Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
•added 2014/12/17 12:0 a.m.•31 views

SA-CONTRIB-2014-126 - Open Atrium - Multiple vulnerabilities

This distribution enables you to create an intranet. Several of the sub modules included do not prevent CSRF on several menu callbacks. Open Atrium Discussion also does not exit correctly after checking access on a several ajax callbacks, allowing anyone with "access content" to update and delete...

8.8CVSS7.2AI score0.01612EPSS
Exploits0References12
Drupal
Drupal
•added 2014/09/24 12:0 a.m.•31 views

SA-CONTRIB-2014-092 - Services - Cross Site Scripting, Access bypass

The Services module enables you to expose an API to third party systems using REST, XML-RPC or other protocols. New user's password set to weak password in userresourcecreate When creating a new user account via Services, the new user's password was set to a weak password. This issue is mitigated...

7.5CVSS5.8AI score0.02331EPSS
Exploits0References13
Drupal
Drupal
•added 2014/04/09 12:0 a.m.•31 views

SA-CONTRIB-2014-037 - BlueMasters - Cross Site Scripting

Bluemasters is a responsive layout theme for Drupal 7. The Bluemasters theme does not properly sanitize theme settings before they are used in the output of a page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". CVE identifie...

3.5CVSS6.3AI score0.00946EPSS
Exploits0References11
Drupal
Drupal
•added 2013/11/06 12:0 a.m.•31 views

SA-CONTRIB-2013-088 - Secure Pages - Missing Encryption of Sensitive Data

The Secure Pages module manages redirects between HTTP and HTTPS pages. A flaw in the URL path matching could lead some pages and forms to be transmitted via plain HTTP, even if the administrator intended those pages to use HTTPS. This flaw may surface either due to a malicious user enticing a us...

4.3CVSS6.2AI score0.00965EPSS
Exploits0References10
Drupal
Drupal
•added 2012/05/16 12:0 a.m.•31 views

SA-CONTRIB-2012-080 - Hostmaster (Aegir) - Access Bypass and Cross Site Scripting (XSS)

Cross Site Scripting CVE: CVE-2012-2708. Hostmaster displays a log from tasks executed in Aegir's backend component, provision. In certain circumstances these log messages were not escaped properly before being displayed to the user. This vulnerability is mitigated by the fact that people wishing...

5.8CVSS6.3AI score0.02428EPSS
Exploits2References11
Drupal
Drupal
•added 2025/04/16 12:0 a.m.•30 views

Panelizer (obsolete) - Critical - Unsupported - SA-CONTRIB-2025-036

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.9CVSS6.9AI score0.00277EPSS
Exploits0References2
Drupal
Drupal
•added 2024/05/22 12:0 a.m.•31 views

Email Contact - Moderately critical - Access bypass - SA-CONTRIB-2024-020

The Email Contact module provides email field display formatters that can display the field as a link to the contact form, or as an inline contact form. The module does not sufficiently handle restricted entity or field access to the mail sending form, when the "Email contact link" formatter is...

7.5CVSS7AI score0.00397EPSS
Exploits0References9
Drupal
Drupal
•added 2020/06/10 12:0 a.m.•30 views

Open ReadSpeaker - Moderately critical - Cross site scripting - SA-CONTRIB-2020-024

This module enables you to add a configured ReadSpeaker button for text-to-speech for your site visitors. The module doesn't sufficiently sanitize block configuration causing a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role wi...

5.8AI score
Exploits0References6
Drupal
Drupal
•added 2019/12/18 12:0 a.m.•30 views

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2019-010

Drupal 8 core's filesaveupload function does not strip the leading and trailing dot '.' from filenames, like Drupal 7 did. Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to...

6.9AI score
Exploits0References19
Drupal
Drupal
•added 2018/07/11 12:0 a.m.•30 views

EU Cookie Compliance (GDPR Compliance) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-047

This module addresses the General Data Protection Regulation GDPR that came into effect 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user to store cookies on their computer and handle their...

6.6AI score
Exploits0References7
Drupal
Drupal
•added 2016/06/15 12:0 a.m.•30 views

Views - Less Critical - Access Bypass - SA-CONTRIB-2016-036

An access bypass vulnerability exists in the Views module, where users without the "View content count" permission can see the number of hits collected by the Statistics module for results in the view. This issue is mitigated by the fact that the view must be configured to show a "Content...

