Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2020/07/29 12:0 a.m.5 views

Hostmaster (Aegir) - Moderately critical - Access bypass, Arbitrary code execution - SA-CONTRIB-2020-031

Aegir is a powerful hosting system that sits alongside a LAMP or LEMP server to create, deploy and manage Drupal sites. Given that Aegir can use both Apache and Nginx Web servers, Apache allows configuration-writing users to escalate their privileges to the superuser root, and Aegir's operations...

5.8AI score
Exploits0References16
Drupal
Drupal
added 2019/11/13 12:0 a.m.5 views

Taxonomy CSV import/export - Moderately critical - Information disclosure - SA-CONTRIB-2019-084

Updated January 9th, 2020 This module enables you to import taxonomy terms from different sources, including a text area, a file upload or a file present in the web server. The module doesn't sufficiently validate user input when providing a local filename to import. This vulnerability is mitigat...

5.6AI score
Exploits0References5
Drupal
Drupal
added 2019/08/14 12:0 a.m.5 views

External Links Filter - Moderately critical - Open Redirect Vulnerability - SA-CONTRIB-2019-063

The External Link Filter module provides an input filter that replaces external links by a local link that redirects to the target URL. The module did not have protection for the Redirect URL to go where content authors intended...

5.6AI score
Exploits0References8
Drupal
Drupal
added 2019/04/17 12:0 a.m.5 views

Stage File Proxy - Less critical - Denial of Service - SA-CONTRIB-2019-044

Stage File Proxy is a general solution for getting production files on a development server on demand. The module doesn't sufficiently validate requested urls, allowing an attacker to send repeated requests for files that do not exist which could exhaust resources on the server where Stage File...

5.6AI score
Exploits0References7
Drupal
Drupal
added 2018/12/19 12:0 a.m.5 views

JSON:API - Moderately critical - Access bypass - SA-CONTRIB-2018-081

This module provides a JSON:API specification-compliant HTTP API for accessing and manipulating Drupal content and configuration entities. The module doesn't sufficiently check access when responding to certain filtered collection requests, thereby causing an access bypass vulnerability. This mea...

7.2AI score
Exploits0References14
Drupal
Drupal
added 2018/10/17 12:0 a.m.5 views

Mime Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-068

The MIME Mail module allows to send MIME-encoded e-mail messages with embedded images and attachments. The module doesn't sufficiently sanitized some variables for shell arguments when sending email, which could lead to arbitrary remote code execution. This issue is related to the Drupal Core...

8.1AI score
Exploits0References6
Drupal
Drupal
added 2018/09/26 12:0 a.m.5 views

Taxonomy File Tree - Moderately critical - Access bypass - SA-CONTRIB-2018-061

Taxonomy File Tree allows site managers to create file trees. For files managed as Drupal files, the module does not properly check that a user has access to a file before letting the user download the file. This vulnerability only affects sites that use private files...

5.3AI score
Exploits0References7
Drupal
Drupal
added 2018/06/06 12:0 a.m.5 views

AdTego SiteIntel - AdBlocker Detect - Critical - Unsupported - SA-CONTRIB-2018-039

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...

7.1AI score
Exploits0References2
Drupal
Drupal
added 2018/05/23 12:0 a.m.5 views

Education - Critical - Unsupported - SA-CONTRIB-2018-036

The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466. The security team marks all unsupported themes and modules...

7.2AI score
Exploits0References2
Drupal
Drupal
added 2018/05/23 12:0 a.m.5 views

Zircon - Critical - Unsupported - SA-CONTRIB-2018-037

Update - 2018-09-26 This maintainer has fixed this security issue. Please install https://www.drupal.org/project/zircon/releases/7.x-1.2 to resolve the issue. The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the...

7.2AI score
Exploits0References3
Drupal
Drupal
added 2018/05/09 12:0 a.m.5 views

Simple Taxonomy Revision - Critical - Unsupported - SA-CONTRIB-2018-025

Simple Taxonomy Revision module enables revisions for taxonomy terms for Drupal 8. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read:...

7.2AI score
Exploits0References3
Drupal
Drupal
added 2017/12/20 12:0 a.m.5 views

Directory based organisational layer - Critical - Unsupported - SA-CONTRIB-2017-096

This module adds a new organizational layer to Drupal, making it easy for managing large numbers of files and nodes. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. The security team takes action in...

7.3AI score
Exploits0References2
Drupal
Drupal
added 2017/11/29 12:0 a.m.5 views

bootstrap_carousel - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-088

This module provides a way to make carousels, based on bootstrap-carousel.js. The module doesn't sufficiently handle output of img HTML tag's alt property. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Carousel: Create new content" or any simil...

6.9AI score
Exploits0References5
Drupal
Drupal
added 2017/10/18 12:0 a.m.5 views

Yandex.Metrics - Moderately critical - Cross site scripting - SA-CONTRIB-2017-078

The Yandex.Metrics module allows you to look for key indicators of your site effectiveness. The module doesn't sufficiently let users know a setting page should not be given to untrusted users. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...

