Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2014/07/30 12:0 a.m.28 views

SA-CONTRIB-2014-073- Date - Cross Site Scripting (XSS)

Date module provides flexible date/time field type Date field and a Date API that other modules can use. The module incorrectly prints date field titles without proper sanitization thereby opening a Cross Site Scripting XSS vulnerability. The vulnerability is mitigated by the fact that an attacke...

3.5CVSS5.4AI score0.01417EPSS
Exploits0References9
Drupal
Drupal
added 2014/07/09 12:0 a.m.28 views

SA-CONTRIB-2014-069 - Logintoboggan - Access Bypass and Cross Site Scripting (XSS)

This module enables you to customise the standard Drupal registration and login processes. Cross Site Scripting The module doesn't filter user-supplied information from the URL resulting in a reflected Cross Site Scripting XSS vulnerability. Access Bypass The module introduces a concept of a...

4.3CVSS5.2AI score0.01066EPSS
Exploits0References13
Drupal
Drupal
added 2014/06/18 12:0 a.m.28 views

SA-CONTRIB-2014-061 - VideoWhisper Webcam Plugins - Cross Site Scripting (XSS) - Unsupported

Includes multiple modules for video communications including room listing, pay per view access control. The module doesn't sufficiently filter user supplied text from the url reflected cross site scripting. No special permissions are required to exploit this issue. There are no mitigating factors...

4.3CVSS6.5AI score0.01158EPSS
Exploits1References10
Drupal
Drupal
added 2012/07/11 12:0 a.m.28 views

SA-CONTRIB-2012-108 - Drag & Drop Gallery - Arbitrary PHP code execution

Important note: Most of the vulnerabilities discussed below can be exploited when the Drag & Drop Gallery module is disabled on a Drupal site. See Solution below for details. The Drag & Drop Gallery creates a gallery node type that allows you add images to the gallery by dragging and dropping...

7.5CVSS7.1AI score0.01448EPSS
Exploits1References7
Drupal
Drupal
added 2012/02/29 12:0 a.m.28 views

SA-CONTRIB-2012-029 - Taxonomy Views Integrator - Cross Site Scripting (XSS)

CVE: CVE-2012-1653 The Taxonomy Views Integrator allows selective overriding of taxonomy terms and/or vocabulary with the view of your choice. Using TVI you can easily create custom views to output all terms in X vocabulary. The module doesn't sufficiently filter user supplied text on views pages...

3.5CVSS6.3AI score0.0107EPSS
Exploits0References11
Drupal
Drupal
added 2012/02/01 12:0 a.m.28 views

SA-CONTRIB-2012-016 - Forward module CSRF and Access bypass

The Forward module enables you to add a "forward this page" link to each node. The link takes regular site visitors to a form where they can generate an email to a friend. The module exhibits multiple vulnerabilities as described below. The module includes "Recent forwards" and "Most forwarded"...

6CVSS6.4AI score0.01496EPSS
Exploits0References10
Drupal
Drupal
added 2006/05/24 12:0 a.m.28 views

SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache configurations

Certain -- alas, typical -- configurations of Apache allows execution of carefully named arbitrary scripts in the files directory. Drupal now will attempt to automatically create a .htaccess file in your "files" directory to protect you. This line references SA2006006 to lead Apache administrator...

7.2AI score
Exploits0References3
Drupal
Drupal
added 2025/04/02 12:0 a.m.27 views

TacJS - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-027

This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied markup inside of content leading to a persistent Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker needs...

4.8CVSS6AI score0.0033EPSS
Exploits0References1
Drupal
Drupal
added 2025/04/02 12:0 a.m.27 views

Obfuscate - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-029

This module enables you to obfuscate email addresses, to avoid them being easily available to spammers. The module doesn't sufficiently sanitise input when ROT13 encoding is used. This vulnerability is mitigated by the fact that an attacker must have a role with the ability to enter specific HTML...

5.4CVSS6.7AI score0.00217EPSS
Exploits0References2
Drupal
Drupal
added 2024/10/16 12:0 a.m.27 views

Drupal core - Moderately critical - Improper error handling - SA-CORE-2024-002

Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site. The issue is mitigated by the fact that several non-defau...

