Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2015/01/21 12:0 a.m.26 views

SA-CONTRIB-2015-028 - Shibboleth Authentication - Cross Site Request Forgery (CSRF)

Shibboleth Authentication module allows users to log in and get permissions based on federated SAML2 authentication. The roles that are assigned to users are based on a matching list. A malicious attacker can delete matching rules from the list by getting the administrator's browser to make a...

5.8CVSS6.5AI score0.00656EPSS
Exploits0References10
Drupal
Drupal
added 2015/01/07 12:0 a.m.26 views

SA-CONTRIB-2015-004 - Context - Open Redirect

Context allows you to manage contextual conditions and reactions for different portions of your site. Context UI module wasn't checking for external URLs in the HTTP GET destination parameter when redirecting users that are activating/deactivating the Context UI inline editor dialog, thereby...

5.8CVSS6.1AI score0.0219EPSS
Exploits0References11
Drupal
Drupal
added 2014/10/22 12:0 a.m.26 views

SA-CONTRIB-2014-100 - Bad Behavior - Information Disclosure

This module enables you to to target any malicious software directed at a Web site, whether it be a spambot, ill-designed search engine bot, or system crackers. It blocks such access and then logs their attempts. Information Disclosure The module doesn't sufficiently sanitize log data, allowing...

4CVSS6.4AI score0.01218EPSS
Exploits0References11
Drupal
Drupal
added 2014/09/10 12:0 a.m.26 views

SA-CONTRIB-2014-087 - Drupal Commerce - Information disclosure

Drupal Commerce is used to build eCommerce websites and applications of all sizes. The commerceorder module can be used to create new user accounts where email addresses are used as user names. Since user names are not considered private information in Drupal this is an information disclosure of...

5CVSS5.9AI score0.01173EPSS
Exploits0References11
Drupal
Drupal
added 2014/07/02 12:0 a.m.26 views

SA-CONTRIB-2014-067 - Meta Tags Quick - Multiple vulnerabilities

Meta tags quick adds meta tags editing to all non-administrative pages of Drupal site. Redirector abuse in path-based meta tag editing form When editing a path-based meta tag, module does not check destination parameter of the URL, allowing attacker to pass arbitrary URL to meta tag editing form...

5.5CVSS5.9AI score0.01308EPSS
Exploits0References11
Drupal
Drupal
added 2014/04/30 12:0 a.m.26 views

SA-CONTRIB-2014-046 - Context Form Alteration - Cross Site Scripting (XSS)

The Context Form Alteration module enables admins to alter forms via Context reactions. The module doesn't sufficiently sanitize user input entered within the Context configuration UI. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...

3.5CVSS6.3AI score0.00946EPSS
Exploits0References10
Drupal
Drupal
added 2014/04/09 12:0 a.m.26 views

SA-CONTRIB-2014-038 - SimpleCorp theme - Cross Site Scripting

SimpleCorp theme is a free responsive Drupal theme. The SimpleCorp theme does not properly sanitize theme settings before they are used in the output of a page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". CVE identifiers...

3.5CVSS6.4AI score0.00946EPSS
Exploits0References11
Drupal
Drupal
added 2013/12/04 12:0 a.m.26 views

SA-CONTRIB-2013-097 - OG Features - Access bypass

This module enables you to enable and disable bundles of functionality for individual Organic groups. In order to provide this functionality, this module must override all menu callbacks available in the system, in order to delegate access based on the current Organic group you are contextually i...

5.8CVSS6.1AI score0.01218EPSS
Exploits0References12
Drupal
Drupal
added 2013/09/11 12:0 a.m.26 views

SA-CONTRIB-2013-076 - jQuery Countdown - Cross Site Scripting (XSS)

This jQuery Countdown Module enables you to display a countdown block based upon date settings. The jQuery Countdown Module does not properly sanitize the settings, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS vulnerability. This vulnerability ...

2.1CVSS5.7AI score0.00931EPSS
Exploits0References10
Drupal
Drupal
added 2013/08/07 12:0 a.m.26 views

SA-CONTRIB-2013-064 - Persona - Cross site request forgery (CSRF)

This module enables users to sign into a Drupal website using Mozilla Persona. The module uses a security token to ensure that a sign-in request is made from a web page that is participating in the current session. It was possible for a security token that was not of type "string" to be accepted ...