5.3CVSS5.3AI score0.02212EPSS
Exploits0References18
Drupal
Drupal
•added 2015/09/16 12:0 a.m.•30 views

Drupal 7 driver for SQL Server and SQL Azure - Moderately Critical - SQL Injection - SA-CONTRIB-2015-148

Drupal 7 driver for SQL Server and SQL Azure module has a SQL injection vulnerability. Certain characters aren't properly escaped by the Drupal database API. A malicious user may be able to access restricted information by performing a specially-crafted search. Only sites that use contrib or cust...

7.5CVSS7AI score0.02482EPSS
Exploits0References11
Drupal
Drupal
•added 2014/08/13 12:0 a.m.•30 views

SA-CONTRIB-2014-077 - TableField - Cross Site Scripting (XSS)

This module enables you to create a field attached to a entity which stores tabular data. The module doesn't sufficiently sanitize the field help text when presented to a privileged user. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...

3.5CVSS6.3AI score0.00946EPSS
Exploits0References9
Drupal
Drupal
•added 2014/03/05 12:0 a.m.•30 views

SA-CONTRIB-2014-027 - NewsFlash Theme - XSS

Newsflash is a theme that features 7 color styles, 12 collapsible regions, suckerfish menus, fluid or fixed widths, built-in IE transparent PNG fix, and lots more. The theme does not sanitize the user provided theme setting for the font family CSS property, thereby exposing a cross-site scripting...

3.5CVSS5.6AI score0.01046EPSS
Exploits0References10
Drupal
Drupal
•added 2013/07/10 12:0 a.m.•30 views

SA-CONTRIB-2013-056 - Stage File Proxy - Denial of Service

This module saves time and disk space by sending requests to your development environment's files directory to the production environment and making a copy of the production file in your development site. An attacker could make repeated requests to the server, even over a long period, which would...

5CVSS6.3AI score0.01553EPSS
Exploits0References9
Drupal
Drupal
•added 2013/06/19 12:0 a.m.•30 views

SA-CONTRIB-2013-053 - Login Security - Multiple Vulnerabilities

Login Security module adds additional access controls to the login form of Drupal. When Login Security is configured to use the delay feature, frequent or concurrent failed attempts to login can consume all the web serving processes, causing a denial of service. It is possible to bypass Login...

9.8CVSS9.4AI score0.01727EPSS
Exploits0References10
Drupal
Drupal
•added 2013/01/23 12:0 a.m.•30 views

SA-CONTRIB-2013-006 - Video - Arbitrary Code Execution

The video module enables you to upload video and audio files and transcode them into other formats and sizes using other tools like FFmpeg or Zencoder. The module saves information about the FFmpeg executable in a temporary PHP file, but doesn't check if the file has been tampered with when readi...

4.4CVSS6.3AI score0.00303EPSS
Exploits0References9
Drupal
Drupal
•added 2012/06/06 12:0 a.m.•30 views

SA-CONTRIB-2012-096 - Authoring HTML - Cross Site Scripting (XSS)

This module creates an input format suitable for use within a WYSIWYG editor. It adds support for the iframe HTML tag, making it friendly with the popular iframe embeds available in popular video sites like YouTube and Vimeo. It supports the script tag too. Both tags will only be allowed if the...

3.5CVSS6.1AI score0.0168EPSS
Exploits1References10
Drupal
Drupal
•added 2012/05/09 12:0 a.m.•30 views

SA-CONTRIB-2012-073 - Glossary - Cross-Site Scripting (XSS)

CVE: CVE-2012-2339 The glossary module scans posts for glossary terms, adding an indicator. By hovering over the indicator, users may learn the definition of that term. The module does not sufficiently sanitize the taxonomy information. This leaves sites vulnerable to Cross-Site Scripting attacks...

4.3CVSS5.8AI score0.01647EPSS
Exploits0References11
Drupal
Drupal
•added 2025/05/28 12:0 a.m.•29 views

COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-076

The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent. Each sub-module allows to include a specific third party service in the consent management, by controlling the execution of javascript. However, thi...

