SA-CONTRIB-2012-108 - Drag & Drop Gallery - Arbitrary PHP code execution
Important note: Most of the vulnerabilities discussed below can be exploited when the Drag & Drop Gallery module is disabled on a Drupal site. See Solution below for details. The Drag & Drop Gallery creates a gallery node type that allows you add images to the gallery by dragging and dropping...
SA-CONTRIB-2012-064 - Ubercart - Multiple vulnerabilities
The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal. Parts of Ubercart were vulnerable to a Failure to encrypt data, Cross Site Scripting, and an Arbitrary PHP Execution vulnerability. Failure to encrypt data: Exploitable from local CVE: CVE-2012-2299...
SA-CONTRIB-2012-058 - Fivestar - Input Validation
CVE: CVE-2012-2096 The Fivestar module enables you to add a voting widget to nodes and comments. The module does not sufficiently validate all votes passed by the asynchronous voting widget allowing a malicious user to improperly modify voting averages. Versions affected Fivestar 6.x-1.x versions...
SA-CONTRIB-2012-016 - Forward module CSRF and Access bypass
The Forward module enables you to add a "forward this page" link to each node. The link takes regular site visitors to a form where they can generate an email to a friend. The module exhibits multiple vulnerabilities as described below. The module includes "Recent forwards" and "Most forwarded"...
SA-CONTRIB-2012-006 XSS and CSRF in Multiple Modules - Supercron, Taxotouch, Admin:hover, Taxonomy Navigator no longer supported
CVE: CVE-2012-1628 SuperCron is a complete replacement for Drupal's built-in Cron functionality. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with "access administration pages" permission. CVE: CVE-2012-1629 Taxotouch...
SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache configurations
Certain -- alas, typical -- configurations of Apache allow execution of carefully named arbitrary scripts in the files directory. Drupal now will attempt to automatically create a .htaccess file in your "files" directory to protect you. This line references SA2006006 to lead Apache administrator...
Admin Audit Trail - Less critical - Denial of Service - SA-CONTRIB-2025-068
The Admin Audit Trail module tracks logs of specific events that you'd like to review. When the submodule Admin Audit Trail: User Authentication is enabled, it logs user authentication events: login, logout, and password reset requests. The module does not sufficiently limit some large values befo...
Sportsleague - Critical - Unsupported - SA-CONTRIB-2025-045
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002
Bulk operations allow authorized users to modify several nodes at once from the Content page /admin/content. A site builder can also add bulk operations to other pages using Views. A bug in the core Actions system allows some users to modify some fields using bulk actions that they do not have...
Drupal core - Moderately critical - Improper error handling - SA-CORE-2024-002
Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site. The issue is mitigated by the fact that several non-defau...
Advanced Varnish - Moderately critical - Access bypass - SA-CONTRIB-2024-033
This module enables you to cache pages for logged in users at the Varnish level. The Varnish bin names may be guessable when no hashing noise configuration is set on the module configuration page, which would ultimately allow any user to view cached pages that were intended for other roles when...
Search API attachments - Critical - Arbitrary PHP code execution - SA-CONTRIB-2021-034
This module enables you to extract the textual content of files for use on a website, e.g. to display it or use it in search indexes. The module doesn't sufficiently protect the administrator-defined commands that are executed on the server, which leads to post-authentication remote code executio...
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2020-007
The Drupal AJAX API does not disable JSONP by default, which can lead to cross-site scripting...
Drupal core - Moderately critical - Denial of Service - SA-CORE-2019-009
A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt...
Prepopulate - Moderately Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-009
The Prepopulate module allows form fields to be pre-populated in the request. The Prepopulate module does not adequately prevent a user from overwriting arbitrary parts of $REQUEST. It also does not prevent pre-populating certain fields that are not displayed or manipulating markup fields to alte...
UC Profile - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-165
UC Profile module enables you to collect profile fields for users during the checkout process of Ubercart as a checkout pane. The module doesn't sufficiently check access to profiles under certain circumstances. Depending on the information being collected, sensitive data may be exposed. This...
jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-158
The jQuery Update module enables you to update jQuery on your site. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-004). Only sites with the Overlay module enabled are vulnerable. An incomplete fix for...
Scald - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-151
This module enables you to easily manage your media assets and re-use them in all your content. The module provided a "debug" context that gave access to all the atom properties, including all the fields attached to this atom, without applying the corresponding field restrictions. This...