8.8CVSS8.6AI score0.00761EPSS
Exploits0References10
Drupal
Drupal
added 2013/08/07 12:0 a.m.26 views

SA-CONTRIB-2013-065 - Organic Groups - Access Bypass

This module enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. The module allows any authenticated user to guess the node ID of private groups, and subscribe to them without...

4.3CVSS4.5AI score0.01157EPSS
Exploits0References11
Drupal
Drupal
added 2013/02/27 12:0 a.m.26 views

SA-CONTRIB-2013-031 - Premium Responsive theme - Cross Site Scripting (XSS)

This third-party contributed theme change Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.6AI score0.00941EPSS
Exploits0References10
Drupal
Drupal
added 2013/02/27 12:0 a.m.26 views

SA-CONTRIB-2013-025 - Fresh Theme - Cross Site Scripting (XSS)

This third-party contributed theme change Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.6AI score0.00962EPSS
Exploits0References10
Drupal
Drupal
added 2012/12/05 12:0 a.m.26 views

SA-CONTRIB-2012-173 - Nodewords: Information disclosure

This module enables you to assign meta tags on Drupal 6 sites to aid with 3rd party search indexing and sharing on social networks. The module doesn't correctly filter node content when configured to automatically generate descriptions meta tags from the node text. This lack of filtering could...

4.3CVSS6.4AI score0.01191EPSS
Exploits0References12
Drupal
Drupal
added 2012/06/27 12:0 a.m.26 views

SA-CONTRIB-2012-105 - Hashcash - Cross Site Scripting (XSS)

The Hashcash project is an implementation of a Proof Of Work POW or Puzzle scheme where users of a service have to do computational work to have their request granted. In the case of the Drupal Hashcash project, the service is 'form submission' and the Proof Of Work is a token that causes a parti...

2.6CVSS5.7AI score0.01155EPSS
Exploits0References8
Drupal
Drupal
added 2012/06/06 12:0 a.m.26 views

SA-CONTRIB-2012-095 - Simplenews - Information Disclosure

Simplenews publishes and sends newsletters. When subscribing to a Simplenews mailing list, confirmation may be required, and Simplenews may disclose the user's e-mail address on the confirmation page. Further, due to the absence of a noindex tag, the list of e-mail addresses can subsequently be...

5.3CVSS5.3AI score0.02453EPSS
Exploits0References13
Drupal
Drupal
added 2012/05/16 12:0 a.m.26 views

SA-CONTRIB-2012-077 - Advertisement - Cross Site Scripting & Information Disclosure

XSS Issue: CVE: CVE-2012-2703. Access bypass: CVE: CVE-2012-2704 This module enables you to serve advertisements, define pools of ads and show certain ads on certain pages. The module could, under certain conditions, expose limited site configuration information and a debugging mode did not...

5CVSS5.1AI score0.01873EPSS
Exploits2References12
Drupal
Drupal
added 2012/03/28 12:0 a.m.26 views

SA-CONTRIB-2012-049 - ShareThis - Multiple Vulnerablies

The XSS issue is CVE: CVE-2012-2076 The CSRF issue is CVE: CVE-2012-2077 The ShareThis module allows you to display social networking tools to users. The administration forms of the module do not properly use the Form API allowing a malicious user to inject unexpected settings, allowing for...

5.1CVSS5.2AI score0.01607EPSS
Exploits0References11
Drupal
Drupal
added 2012/03/14 12:0 a.m.26 views

SA-CONTRIB-2012-040 - CKEditor and FCKeditor - multiple XSS, arbitrary code execution

CKEditor and its predecessor FCKeditor allow Drupal to replace textarea fields with the FCKEditor - a visual HTML WYSIWYG editor. The modules have an AJAX callback that filters text to prevent Cross site scripting attacks on content edits. This AJAX callback function contains a number of bugs whi...