5.9CVSS6.3AI score0.00375EPSS
Exploits0References13
Drupal
Drupal
added 2021/09/22 12:0 a.m.27 views

Search API attachments - Critical - Arbitrary PHP code execution - SA-CONTRIB-2021-034

This module enables you to extract the textual content of files for use on a website, e.g. to display it or use it in search indexes. The module doesn't sufficiently protect the administrator-defined commands that are executed on the server, which leads to post-authentication remote code executio...

7.6AI score
Exploits0References7
Drupal
Drupal
added 2020/09/16 12:0 a.m.27 views

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007

The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting...

6.1CVSS1.1AI score0.02925EPSS
Exploits0References8
Drupal
Drupal
added 2019/03/06 12:0 a.m.27 views

EU Cookie Compliance (GDPR Compliance) - Critical - Cross site scripting - SA-CONTRIB-2019-033

This module addresses the General Data Protection Regulation GDPR that came into effect 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user when the website stores cookies on their computer or...

6.2AI score
Exploits0References9
Drupal
Drupal
added 2016/03/02 12:0 a.m.27 views

Prepopulate - Moderately Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-009

The Prepopulate module allows form fields to be pre-populated in the request. The Prepopulate module does not adequately prevent a user from overwriting arbitrary parts of $REQUEST. It also does not prevent pre-populating certain fields that are not displayed or manipulating markup fields to alte...

7.5CVSS7.1AI score0.01862EPSS
Exploits0References10
Drupal
Drupal
added 2015/10/21 12:0 a.m.27 views

jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-158

The jQuery Update module enables you to update jQuery on your site. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack see SA-CORE-2015-004. Only sites with the Overlay module enabled are vulnerable. An incomplete fix for...

6.1CVSS6.1AI score0.01774EPSS
Exploits0References13
Drupal
Drupal
added 2015/07/15 12:0 a.m.27 views

Path Breadcrumbs - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-133

This module enables you to configure breadcrumbs for any Drupal page. The module didn't sufficiently filter user input values the in administration interface. This vulnerability was mitigated by the fact that an attacker must have a role with the permission "Administer Path Breadcrumbs". CVE...

2.1CVSS6.3AI score0.00744EPSS
Exploits0References10
Drupal
Drupal
added 2015/06/24 12:0 a.m.27 views

Shibboleth authentication - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-129

Shibboleth authentication module allows users to log in and get permissions based on federated SAML2 authentication. The module didn't filter the text that is displayed as a login link. This vulnerability was mitigated by the fact that an attacker must have a role with the permission Administer...

2.1CVSS6.5AI score0.00996EPSS
Exploits0References10
Drupal
Drupal
added 2015/05/06 12:0 a.m.27 views

Mobile sliding menu - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-108

The mobile sliding menu module integrates the mmenu jQuery plugin for creating slick, app look-alike sliding menus for your mobile website. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fa...

2.1CVSS6AI score0.00949EPSS
Exploits0References11
Drupal
Drupal
added 2015/04/15 12:0 a.m.27 views

Display Suite - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-095

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. In certain situations, Display Suite does not properly sanitize some of the output, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS...

3.5CVSS5.7AI score0.00965EPSS
Exploits0References11
Drupal
Drupal
added 2015/02/11 12:0 a.m.27 views

SA-CONTRIB-2015-040 - Webform prepopulate block - Cross Site Scripting (XSS)

Webform prepopulate block module enables you to set a webform component to display in a separated block. The module doesn't sufficiently sanitize user supplied text when displaying the block, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that a...

3.5CVSS6AI score0.00936EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/21 12:0 a.m.27 views

SA-CONTRIB-2015-025 - Patterns - Cross Site Request Forgery (CSRF)

Patterns module manages and automates site configuration. Site configurations stored in XML or YAML are called Patterns, and these are easy to read, modify, manage & share and can be executed manually or as a part of an automated web site deployment. Some links were not protected against CSRF. A...