Chamilo integration - Less Critical - Open Redirect - SA-CONTRIB-2015-115
Chamilo integration module integrates Drupal with Chamilo LMS. The module has an Open Redirect vulnerability: it doesn't sufficiently check passed parameters in the URL. An attacker could trick users into visiting malicious sites without realizing it. CVE identifiers issued CVE-2015-5503 Versions...
SA-CONTRIB-2015-040 - Webform prepopulate block - Cross Site Scripting (XSS)
Webform prepopulate block module enables you to set a webform component to display in a separated block. The module doesn't sufficiently sanitize user supplied text when displaying the block, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that a...
SA-CONTRIB-2015-003 - PHPlist Integration Module - SQL Injection
The PHPlist Integration module provides an integration between a Drupal website and phpList newsletter manager. The module provides two main features: user sync and sending a node as a newsletter. The module introduces a SQL Injection vulnerability to the phpList database. The Drupal database is...
SA-CONTRIB-2015-004 - Context - Open Redirect
Context allows you to manage contextual conditions and reactions for different portions of your site. Context UI module wasn't checking for external URLs in the HTTP GET destination parameter when redirecting users that are activating/deactivating the Context UI inline editor dialog, thereby...
SA-CONTRIB-2014-078 - Notify - Access bypass
The notify module allows users to subscribe to periodic emails which include all new or revised content and/or comments of specific content types, much like the daily newsletters sent by some websites. The Notify module does not sufficiently check whether the user has access to recently added or...
SA-CONTRIB-2014-038 - SimpleCorp theme - Cross Site Scripting
SimpleCorp theme is a free responsive Drupal theme. The SimpleCorp theme does not properly sanitize theme settings before they are used in the output of a page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". CVE identifiers...
SA-CONTRIB-2013-076 - jQuery Countdown - Cross Site Scripting (XSS)
This jQuery Countdown Module enables you to display a countdown block based upon date settings. The jQuery Countdown Module does not properly sanitize the settings, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS vulnerability. This vulnerability ...
SA-CONTRIB-2013-064 - Persona - Cross site request forgery (CSRF)
This module enables users to sign into a Drupal website using Mozilla Persona. The module uses a security token to ensure that a sign-in request is made from a web page that is participating in the current session. It was possible for a security token that was not of type "string" to be accepted ...
SA-CONTRIB-2013-062 - RESTful Web Services (RESTWS) - Access Bypass
This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module doesn't sufficiently check for field level access when performing entity write operations on POST and PUT requests. It also do...
SA-CONTRIB-2013-037 - Rules - Cross Site Scripting (XSS)
The Rules module allows site administrators to define conditionally executed actions based on occurring events known as reactive or ECA rules. It's a replacement with more features for the trigger module in core. The module contains a persistent cross site scripting XSS vulnerability due to the...
SA-CONTRIB-2013-020 - Ubercart - Cross site scripting (XSS)
The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal. The "full name" field in Views did not properly sanitize output. The vulnerability is mitigated by the fact that an attacker must get far enough in the checkout process to store their name with an order. C...
SA-CONTRIB-2013-011 - email2image - Access Bypass - Unsupported
This module creates images of user email addresses and email fields. The module doesn't sufficiently check node access restrictions when displaying such fields. This vulnerability is mitigated by the fact that it only impacts sites using node access. CVE identifiers issued CVE-2013-0257 Versions...
SA-CONTRIB-2012-149 - Hostip - Cross Site Scripting (XSS)
Hostip enables you to query the http://www.hostip.info/ API to get the country / state information based on the user's IP address or a specific IP passed to it. The module fails to sanitize data retrieved from an untrusted third party source, thereby exposing an arbitrary script injection...
SA-CONTRIB-2012-096 - Authoring HTML - Cross Site Scripting (XSS)
This module creates an input format suitable for use within a WYSIWYG editor. It adds support for the iframe HTML tag, making it friendly with the popular iframe embeds available in popular video sites like YouTube and Vimeo. It supports the script tag too. Both tags will only be allowed if the...
SA-CONTRIB-2012-077 - Advertisement - Cross Site Scripting & Information Disclosure
XSS Issue: CVE: CVE-2012-2703. Access bypass: CVE: CVE-2012-2704 This module enables you to serve advertisements, define pools of ads and show certain ads on certain pages. The module could, under certain conditions, expose limited site configuration information and a debugging mode did not...