6.8CVSS5.9AI score0.0153EPSS
Exploits0References9
Drupal
Drupal
added 2006/10/18 12:0 a.m.26 views

DRUPAL-SA-2006-026 - Drupal core - Form action attribute injection

A malicious user may entice users to visit a specially crafted URL that may result in the redirection of Drupal form submission to a third-party site. A user visiting the user registration page via such a url, for example, will submit all data, such as his/her e-mail address, but also possible...

7.2AI score
Exploits0References3
Drupal
Drupal
added 2006/06/01 12:0 a.m.26 views

SA-2006-007 - Drupal Core - Revision to DRUPAL-SA-2006-006

Recently, the Drupal security team was informed of a potential exploit that would allow untrusted code to be executed upon a successful request by a malicious user. If a dynamic script with multiple extensions such as file.php.pps or file.sh.txt is uploaded and then accessed from a web browser...

6.5AI score
Exploits0References3
Drupal
Drupal
added 2025/06/25 12:0 a.m.25 views

Open Social - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-079

Open Social is a Drupal distribution for online communities, which ships with a default module that allows users to enroll in events. The module doesn't sufficiently protect certain routes from Cross Site Request Forgery CSRF attacks. Users can be tricked into accepting or rejecting these...

8.8CVSS6.5AI score0.00161EPSS
Exploits0References3
Drupal
Drupal
added 2025/06/25 12:0 a.m.25 views

Simple XML sitemap - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-083

Simple XML sitemap is a SEO module that allows creating various XML sitemaps of the site's content and submitting them to search engines. The module doesn't sufficiently sanitize input when administering it, which leads to a Cross-site scripting XSS attack vector. This vulnerability is mitigated ...

5.4CVSS5.6AI score0.00186EPSS
Exploits0References3
Drupal
Drupal
added 2025/06/25 12:0 a.m.25 views

Toc.js - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-077

This module enables you to generate Table of content of your pages given a configuration. The module doesn't sufficiently sanitise data attributes allowing persistent Cross-site Scripting XSS attacks. This vulnerability is mitigated by the fact that an attacker must have a role with permission to...

6.1CVSS5.4AI score0.00186EPSS
Exploits0References2
Drupal
Drupal
added 2025/04/23 12:0 a.m.25 views

Block Class - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-043

Block Class enables you to add custom attributes to blocks. The module did not sufficiently sanitize custom attribute input, allowing for potential XSS attacks when malicious JavaScript was injected as a custom attribute. This vulnerability is mitigated by the fact that an attacker must have a ro...

6.1CVSS5.9AI score0.00198EPSS
Exploits0References2
Drupal
Drupal
added 2025/03/05 12:0 a.m.25 views

AI (Artificial Intelligence) - Critical - Remote Code Execution - SA-CONTRIB-2025-021

The AI Automators module a submodule of AI enables you to create different automated tasks that fills out field data using LLM outputs. The module doesn't sufficiently sanitize input before passing it to the underlying shell as part of a command for execution, allowing an attacker to run arbitrar...

7.5CVSS7.3AI score0.00717EPSS
Exploits0References2
Drupal
Drupal
added 2024/01/24 12:0 a.m.25 views

Open Social - Moderately critical - Information Disclosure - SA-CONTRIB-2024-005

Open Social is a Drupal distribution for online communities. The included optional socialgroupflexiblegroup module doesn't sufficiently validate group updates. The lack of validation makes it possible to have content inside the group changing it's visibility, which could lead to that content bein...

9.1CVSS7AI score0.00347EPSS
Exploits0References7
Drupal
Drupal
added 2024/01/24 12:0 a.m.25 views

Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2024-003

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. In some cases, the module allows users to log in with an authentication plugin that an administrator has disabled. This vulnerability is mitigated by the fact that a...

9.8CVSS7.3AI score0.00549EPSS
Exploits0References10
Drupal
Drupal
added 2023/11/08 12:0 a.m.25 views

GraphQL - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2023-051

The GraphQL module enables you to build GraphQL APIs which can include data fetching through Queries and data updates create, update, delete through mutations. The module does not sufficiently validate incoming requests that are made from domains other than the one serving the GraphQL endpoint. I...

