1940 matches found
SA-CONTRIB-2013-066 - Monster Menus - Multiple Vulnerabilities
Monster Menus enables you to create granular page permissions, and apply them to a hierarchical page structure. The mmwebform submodule enables you to assign permissions derived from Monster Menus to webform forms. The module doesn't sufficiently filter titles entered into page settings and echoe...
SA-CONTRIB-2013-044 - elFinder file manager - Cross Site Request Forgery (CSRF)
The elfinder module provides an AJAX-based file manager based on the elFinder javascript library. The module doesn't sufficiently verify requests thereby exposing a Cross Site Request Forgery CSRF vulnerability. This would enable an attacker to create, modify, or delete files on the server. There...
SA-CONTRIB-2013-042 - RESTful Web Services (RESTWS) - Denial of Service
This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module interferes with Drupal's page cache and allows an attacker to poison the cache with non-HTML page responses, thereby exposing ...
SA-CONTRIB-2013-026 - Best Responsive Theme - Cross Site Scripting (XSS)
Best Responsive theme is a light weight Drupal 7 theme with a modern look and feel. The theme doesn't properly sanitize user-entered content in the social icon leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...
SA-CONTRIB-2013-005 - Mark Complete Module - Cross Site Request Forgery (CSRF)
This module enables you to update a date field on a node via an AJAX link on the node view page. The module doesn't sufficiently guard against Cross Site Request Forgery CSRF. CVE identifiers issued CVE-2013-0207 Versions affected Mark Complete 7.x-1.x versions prior to 7.x-1.1. Drupal core is no...
SA-CONTRIB-2012-170 - MultiLink - Access Bypass
MultiLink allows you to generate in-content links to a suitable node or node translation based on the visitor's language preferences. It allows the Node Title of the target node to be shown as the visible text and title attribute for the generated link. Prior to versions 6.x-2.7 and 7.x-2.7 the...
SA-CONTRIB-2012-110 - Colorbox Node - Cross Site Scripting (XSS)
Colorbox Node gives the user the ability to display ANY page inside a colorbox modal without the header and footer. The module accepts some settings from URL parameters and didn't sufficiently validate them before printing them to the browser, allowing malicious users to inject script code into t...
SA-CONTRIB-2012-063 - RealName - Cross Site Scripting (XSS)
CVE: CVE-2012-2298 This module allows you to set a pattern for constructing "Real names" for users out of profile fields. The module does not sufficiently escape users' real names under certain circumstances which could lead to a Cross-Site Scripting XSS attack. Versions affected RealName 6.x-1.x...
SA-CONTRIB-2012-051 - Activity - Multiple Vulnerablities
The XSS issue is: CVE: CVE-2012-2078 The CSRF issue is: CVE: CVE-2012-2079 The Activity module keeps track of the things people do on your site and provides mini-feeds of these activities in blocks, in a specialized table, and via RSS. The module is extensible so that any other module can integra...
Drupal AlternativeCommerce (Basket) - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2026-038
The Basket module enables e-commerce and checkout functionality for Drupal sites. The module does not sufficiently sanitize user-supplied data before passing it to PHP's unserialize. An attacker can supply a crafted payload and trigger PHP Object Injection. If a viable gadget chain exists in the...
Block Attributes - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-090
This module allows you to define custom attributes for a block. You can specify an attribute name to be added to the block in a predefined format. The module does not sufficiently validate the provided attributes, which makes it possible to insert JavaScript event attributes such as onmouseover,...
Cookies Addons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-087
This module provides a format filter, which allows you to "disable" iframes e.g. remove their src attribute specified by the user. These elements will be enabled again, once the Cookies banner is accepted. The module doesn't sufficiently filter user-supplied content when their value might contain...
Config Pages Viewer - Critical - Access bypass - SA-CONTRIB-2025-086
This module enables you to use configpages as a content entity. The module doesn't check permission or entity access before rendering configpages content...
Toc.js - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-077
This module enables you to generate Table of content of your pages given a configuration. The module doesn't sufficiently sanitise data attributes allowing persistent Cross-site Scripting XSS attacks. This vulnerability is mitigated by the fact that an attacker must have a role with permission to...
Piwik PRO - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-058
This module enables you to add the Piwik Pro web statistics tracking system to your website. The module does not check the JS code that is loaded on the website. So a user with the "Administer Piwik Pro" permission could configure the module to load JS from a malicious website. This vulnerability...
UEditor - 百度编辑器 - Critical - Unsupported - SA-CONTRIB-2025-044
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Migrate queue importer - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-024
The Migrate queue importer module enables you to create cron migrationsconfiguration entities with a reference towards migration entities in order to import them during cron runs. The module doesn't sufficiently protect against Cross Site Request Forgery under specific scenarios allowing an...
Registration role - Critical - Access bypass - SA-CONTRIB-2024-015
The Registration role module lets an administrator select a role or multiple roles to automatically assign to new users. The selected role or roles will be assigned to new registrants. The module has a logic error when handling sites that upgraded code and did not run the Drupal update process e....
CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009
The CKEditor 4 LTS - WYSIWYG HTML editor module uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that on certain configurations may impact the Drupal module that bundles and integrates this code. The vulnerability is mitigated by the fact it requires: full-pa...