8.6CVSS6.7AI score0.00278EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/21 12:0 a.m.•29 views

Lightgallery - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-069

This module integrates Drupal with LightGallery, enabling the use of the LightGallery library with any image field or view. The module does not adequately sanitize user input in the image field’s "alt" attribute, potentially allowing cross-site scripting XSS attacks when tags or scripts are...

7.1CVSS5.7AI score0.00278EPSS
Exploits0References2
Drupal
Drupal
•added 2025/03/19 12:0 a.m.•29 views

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004

Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability XSS. This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit acce...

5.4CVSS6.6AI score0.00456EPSS
Exploits0References5
Drupal
Drupal
•added 2024/11/20 12:0 a.m.•29 views

Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063

This module integrates webforms with eloqua, an automated marketing and demand generation software built to improve the quality and quantity of customers' sales leads and streamline their sales processes. In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's...

6.6CVSS7.8AI score0.00399EPSS
Exploits0References5
Drupal
Drupal
•added 2024/11/20 12:0 a.m.•30 views

Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008

Drupal core contains a potential PHP Object Injection vulnerability that if combined with another exploit could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to...

9.8CVSS7.3AI score0.00956EPSS
Exploits0References14
Drupal
Drupal
•added 2024/06/05 12:0 a.m.•29 views

Acquia DAM - Moderately critical - Cross Site Request Forgery, Denial of Service - SA-CONTRIB-2024-025

Acquia DAM provides a connection to a third-party asset management system, allowing for images to be managed, linked to, and viewed from Drupal. In order for assets to be managed in Drupal, a site administrator must first authenticate the site to their DAM instance. The module doesn't sufficientl...

3.5CVSS6.8AI score0.00143EPSS
Exploits0References6
Drupal
Drupal
•added 2022/09/07 12:0 a.m.•29 views

Next.js - Moderately critical - Access bypass - SA-CONTRIB-2022-054

The Next.js module provides an inline preview for content. Authenticated requests are made to Drupal to fetch JSON:API content and render them in an iframe from the decoupled Next.js site. The current implementation doesn’t sufficiently check access for fetching data. All requests made to Drupal...

6.4AI score
Exploits0References7
Drupal
Drupal
•added 2021/12/08 12:0 a.m.•29 views

Webform - Critical - Cross Site Scripting, Access Bypass - SA-CONTRIB-2021-045

Access Bypass: This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently check access for administrative features for webforms attached to nodes using the Webform Node module. This may reveal submitted data or allow an attacker to modify submitted data...

6.6AI score
Exploits0References11
Drupal
Drupal
•added 2015/09/16 12:0 a.m.•29 views

Scald - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-151

This module enables you to easily manage your media assets and re-use them in all your content. The module provided a "debug" context that gave access to all the atom properties, including all the fields attached to this atom, without applying the corresponding field restrictions. This...

5CVSS6.3AI score0.01196EPSS
Exploits0References10
Drupal
Drupal
•added 2015/08/05 12:0 a.m.•29 views

Commerce Commonwealth (CBA) - Moderately Critical - Insufficient Verification of API Data - SA-CONTRIB-2015-136

This module enables you to pay for items on Drupal Commerce, using Commerce Commonwealth payment gateway. The module doesn't sufficiently validate the payment under certain specific scenarios. A malicious user can modify the urls used in gateway interaction with Commbank to make a failed payment...

5CVSS6.3AI score0.01054EPSS
Exploits0References10
Drupal
Drupal
•added 2015/03/18 12:0 a.m.•29 views

SA-CONTRIB-2015-079 - Chaos tool suite (ctools) - Multiple vulnerabilities

This module provides a set of APIs and tools to improve the developer experience. Access bypass in autocomplete Drupal 7 only Among other many other things, CTools provides an autocomplete callback for finding entities by their titles or ID. In CTools version 1.5, additional checks were created t...

5.8CVSS6.2AI score0.01331EPSS
Exploits0References11
Drupal
Drupal
•added 2015/01/14 12:0 a.m.•29 views

SA-CONTRIB-2015-014 - Wishlist - Multiple vulnerabilities

The Wishlist module enables authorized users to create wishlist nodes which describe items they would like for a special occasion. Also, it allows users to indicate their intention to purchase items for other users. The module fails to sanitize user input in log messages, leading to a Cross Site...