5.5AI score
Exploits0References7
Drupal
Drupal
added 2013/10/16 6:39 p.m.5 views

SA-CONTRIB-2013-080 - Simplenews - Cross Site Scripting (XSS)

This module enables you to publish and send newsletters to lists of subscribers. The module also includes an API that other modules can use to register subscribers. The module doesn't sufficiently sanitize e-mail addresses prior to outputting. The provided forms sign-up, mass import, .. validate...

4.3CVSS5.5AI score0.02688EPSS
Exploits0References10
Drupal
Drupal
added 2010/12/01 12:0 a.m.5 views

SA-CONTRIB-2010-107 - Services - Access bypass

The Services module allows users to expose Drupal functionality to remote users. Services provides the ability for users to update nodes contained in a drupal install via the services api. When using using the node.save service it is possible for a user to supply a specifically crafted node or...

5.5AI score
Exploits0References5
Drupal
Drupal
added 2010/07/28 12:0 a.m.5 views

SA-CONTRIB-2010-076 - Dashboard - Cross Site Scripting (CSS)

The dashboard module allows users to create a personalized set of pages of widgets created from existing blocks and nodes like iGoogle. The module does not escape user generated names for tags & titles associated with default widgets that are added to a user dashboard page, leading to a Cross Sit...

5.3AI score
Exploits0References8
Drupal
Drupal
added 2010/05/19 12:0 a.m.5 views

SA-CONTRIB-2010-052 - Multiple vulnerabilities in multiple contributed modules

Versions affected and proposed solutions Private Message versions for the 5.x versions of Drupal The Privatemsg also known as Private Message module enables messages to be sent internally on a site. The module is vulnerable to cross-site request forgeries CSRF via it's message delete form. This...

5.3AI score
Exploits0References25
Drupal
Drupal
added 2010/03/09 12:0 a.m.5 views

SA-CONTRIB-2010-025 - TinyMCE - Cross Site Scripting (XSS)

The TinyMCE module provides a "WYSIWYG" tool for entering rich text into various parts of a site. The TinyMCE module displayed text entered by an admin without filtering that text leading to a Cross Site Scription XSS vulnerability. XSS vulnerabilities may expose site administrative accounts whic...

5.4AI score
Exploits0References4
Drupal
Drupal
added 2008/06/11 12:0 a.m.5 views

SA-2008-031 - Pblog - Incorrect vulnerability report

Exploitable from: Remote Subject: Incorrect vulnerability report Several 'security'-related sources claim - with SecurityFocus as source http://www.securityfocus.com/bid/29495/info - that the third-party Drupal module Pblog is vulnerable to SQL injection attacks. The Drupal security team has...

5.8AI score
Exploits0References3
Drupal
Drupal
added 6 days ago4 views

Commerce guest registration - Critical - Unsupported - SA-CONTRIB-2026-079

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.9AI score0.00236EPSS
Exploits0References3
Drupal
Drupal
added 2022/05/04 12:0 a.m.4 views

Duo Two-Factor Authentication - Critical - Unsupported - SA-CONTRIB-2022-039

The security team is marking this project unsupported. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

5.5AI score
Exploits0References2
Drupal
Drupal
added 2020/01/15 12:0 a.m.4 views

Radix - Moderately critical - Cross site scripting - SA-CONTRIB-2020-001

Radix is a base theme for Drupal, with Bootstrap 4, Sass, ES6 and BrowserSync built-in. The module doesn't sufficiently filter menu titles when used in a dropdown in the main menu. This vulnerability is mitigated by the fact that an attacker must have permission to edit a menu title used in the...

5.7AI score
Exploits0References5
Drupal
Drupal
added 2019/02/27 12:0 a.m.4 views

Context - Moderately critical - Cross site scripting - SA-CONTRIB-2019-028

This module enables you to manage contextual conditions and reactions for different portions of your site. The module doesn't sufficiently sanitize user output when displayed leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must hav...

5.4AI score
Exploits0References8
Drupal
Drupal
added 2019/01/23 12:0 a.m.4 views

Gridstack field - Critical - Unsupported - SA-CONTRIB-2019-008

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...

7.1AI score
Exploits0References2
Drupal
Drupal
added 2018/10/10 12:0 a.m.4 views

Lightbox2 - Critical - Cross Site Scripting - SA-CONTRIB-2018-064

The Lightbox2 module enables you to overlay images on the current page. The module did not sanitize some inputs when used in combination with a custom view leading to potential Cross Site Scripting XSS...

5.4AI score
Exploits0References7
Drupal
Drupal
added 2018/05/23 12:0 a.m.4 views

Baidu Analytics - Critical - Unsupported - SA-CONTRIB-2018-029

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466. The security team marks all unsupported modules critical by...

7.2AI score
Exploits0References3
Drupal
Drupal
added 2018/05/09 12:0 a.m.4 views

Scrollable Content - Critical - Unsupported - SA-CONTRIB-2018-026

Scrollable Content provides a scrolling functionality for your content. Scrollable Content will give you a nice content slider preview of your site's nodes, and provides some display options. The security team is marking this module unsupported. There is a known security issue with the module tha...