6.8CVSS6.1AI score0.00656EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/07 12:0 a.m.27 views

SA-CONTRIB-2015-003 - PHPlist Integration Module - SQL Injection

The PHPlist Integration module provides an integration between a Drupal website and phpList newsletter manager. The module provides two main features: user sync and sending a node as a newsletter. The module introduces a SQL Injection vulnerability to the phpList database. The Drupal database is...

6.5CVSS7.4AI score0.00891EPSS
Exploits0References10
Drupal
Drupal
added 2014/11/19 12:0 a.m.27 views

SA-CONTRIB-2014-112 - Node Field - Cross Site Scripting (XSS)

Node Field module allows you to add custom extra fields to single Drupal nodes. The module doesn't sufficiently sanitize user input for some of the module's internal fields. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create nodes. CVE...

3.5CVSS6.3AI score0.00954EPSS
Exploits0References13
Drupal
Drupal
added 2014/08/13 12:0 a.m.27 views

SA-CONTRIB-2014-078 - Notify - Access bypass

The notify module allows users to subscribe to periodic emails which include all new or revised content and/or comments of specific content types, much like the daily newsletters sent by some websites. The Notify module does not sufficiently check whether the user has access to recently added or...

4CVSS6.3AI score0.00937EPSS
Exploits0References10
Drupal
Drupal
added 2013/08/07 12:0 a.m.27 views

SA-CONTRIB-2013-062 - RESTful Web Services (RESTWS) - Access Bypass

This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module doesn't sufficiently check for field level access when preforming entity write operations on POST and PUT requests. It also do...

8.8CVSS8.8AI score0.02054EPSS
Exploits0References9
Drupal
Drupal
added 2013/07/10 12:0 a.m.27 views

SA-CONTRIB-2013-055 - Hatch - Cross Site Scripting

Hatch theme is a simple and minimal portfolio theme for photographers, illustrators, designers, or photobloggers. The theme didn't sufficiently escape user supplied text prior to printing them. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...

2.1CVSS6.4AI score0.00931EPSS
Exploits0References9
Drupal
Drupal
added 2013/03/27 12:0 a.m.27 views

SA-CONTRIB-2013-037 - Rules - Cross Site Scripting (XSS)

The Rules module allows site administrators to define conditionally executed actions based on occurring events known as reactive or ECA rules. It's a replacement with more features for the trigger module in core. The module contains a persistent cross site scripting XSS vulnerability due to the...

4.3CVSS5.4AI score0.01148EPSS
Exploits0References9
Drupal
Drupal
added 2013/02/27 12:0 a.m.27 views

SA-CONTRIB-2013-030 - Clean Theme - Cross Site Scripting (XSS)

This third-party contributed theme change Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.6AI score0.00941EPSS
Exploits0References10
Drupal
Drupal
added 2013/02/20 12:0 a.m.27 views

SA-CONTRIB-2013-020 - Ubercart - Cross site scripting (XSS)

The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal. The "full name" field in Views did not properly sanitize output. The vulnerability is mitigated by the fact that an attacker must get far enough in the checkout process to store their name with an order. C...

4.3CVSS6.3AI score0.01161EPSS
Exploits0References10
Drupal
Drupal
added 2013/01/30 12:0 a.m.27 views

SA-CONTRIB-2013-011 - email2image - Access Bypass - Unsupported

This module creates images of user email addresses and email fields. The module doesn't sufficiently check node access restrictions when displaying such fields. This vulnerability is mitigated by the fact that it only impacts sites using node access. CVE identifiers issued CVE-2013-0257 Versions...

5CVSS6.5AI score0.01173EPSS
Exploits0References8
Drupal
Drupal
added 2012/10/03 12:0 a.m.27 views

SA-CONTRIB-2012-149 - Hostip - Cross Site Scripting (XSS)

Hostip enables you to query the http://www.hostip.info/ API to get the country / state information based on the user's IP address or a specific IP passed to it. The module fails to sanitize data retrieved from an untrusted third party source, thereby exposing an arbitrary script injection...