6.8CVSS5.5AI score0.00656EPSS
Exploits0References11
Drupal
Drupal
•added 2014/09/10 12:0 a.m.•29 views

SA-CONTRIB-2014-085 - Ubercart - Information disclosure

The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal. The per-user order history view is not properly protected. This vulnerability is mitigated by the fact that an attacker must have an account with the "view own orders" permission and can only view order ID...

4CVSS6.4AI score0.00937EPSS
Exploits0References10
Drupal
Drupal
•added 2013/05/29 12:0 a.m.•29 views

SA-CONTRIB-2013-049 - Node access user reference - Access Bypass

This module allows different access permissions to be given to authors, referenced users and non-referenced users. When an author has created content containing a user reference field with author update/delete grants enabled and the author's user account is later deleted, content created by them...

5.8CVSS6.3AI score0.01309EPSS
Exploits1References12
Drupal
Drupal
•added 2013/05/01 12:0 a.m.•29 views

SA-CONTRIB-2013-046 - Filebrowser - Reflected Cross Site Scripting (XSS)

Filebrowser module allows site administrators to expose a particular file system folder and all of its subfolders with an FTP-like interface to site visitors. The module doesn't sufficiently sanitize user input when presenting lists of files. Because the vulnerability is Reflected Cross Site...

4.3CVSS6.1AI score0.01161EPSS
Exploits0References9
Drupal
Drupal
•added 2013/01/30 12:0 a.m.•29 views

SA-CONTRIB-2013-012 - Google Authenticator login - Access Bypass

This module will allow you to add Time-based One-time Password Algorithm also called "Two Step Authentication" or "Multi-Factor Authentication" support to user logins. Users with the permission to use multi-factor authentication need to associate a Google Authenticator token with their acount...

6.8CVSS6.3AI score0.01394EPSS
Exploits0References10
Drupal
Drupal
•added 2012/06/06 12:0 a.m.•29 views

SA-CONTRIB-2012-094 - Maestro module - Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS)

The Maestro module is a workflow engine/solution that facilitates simple and complex business process automation. The module doesn't sufficiently filter user-supplied data in its admin screens leading to a Cross Site Scripting XSS vulnerability. A Cross Site Request Forgery vulnerability in the...

5.1CVSS5.8AI score0.02117EPSS
Exploits2References12
Drupal
Drupal
•added 2012/04/25 12:0 a.m.•29 views

SA-CONTRIB-2012-064 - Ubercart - Multiple vulnerabilities

The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal. Parts of Ubercart were vulnerable to a Failure to encrypt data, Cross Site Scripting, and an Arbitrary PHP Execution vulnerability. Failure to encrypt data: Exploitable from local CVE: CVE-2012-2299...

6CVSS5.7AI score0.01284EPSS
Exploits2References13
Drupal
Drupal
•added 2012/01/25 12:0 a.m.•29 views

SA-CONTRIB-2012-014 - Drupal Commerce - Cross Site Scripting (XSS)

CVE: CVE-2012-1639 Drupal Commerce is a flexible eCommerce framework built on Drupal 7 that lets you construct any type of eCommerce website. Part of its flexibility lies in its ability to render product fields into node displays through the product reference field used to build dynamic Add to Ca...

3.5CVSS6.3AI score0.0107EPSS
Exploits0References9
Drupal
Drupal
•added 2012/01/11 12:0 a.m.•29 views

SA-CONTRIB-2012-006 XSS and CSRF in Multiple Modules - Supercron, Taxotouch, Admin:hover, Taxonomy Navigator no longer supported

CVE: CVE-2012-1628 SuperCron is a complete replacement for Drupal's built-in Cron functionality. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with "access administration pages" permission. CVE: CVE-2012-1629 Taxotouch...

6.8CVSS6.4AI score0.00941EPSS
Exploits0References13
Drupal
Drupal
•added 2010/09/29 12:0 a.m.•29 views

SA-CONTRIB-2010-098 - Memcache - Multiple vulnerabilities

The Memcache project provides an alternative cache backend which works with memcached program to speed up high traffic sites. The memcache backend caches the current $user object a little too aggressively, which can lead to a role change not being recognized until the user logs in again. The...

