal 6.x The Block Queue module allows users to create "queues" of blocks much like...
SA-CONTRIB-2010-053 - External Link Page - Cross Site Scripting (XSS)
The External Link Page provides a content filter that redirects external links to a customizable page. This page informs the user that they are about to leave the site and then redirects them. The module does not sanitise data input in it's administration page before displaying it on redirect...
SA-CONTRIB-2009-088 - Workflow Multiple Cross Site Scripting Vulnerabilities
The Workflow module enables sites to define flexible process management systems. Names of workflows and workflow states are not sanitised to display as plain text, leading to a Cross Site Scripting XSS vulnerability. Exploiting this vulnerability would allow a malicious user to gain full...
SA-CONTRIB-2009-082 - Filefield module access bypass
The FileField module allows users to upload files through an AJAX-upload widget that can be added to content types through CCK. In the 3.1 version of FileField, the module would not restrict access to files based on node-access permissions when using Drupal core's private file system. Versions...
SA-CONTRIB-2009-056 - Node2Node, Node Browser, Subdomain Manager, Quota by role, Rest API with vulnerabilities, now abandoned
Multiple vulnerabilities have been found in the following modules which have been abandoned. Their releases have been unpublished and it is recommended that they be disabled and un-installed if in use. Modules Node2Node Node Browser Subdomain Manager Quota by role Rest API Drupal core is not...
Extended Tracker - SQL Injection
The contributed module Extended Tracker xtracker accepts parameters from URLs and uses those unescaped in SQL queries, allowing malicious users to execute SQL injection attacks. This may result in them gaining administrator privileges. Versions affected Please check the CVS $Id$ fields in the fil...
E-commerce Cross site scripting vulnerability
It is possible for a malicious user with the 'create products' permission to insert and execute XSS Cross Site Scripting, due to lack of validation on output. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. The create products permission is...
DRUPAL-SA-2006-015: Multiple vulnerabilities in Bibliography
Unescaped input is used directly in queries, allowing malicious users to execute SQL injection attacks. This may result in administrator access. It is also possible for a malicious user to insert and execute XSS Cross Site Scripting, due to lack of validation on output. This may lead to...
Login Disable - Moderately critical - Access bypass - SA-CONTRIB-2026-070
The Login Disable module prevents users from logging in to your Drupal site unless they know the secret key to add to the end of the login form page. The module doesn't sufficiently protect the disabled login form from brute force attacks. Depending on the length of the key this could allow an...
ECA: Event - Condition - Action - Less critical - Information disclosure - SA-CONTRIB-2026-074
The Events, Conditions, Actions ECA module's Render submodule enables you to build render arrays and render inline Twig templates as part of no-code ECA models. The module doesn't sufficiently sanitize template code when rendering, which can lead to information disclosure. This vulnerability is...
Clean RESTful - Critical - Unsupported - SA-CONTRIB-2026-078
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Siteimprove Analytics - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-073
The module doesn't sufficiently sanitize the Siteimprove Analytics identification code when inserting the JavaScript tracking code; this could be exploited to achieve Cross-Site Scripting XSS. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...
UI Patterns (SDC in Drupal UI) - Moderately critical - Cross site scripting - SA-CONTRIB-2026-075
This module enables you to use Single Directory Components in site building views, field formatters, blocks, layouts and it improves the Developer Experience DX with SDC. The module doesn't sufficiently sanitize the markup passed to components under certain scenarios. This vulnerability is...