4.3CVSS6.4AI score0.01161EPSS
Exploits0References9
Drupal
Drupal
added 2012/04/11 12:0 a.m.27 views

SA-CONTRIB-2012-058 - Fivestar - Input Validation

CVE: CVE-2012-2096 The Fivestar module enables you to add a voting widget to nodes and comments. The module does not sufficiently validate all votes passed by the asynchronous voting widget allowing a malicious user to improperly modify voting averages. Versions affected Fivestar 6.x-1.x versions...

5CVSS6.4AI score0.0184EPSS
Exploits1References11
Drupal
Drupal
added 2012/03/28 12:0 a.m.27 views

SA-CONTRIB-2012-047 - Ubercart Views - Information disclosure

CVE: CVE-2012-2074 Ubercart Views provides Views integration for the Ubercart shopping cart module, and includes default views that contain a critical information disclosure bug. In some versions, these views are disabled by default, but still disclose information if you enable them. Versions...

5CVSS6.1AI score0.01563EPSS
Exploits0References10
Drupal
Drupal
added 2012/03/14 12:0 a.m.27 views

SA-CONTRIB-2012-036 - Multiple Modules Unsupported

CVE: CVE-2012-2056 Content Lock Is a module that prevents users from concurrent editing of nodes. This module does not use a token for unlocking a content lock. This leads to a CSRF attack vector. CVE: CVE-2012-2057 Ubercart Bulk Stock Updater is an extension module for Ubercart 2.x running on...

6.8CVSS6.2AI score0.01759EPSS
Exploits0References18
Drupal
Drupal
added 2012/02/29 12:0 a.m.27 views

SA-CONTRIB-2012-025 - Cool aid; Editable help messages - Multiple vulnerabilities

Cool aid is a Drupal module that allows users to add custom help messages to Drupal pages. The module did not properly clean user input before displaying it, and did not properly check for access permissions, allowing users with "administer coolaid" to inject scripts anywhere on a site. The XSS...

4.9CVSS5.4AI score0.01207EPSS
Exploits0References10
Drupal
Drupal
added 2012/02/29 12:0 a.m.27 views

SA-CONTRIB-2012-027 - Submenu Tree -Cross Site Scripting

CVE: CVE-2012-1651 The Submenu Tree module allows sufficiently privileged users to show a list of menu entries when displaying a node. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. The vulnerability is...

3.5CVSS5.5AI score0.01046EPSS
Exploits0References11
Drupal
Drupal
added 2025/05/21 12:0 a.m.26 views

Admin Audit Trail - Less critical - Denial of Service - SA-CONTRIB-2025-068

The Admin Audit Trail module tracks logs of specific events that you'd like to review. When the submodule Admin Audit Trail: User Authentication is enabled, it logs user authentication events login, logout, and password reset requests. The module does not sufficiently limit some large values befo...

6.5CVSS7.2AI score0.00267EPSS
Exploits0References2
Drupal
Drupal
added 2025/04/09 12:0 a.m.26 views

Panels - Critical - Access bypass - SA-CONTRIB-2025-033

Panels enables administrators to add page variants within page manager, panelizer, etc to create custom pages. The module doesn't sufficiently protect sensitive routes, allowing an attacker to view and modify blocks within variants without requiring appropriate permission. This vulnerability is...

6.5CVSS6.7AI score0.00361EPSS
Exploits0References2
Drupal
Drupal
added 2024/08/28 12:0 a.m.26 views

Advanced Varnish - Moderately critical - Access bypass - SA-CONTRIB-2024-033

This module enables you to cache pages for logged in users at the Varnish level. The Varnish bin names may be guessable when no hashing noise configuration is set on the module configuration page, which would ultimately allow any user to view cached pages that were intended for other roles when...

5.3CVSS6.9AI score0.00359EPSS
Exploits0References5
Drupal
Drupal
added 2023/11/15 12:0 a.m.26 views

Mollie for Drupal - Moderately critical - Faulty payment confirmation logic - SA-CONTRIB-2023-052

This module enables you to pay online via Mollie. The module might not properly load the correct order to update the payment status when Mollie redirects to the redirect URL. This can allow an attacker to apply other people's orders to their own, getting credit without paying. This vulnerability ...