4.3CVSS5.1AI score0.01161EPSS
Exploits0References10
Drupal
Drupal
•added 2025/05/07 12:0 a.m.•28 views

Restrict route by IP - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-047

The Restrict route by IP module provides an interface to manage route restriction by IP address. The module doesn't sufficiently protect certain routes from CSRF attacks. This vulnerability is mitigated by the fact that you need to know the route machine name...

8.8CVSS6.7AI score0.00171EPSS
Exploits0References2
Drupal
Drupal
•added 2025/04/23 12:0 a.m.•28 views

Sportsleague - Critical - Unsupported - SA-CONTRIB-2025-045

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

7.3CVSS6.9AI score0.00243EPSS
Exploits0References2
Drupal
Drupal
•added 2023/08/23 12:0 a.m.•28 views

Forum Access - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-035

This module changes your forum administration page to allow you to set forums private. You can control what user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access on that forum AKA moderators. This module requires the...

7.2AI score
Exploits0References8
Drupal
Drupal
•added 2022/01/05 12:0 a.m.•28 views

Simple OAuth (OAuth2) & OpenID Connect - Moderately critical - Access bypass - SA-CONTRIB-2022-002

This module enables you to implement OAuth 2.0 authentication for Drupal. The module doesn't sufficiently verify client secret keys for "confidential" OAuth 2.0 clients when using certain grant types. The token refresh and client credentials grants are not affected. This vulnerability is mitigate...

6.2AI score
Exploits0References10
Drupal
Drupal
•added 2021/05/26 12:0 a.m.•28 views

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-003

Update: 2021-06-11: Added CVE-2021-33829 identifier Drupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack. CKEditor 4.16.1 and later include the fix. Update: 2021-06-11: More details are available on CKEditor's blog. Users of...

6.1CVSS1AI score0.03189EPSS
Exploits0References12
Drupal
Drupal
•added 2015/12/02 12:0 a.m.•28 views

Chat Room - Moderately Critical - Access Bypass - SA-CONTRIB-2015-169

Chat Room enables site owners to integrate chats into nodes by adding the chat room field to them. The module relies on a websocket connection to send chat messages to the client. The module doesn't sufficiently validate access before setting up the websocket. As a result, users may receive...

5CVSS6.3AI score0.01233EPSS
Exploits0References10
Drupal
Drupal
•added 2015/06/17 12:0 a.m.•28 views

Inline Entity Form - Less critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-120

The Inline Entity Form module provides a field widget for inline management creation, modification, removal of referenced entities. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that ...

4.3CVSS6AI score0.01805EPSS
Exploits0References9
Drupal
Drupal
•added 2014/11/19 12:0 a.m.•28 views

SA-CONTRIB-2014-111 - Protected Pages - Password Protection Bypass

Protected Pages modules allows the administrator to secure any page in your website by password by configuring a add path and the associated password. The module did not sufficiently protect variations on the protected path. CVE identifiers issued CVE-2014-9024 Versions affected Protected Pages...

7.5CVSS6.5AI score0.01319EPSS
Exploits0References12
Drupal
Drupal
•added 2014/10/29 12:0 a.m.•28 views

SA-CONTRIB-2014-105 - OG Menu - Access Bypass

OG Menu allows using menus within Organic Groups. The permissions for accessing the module settings were to broad, possibly granting access to users who would normally not be able to change the OG Menu configuration. This vulnerability is mitigated by the fact that an attacker must have a role wi...

3.5CVSS6.4AI score0.00951EPSS
Exploits0References9
Drupal
Drupal
•added 2014/08/20 12:0 a.m.•28 views

SA-CONTRIB-2014-080 - Social Stats - Cross Site Scripting (XSS)

The Social Stats module enables you to collect statistics from various social networks and use that data with the Views module as field data, sort criteria, or filter criteria. The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting in a persisten...

2.1CVSS5.9AI score0.00941EPSS
Exploits0References11
Total number of security vulnerabilities1940