7AI score
Exploits0References8
Drupal
Drupal
added 2023/03/15 12:0 a.m.25 views

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-002

The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not have access to, including for private files. This release was coordinated with SA-CONTRIB-2023-010. This advisory is not covered by Drupal Steward...

3.1AI score
Exploits0References14
Drupal
Drupal
added 2022/03/23 12:0 a.m.25 views

Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031

This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the administer permissions permission. The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An...

6.4AI score
Exploits0References6
Drupal
Drupal
added 2018/10/17 12:0 a.m.25 views

Search Autocomplete - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-070

This Search Autocomplete module enables you to autocomplete textfield using data from your website nodes, comments, etc... The module doesn't sufficiently filter user-entered text among the autocompletion items leading to a Cross Site Scripting XSS vulnerability. This vulnerability can be exploit...

6.1CVSS5.9AI score0.00793EPSS
Exploits0References6
Drupal
Drupal
added 2017/02/15 12:0 a.m.25 views

Search API Sorts - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-016

The Search API Sorts module allows the site administrator to configure custom sort options for their search results and expose the control interface via the core block system. The module doesn't sufficiently sanitise the name of the sort option which is displayed to users. This vulnerability is...

6.8AI score
Exploits0References14
Drupal
Drupal
added 2017/01/11 12:0 a.m.25 views

OpenLucius - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-004

OpenLucius is a work management platform for social communication, documentation, and projects. The distribution doesn't sufficiently use tokens when marking messages for users as read thereby exposing a Cross Site Request Forgery CSRF vulnerability. The distribution does not sufficiently filter...

6.4AI score
Exploits0References11
Drupal
Drupal
added 2015/12/16 12:0 a.m.25 views

Values - Critical - Arbitrary PHP code execution - SA-CONTRIB-2015-172

This module enables you to create key|value pairs for use in list fields, webforms etc. The module includes an import page that runs eval on an exported code block ctools, but the permission for the page does not warn about security concerns of importing raw php code like this trusted permission...

9CVSS9.2AI score0.01481EPSS
Exploits0References11
Drupal
Drupal
added 2015/11/04 12:0 a.m.25 views

Login Disable - Access Bypass - Moderately Critical - SA-CONTRIB-2015-162

This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page. The Login Disable module doesn't support other contributed user authentication modules like CAS or URL Login. When combined with...

7.5CVSS6.4AI score0.01645EPSS
Exploits0References8
Drupal
Drupal
added 2015/06/17 12:0 a.m.25 views

Content Construction Kit (CCK) - Less Critical - Open Redirect - SA-CONTRIB-2015-126

The Content Construction Kit CCK project is a set of modules that allows you to add custom fields to nodes using a web browser. CCK uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain...

5.8CVSS6.3AI score0.01204EPSS
Exploits0References12
Drupal
Drupal
added 2015/06/17 12:0 a.m.25 views

Acquia Cloud Site Factory Connector - Less Critical - Open Redirect - SA-CONTRIB-2015-125

Acquia Cloud Site Factory provides an environment and a robust set of tools that simplify management of many Drupal sites, allowing you to quickly deliver and manage any number of websites. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an ope...

5.8CVSS6AI score0.02763EPSS
Exploits0References13
Drupal
Drupal
added 2015/06/17 12:0 a.m.25 views

HTTP Strict Transport Security - Moderately Critical - Logical Error - SA-CONTRIB-2015-118

The contributed HSTS module makes it easy for site administrators to implement HTTP Strict Transport Security HSTS by setting the Strict-Transport-Security header on each page generated by Drupal. HSTS module provides a configuration UI for the HSTS "include subdomains" directive, which indicates...

6.8CVSS9.4AI score0.01622EPSS
Exploits0References9
Drupal
Drupal
added 2015/06/17 12:0 a.m.25 views

jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-123

The jQuery Update module enables you to update jQuery on your site. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack see SA-CORE-2015-002. Only sites with the Overlay module enabled are vulnerable. CVE identifiers issued...

