SA-CONTRIB-2010-108 - Who Bought What|Ubercart - Multiple Vulnerabilities
The Who Bought What module collects and displays relevant information about purchases, including purchaser name, quantity, payment status, and all attributes. The module does not properly sanitize arguments passed via the URL when used in SQL queries, leading to a SQL Injection vulnerability...
SA-2008-031 - Pblog - Incorrect vulnerability report
Exploitable from: Remote Subject: Incorrect vulnerability report Several 'security'-related sources claim - with SecurityFocus as source http://www.securityfocus.com/bid/29495/info - that the third-party Drupal module Pblog is vulnerable to SQL injection attacks. The Drupal security team has...
Flexi Access - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-036
The Flexi Access module provides a simple and flexible interface to the ACL (Access Control List) module. It lets you set up and manage ACLs naming individual users that are allowed access to a particular node. The module processes user input in a way that could be unsafe. This can lead to...
Taxonomy access fix - Moderately critical - Access bypass - SA-CONTRIB-2019-093
This module extends access handling of Drupal Core's Taxonomy module. The module doesn't sufficiently check if a given entity should be access controlled, defaulting to allowing access even to unpublished Taxonomy Terms. It also doesn't sufficiently check if certain administrative routes should be access controlled, defaulting to...
Panels Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-007
Panels Breadcrumbs allows you to set your breadcrumbs directly from Panels configuration. This module doesn't properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to edit...
Exif - Critical - Access bypass - SA-CONTRIB-2018-017
This module enables you to retrieve image metadata and use it in fields or titles. The module doesn't sufficiently restrict access to module settings pages, thereby causing an access bypass vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to create...
SA-CONTRIB-2011-004 - Multiple Vulnerabilities In Multiple Contributed Modules
Versions affected and proposed solutions: OG Forum for Drupal 6.x. OG Forum creates a forum per organic group and restricts viewing forum nodes by group membership. OG Forum does not properly implement access controls on private forums it creates, which can lead to a private group's forums becoming...
SA-CONTRIB-2010-073 - Multiple Vulnerabilities In Multiple Contributed Modules
Versions affected and proposed solutions: Simple Gallery for Drupal 6.x. This module creates a simple gallery using taxonomy and CCK imagefields. The module is vulnerable to a Cross Site Scripting (XSS) attack. This can be exploited by users with the ability to add taxonomy terms or tag content...
SA-CONTRIB-2009-086 - OpenSocial Shindig-Integrator - Cross Site Scripting
The OpenSocial Shindig-Integrator module enables sites to host OpenSocial widgets. The module fails to sanitize user input, making it vulnerable to cross site scripting (XSS) attacks. This vulnerability is somewhat limited by the fact that an attacker would need an account with the permissions to...
reCAPTCHA v3 - Critical - Access bypass - SA-CONTRIB-2020-019
The reCaptcha v3 module enables you to protect your forms using the Google reCaptcha V3. If the reCaptcha v3 challenge succeeds, all the other form validations are bypassed. This makes it possible for attackers to submit invalid or incomplete forms. This vulnerability only affects forms that are...
MaxLength - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-073
This module enables you to set a maximum length allowed on text fields and indicate how many characters are left. The module doesn't sufficiently filter strings, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that the malicious script will not be...