SA-CONTRIB-2012-025 - Cool aid; Editable help messages - Multiple vulnerabilities
Cool aid is a Drupal module that allows users to add custom help messages to Drupal pages. The module did not properly clean user input before displaying it, and did not properly check for access permissions, allowing users with "administer coolaid" to inject scripts anywhere on a site. The XSS...
Lightgallery - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-069
This module integrates Drupal with LightGallery, enabling the use of the LightGallery library with any image field or view. The module does not adequately sanitize user input in the image field’s "alt" attribute, potentially allowing cross-site scripting XSS attacks when tags or scripts are...
Panels - Critical - Access bypass - SA-CONTRIB-2025-033
Panels enables administrators to add page variants within page manager, panelizer, etc. to create custom pages. The module doesn't sufficiently protect sensitive routes, allowing an attacker to view and modify blocks within variants without requiring appropriate permission. This vulnerability is...
GraphQL - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2023-051
The GraphQL module enables you to build GraphQL APIs which can include data fetching through Queries and data updates create, update, delete through mutations. The module does not sufficiently validate incoming requests that are made from domains other than the one serving the GraphQL endpoint. I...
Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031
This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the administer permissions permission. The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An...
Search API Sorts - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-016
The Search API Sorts module allows the site administrator to configure custom sort options for their search results and expose the control interface via the core block system. The module doesn't sufficiently sanitise the name of the sort option which is displayed to users. This vulnerability is...
OpenLucius - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-004
OpenLucius is a work management platform for social communication, documentation, and projects. The distribution doesn't sufficiently use tokens when marking messages for users as read thereby exposing a Cross Site Request Forgery CSRF vulnerability. The distribution does not sufficiently filter...
Values - Critical - Arbitrary PHP code execution - SA-CONTRIB-2015-172
This module enables you to create key|value pairs for use in list fields, webforms etc. The module includes an import page that runs eval on an exported code block ctools, but the permission for the page does not warn about security concerns of importing raw php code like this trusted permission...
Chat Room - Moderately Critical - Access Bypass - SA-CONTRIB-2015-169
Chat Room enables site owners to integrate chats into nodes by adding the chat room field to them. The module relies on a websocket connection to send chat messages to the client. The module doesn't sufficiently validate access before setting up the websocket. As a result, users may receive...
Login Disable - Access Bypass - Moderately Critical - SA-CONTRIB-2015-162
This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page. The Login Disable module doesn't support other contributed user authentication modules like CAS or URL Login. When combined with...
Entity Registration - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-155
This module enables you to manage registrations for events. The module doesn't sufficiently protect information about who is registered to attend specific events when anonymous users are granted a permission that is commonly recommended when allowing anonymous registrations. This vulnerability is...
Spotlight - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2015-142
The Spotlight module provides a tool that mimics Mac OS X Spotlight functionality. It provides faster access to content, paths and uploaded files. The module doesn't sufficiently sanitize node titles when displayed in results. This vulnerability is mitigated by the fact that an attacker must have...
jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-123
The jQuery Update module enables you to update jQuery on your site. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-002). Only sites with the Overlay module enabled are vulnerable. CVE identifiers issued...
Mobile sliding menu - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-108
The mobile sliding menu module integrates the mmenu jQuery plugin for creating slick, app look-alike sliding menus for your mobile website. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fa...
SA-CONTRIB-2015-025 - Patterns - Cross Site Request Forgery (CSRF)
Patterns module manages and automates site configuration. Site configurations stored in XML or YAML are called Patterns, and these are easy to read, modify, manage & share and can be executed manually or as a part of an automated web site deployment. Some links were not protected against CSRF. A...
SA-CONTRIB-2015-016 - Tadaa! - Multiple vulnerabilities
Tadaa! is a module aimed at simplifying the process of enabling/disabling modules and altering configuration when switching between different environments, e.g. Production/Staging/Development. The module exposes multiple paths that were not protected against Cross Site Request Forgeries CSRF. A...
SA-CONTRIB-2014-122 - MoIP - Cross Site Scripting (XSS)
This module enables you to use Moip a Brazilian payment method with Drupal Commerce. The module doesn't sufficiently filter the data passed by the automatic notifications, leaving the possibility for a malicious user to insert Cross Site Scripting xss attacks. This vulnerability is mitigated by t...