7.2AI score
Exploits0References3
Drupal
Drupal
added 2010/12/08 12:0 a.m.4 views

SA-CONTRIB-2010-108 - Who Bought What|Ubercart - Multiple Vulnerabilities

The Who Bought What-module collects and displays relevant information about purchases, including purchaser name, quantity, payment status, and all attributes. The module does not properly sanitize arguments passed via the URL when used in SQL queries, leading to a SQL Injection vulnerability...

5.9AI score
Exploits0References8
Drupal
Drupal
added 2009/10/28 9:17 p.m.4 views

SA-CONTRIB-2009-086 - OpenSocial Shindig-Integrator - Cross Site Scripting

The OpenSocial Shindig-Integrator module enables sites to host OpenSocial widgets. The module fails to sanitize user input, making it vulnerable to cross site scripting XSS attacks. This vulnerability is somewhat limited by the fact that an attacker would need an account with the permissions to...

4.7AI score
Exploits0References5
Drupal
Drupal
added 2009/10/14 12:0 a.m.4 views

SA-CONTRIB-2009-071 - Organic Groups Vocabulary Access Bypass

Description The Organic Groups Vocabulary module enables an organic group to have a group specific vocabulary. A vulnerability in this module allows any group member, even if they are not a group admin, to view, edit, and create vocabularies and terms for all groups. Versions affected Organic...

5.5AI score
Exploits0References6
Drupal
Drupal
added 2023/08/23 12:0 a.m.3 views

Flexi Access - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-036

The Flexi Access module will provide a simple and flexible interface to the ACL Access Control List module. It will let you set up and mange ACLs naming individual users that are allowed access to a particular node. The module processes user input in a way that could be unsafe. This can lead to...

5.9AI score
Exploits0References7
Drupal
Drupal
added 2022/01/26 12:0 a.m.3 views

Private Taxonomy Terms - Critical - Access bypass, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2022-014

This module enables users to create 'private' vocabularies. The module doesn't sufficiently check user access permissions when attempting to view, edit, or add terms to vocabularies, including vocabularies not managed by the module. Partial mitigation is available by requiring users have been...

5.6AI score
Exploits0References6
Drupal
Drupal
added 2020/05/13 12:0 a.m.3 views

reCAPTCHA v3 - Critical - Access bypass - SA-CONTRIB-2020-019

The reCaptcha v3 module enables you to protect your forms using the Google reCaptcha V3. If the reCaptcha v3 challenge succeeds, all the other form validations are bypassed. This makes it possible for attackers to submit invalid or incomplete forms. This vulnerability only affects forms that are...

5.6AI score
Exploits0References8
Drupal
Drupal
added 2019/10/09 12:0 a.m.3 views

MaxLength - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-073

This module enables you to set a maximum length allowed on text fields and indicate how many characters are left. The module doesn't sufficiently filter strings leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact the malicious script will not be...

5.5AI score
Exploits0References7
Drupal
Drupal
added 2019/01/23 12:0 a.m.3 views

Panels Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-007

Panels Breadcrumbs allows you to set your breadcrumbs directly from Panels configuration. This module doesn't properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to edit...

5.6AI score
Exploits0References6
Drupal
Drupal
added 2018/07/18 12:0 a.m.3 views

Taxonomy Entity Queue - Critical - SQL Injection - SA-CONTRIB-2018-052

This module enables you to create an entityqueue based on a taxonomy. The module did not properly use Drupal's database API when querying the database with user supplied values, allowing an attacker to send a specially crafted request to modify the query or potentially perform additional queries...

5.7AI score
Exploits0References6
Drupal
Drupal
added 2018/03/21 12:0 a.m.3 views

Exif - Critical - Access bypass - SA-CONTRIB-2018-017

This module enables you to retrieve image metadata and use them in fields or title. The module doesn't sufficiently restrict access to module setting pages thereby causing an access bypass vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to create...

5.7AI score
Exploits0References5
Drupal
Drupal
added 2011/02/02 12:0 a.m.3 views

SA-CONTRIB-2011-004 - Multiple Vulnerabilities In Multiple Contributed Modules

Versions affected and proposed solutions OG Forum for Drupal 6.x OG Forum creates a forum per organic group and restricts viewing forum nodes by group membership. OG Forum does not properly implement access controls on private forums it creates, which can lead to a private group's forums becoming...

5.9AI score
Exploits0References14
Drupal
Drupal
added 2010/07/14 12:0 a.m.3 views

SA-CONTRIB-2010-073 - Multiple Vulnerabilities In Multiple Contributed Modules

Versions affected and proposed solutions Simple Gallery for Drupal 6.x This module creates a simple gallery using taxonomy and CCK imagefields. The module is vulnerable to a Cross Site Scripting XSS attack. This can be exploited by users with the ability to add taxonomy terms or tag content...

5.5AI score
Exploits0References14
Total number of security vulnerabilities1940