5.8CVSS6AI score0.02763EPSS
Exploits0References13
Drupal
Drupal
added 2015/06/03 12:0 a.m.25 views

Novalnet Payment Module Drupal Commerce - Critical - SQL Injection - Unsupported - SA-CONTRIB-2015-117

This module enables you add the Novalnet payment service provider to Drupal Commerce. The module fails to sanitize a database query by not using the database API properly, thereby leading to a SQL Injection vulnerability. Since the affected path is not protected against CSRF, a malicious user can...

7.5CVSS7.3AI score0.0196EPSS
Exploits0References8
Drupal
Drupal
added 2015/03/25 12:0 a.m.25 views

Ubercart Webform Checkout Pane - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-087

Ubercart Webform Checkout Pane module allows you to define Webform nodes as checkout/order panes in Ubercart. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an...

3.5CVSS6AI score0.01122EPSS
Exploits0References12
Drupal
Drupal
added 2015/02/18 12:0 a.m.25 views

SA-CONTRIB-2015-047 - Panopoly Magic - Cross Site Scripting (XSS)

This module enables live previews of Panels panes in the modal dialog for adding or editing them. The module doesn't sufficiently filter the pane title when re-rendering the live preview. This vulnerability is mitigated by the fact that an attacker must have permission to add or edit Panels panes...

3.5CVSS6.3AI score0.00936EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/18 12:0 a.m.25 views

SA-CONTRIB-2015-048 - Avatar Uploader - Arbitrary PHP code execution

Avatar Uploader module provides an alternative way to upload user pictures. The module doesn't sufficiently enforce file extensions when an avatar is uploaded, allowing users to bypass Drupal's normal file upload protections to install malicious HTML or executable code to the server. This...

6.5CVSS7AI score0.01844EPSS
Exploits0References11
Drupal
Drupal
added 2015/02/11 12:0 a.m.25 views

SA-CONTRIB-2015-039 - Views - Multiple vulnerabilities

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. Open redirect vulnerability The module does not sanitize user provided URLs when processing the page to break the lock on Views bei...

4.9CVSS6AI score0.0158EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/04 12:0 a.m.25 views

SA-CONTRIB-2015-037 - Path Breadcrumbs - Access Bypass

This module enables you to configure breadcrumbs for any Drupal page. The module doesn't check node access on 403 Not Found pages. As a result, unpublished content data can be shown to unprivileged user. This vulnerability is mitigated by the fact that it is possible to configure proper access...

5CVSS6.3AI score0.01423EPSS
Exploits0References11
Drupal
Drupal
added 2015/01/14 12:0 a.m.25 views

SA-CONTRIB-2015-021 - Content Analysis - Cross Site Scripting (XSS)

The Content Analysis module is an API designed to help modules that need to analyze content. The module fails to sanitize user input in log messages, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that only sites with dblog module enabled are...

4.3CVSS5.6AI score0.01184EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/14 12:0 a.m.25 views

SA-CONTRIB-2015-016 - Tadaa! - Multiple vulnerabilities

Tadaa! is a module aimed at simplifying the process of enabling/disabling modules and altering configuration when switching between different environments, e.g. Production/Staging/Development. The module exposes multiple paths that were not protected against Cross Site Request Forgeries CSRF. A...

6.8CVSS6.2AI score0.01204EPSS
Exploits0References10
Drupal
Drupal
added 2014/12/10 12:0 a.m.25 views

SA-CONTRIB-2014-122 - MoIP - Cross Site Scripting (XSS)

This module enables you to use Moip a Brazilian payment method with Drupal Commerce. The module doesn't sufficiently filter the data passed by the automatic notifications, leaving the possibility for a malicious user to insert Cross Site Scripting xss attacks. This vulnerability is mitigated by t...

4.3CVSS6AI score0.01161EPSS
Exploits0References11
Drupal
Drupal
added 2014/10/15 12:0 a.m.25 views

SA-CONTRIB-2014-099 - Open Atrium Core - Access bypass

The oacore module contains the base access control mechanism for the Open Atrium distribution OA2. In OA2, file attachments are given the same access permission as the node they are attached to. The vulnerability is when an attachment is removed from a node that has Revisions enabled. It allows...

5CVSS6.4AI score0.01209EPSS
Exploits0References9
Total number of security vulnerabilities1940