7.1AI score
Exploits0References7
Drupal
Drupal
added 2022/05/04 12:0 a.m.26 views

Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038

The module adds a "Clone" tab to a node. When clicked, a new node is created and fields from the previous node are populated into the new fields. This module supports paragraphs, groups, and other referenced entities. The module has a vulnerability which allows attackers to bypass the protection ...

6.6AI score
Exploits0References6
Drupal
Drupal
added 2019/12/18 12:0 a.m.26 views

Drupal core - Moderately critical - Denial of Service - SA-CORE-2019-009

A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt...

6.7AI score
Exploits0References14
Drupal
Drupal
added 2015/11/11 12:0 a.m.26 views

UC Profile - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-165

UC Profile module enables you to collect profile fields for users during the checkout process of Ubercart as a checkout pane. The module doesn't sufficiently check access to profiles under certain circumstances. Depending on the information being collected, sensitive data may be exposed. This...

4.3CVSS6.1AI score0.01087EPSS
Exploits0References11
Drupal
Drupal
added 2015/10/07 12:0 a.m.26 views

Entity Registration - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-155

This module enables you to manage registrations for events. The module doesn't sufficiently protect information about who is registered to attend specific events when anonymous users are granted a permission that is commonly recommended when allowing anonymous registrations. This vulnerability is...

4.3CVSS4.5AI score0.01392EPSS
Exploits0References11
Drupal
Drupal
added 2015/09/01 12:0 a.m.26 views

Spotlight - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2015-142

The Spotlight module provides a tool that mimics Mac OS X Spotlight functionality. It provides faster access to content, paths and uploaded files. The module doesn't sufficiently sanitize node titles when displayed in results. This vulnerability is mitigated by the fact that an attacker must have...

3.5CVSS6.3AI score0.00774EPSS
Exploits0References9
Drupal
Drupal
added 2015/08/19 12:0 a.m.26 views

Workbench Email - Moderately Critical - Access bypass - DRUPAL-SA-CONTRIB-2015-139

Workbench Email module provides a way for administrators to define email transitions and configurable email subject / messages between those transitions. The module causes node and field validations to be skipped when saving nodes. The vulnerability is mitigated by the fact that an attacker must...

3.5CVSS6.4AI score0.00914EPSS
Exploits0References10
Drupal
Drupal
added 2015/05/27 12:0 a.m.26 views

Chamilo integration - Less Critical - Open Redirect - SA-CONTRIB-2015-115

Chamilo integration module integrates Drupal with Chamilo LMS. The module has an Open Redirect vulnerability, it doesn't sufficiently check passed parameters in the URL. An attacker could trick users to visit malicious sites without realizing it. CVE identifiers issued CVE-2015-5503 Versions...

5.8CVSS6.1AI score0.01204EPSS
Exploits0References10
Drupal
Drupal
added 2015/03/04 12:0 a.m.26 views

SA-CONTRIB-2015-066 - Tracking Code - Cross Site Request Forgery (CSRF)

Tracking Code module allows you to create tracking code snippets and control their visibility. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to disable tracking codes by getting their browser to make a request to a specially-crafted UR...

6.8CVSS6.7AI score0.01055EPSS
Exploits0References10
Drupal
Drupal
added 2015/01/21 12:0 a.m.26 views

SA-CONTRIB-2015-028 - Shibboleth Authentication - Cross Site Request Forgery (CSRF)

Shibboleth Authentication module allows users to log in and get permissions based on federated SAML2 authentication. The roles that are assigned to users are based on a matching list. A malicious attacker can delete matching rules from the list by getting the administrator's browser to make a...

5.8CVSS6.5AI score0.00656EPSS
Exploits0References10
Drupal
Drupal
added 2015/01/07 12:0 a.m.26 views

SA-CONTRIB-2015-004 - Context - Open Redirect

Context allows you to manage contextual conditions and reactions for different portions of your site. Context UI module wasn't checking for external URLs in the HTTP GET destination parameter when redirecting users that are activating/deactivating the Context UI inline editor dialog, thereby...

5.8CVSS6.1AI score0.0219EPSS
Exploits0References11
Total number of security vulnerabilities1940