GraphQL - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2023-051
The GraphQL module enables you to build GraphQL APIs which can include data fetching through Queries and data updates create, update, delete through mutations. The module does not sufficiently validate incoming requests that are made from domains other than the one serving the GraphQL endpoint. I...
Spamicide - Critical - Access bypass - SA-CONTRIB-2020-009
The Spamicide module protects Drupal forms with a form field that is hidden from normal users, but visible to spam bots. The module doesn't require appropriate permissions for administrative pages leading to an Access Bypass...
CKEditor 4 - WYSIWYG HTML editor - Moderately critical - Cross site scripting - SA-CONTRIB-2020-007
The CKEditor module and its predecessor, FCKeditor module allows Drupal to replace textarea fields with CKEditor 3.x/4.x FCKeditor 2.x in case of FCKeditor module - a visual HTML editor, sometimes called WYSIWYG editor. Due to the usage of the JavaScript eval function on non-filtered data in admi...
Drupal core - Moderately critical - Access bypass - SA-CORE-2019-011
The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations...
CKEditor Upload Image - Critical - Access bypass - SA-CONTRIB-2018-014
This module enables you to drag and drop or paste images into CKEditor. The module does not sufficiently verify users permissions, which leads to anonymous users being able to upload files to the server...
netFORUM Authentication - Moderately critical - Access Bypass - SA-CONTRIB-2017-077
The netFORUM Authentication module implements external authentication for users against netFORUM. The module does not correctly use flood control making it susceptible to brute force attacks...
PRLP - Critical - Access Bypass and Privilege Escalation - SA-CONTRIB-2017-030
This module adds a form on the password-reset-landing page to allow changing the password of the user during the log in process. The module does not sufficiently validate all access tokens, which allows an attacker to change the password of any arbitrary user and gain access to their account. In...
Elysia Cron - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-052
This module enables you to manage cron jobs. The module doesn't sufficiently sanitize the cron rules which are entered into "Predefined rules" field thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...
Mass Contact - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-144
This module allows anyone with permission to send a single message to multiple users of a site, using the site's roles and/or taxonomy functionality. The module doesn't sufficiently sanitize the category labels when they are displayed. This vulnerability is mitigated by the fact that an attacker...
HybridAuth Social Login - Less Critical - Access bypass - SA-CONTRIB-2015-127
The HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter. The module allows account creation through social login when the configuration is set to allow user registration by...
Administration Views - Moderately Critical - Access Bypass - SA-CONTRIB-2015-122
This module replaces administrative overview/listing pages with Views for improved usability. When combined with other contributed or custom modules, the Administration Views module improperly grants users access to administration pages including the permissions page. This vulnerability is...
Novalnet Payment Module Drupal Commerce - Critical - SQL Injection - Unsupported - SA-CONTRIB-2015-117
This module enables you add the Novalnet payment service provider to Drupal Commerce. The module fails to sanitize a database query by not using the database API properly, thereby leading to a SQL Injection vulnerability. Since the affected path is not protected against CSRF, a malicious user can...
User Import - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-093
This module enables the import of users into Drupal, or the update of existing users, with data from a CSV file comma separated file. Some management URLs were not properly protected. A malicious user could trick an administrator into continuing or deleting an ongoing import by getting them to...
Webform Multiple File Upload - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-083
Webform Multiple File Upload module enables you to upload multiple files at once in webforms. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with edit access to webforms to delete files by getting their browser to make a request to a...
SA-CONTRIB-2015-074 - Site Documentation - Cross Site Scripting (XSS)
Site Documentation module enables you to display detailed configuration information. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user with...
SA-CONTRIB-2015-071 - Simple Subscription - Cross Site Scripting (XSS)
This module enables you to add a block to allow visitors to subscribe to a site's newsletter. The module failed to sanitize some block content, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...
SA-CONTRIB-2015-057 - Spider Contacts - Multiple vulnerabilities - Unsupported
Spider Contacts module provides a user-friendly way to manage and display contacts. The module doesn't use Drupal's Database API properly, not sanitizing user input on SQL queries and thereby exposing a SQL Injection vulnerability. This vulnerability is mitigated by the fact that the attacker mus...
SA-CONTRIB-2015-015 - Term Merge - Cross Site Scripting (XSS)
This module enables you to merge synonymous taxonomy terms among themselves. The module doesn't sufficiently filter user input under certain conditions, thereby opening a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must be able to create...
SA-CONTRIB-2015-001 - OPAC - Cross Site Request Forgery (CSRF)
OPAC module enables you to create mappings between node fields and ILS record fields. The module doesn't ask for confirmation when removing a mapping, leaving this operation vulnerable to cross-site request forgery CSRF attacks. CVE identifiers issued CVE-2015-3343 Versions affected OPAC 7.x-2.x...
SA-CONTRIB-2014-047 - Zen - Cross Site Scripting
The Zen theme is a powerful, yet simple, HTML5 starting theme with a responsive, mobile-first grid design. The theme does not properly sanitize theme settings before they are used in the output of a page. Themes that have copied code from Zen's template.php may suffer from this same issue. If you...
SA-CONTRIB-2014-029 - Mime Mail - Access Bypass
The MIME Mail module allows to send MIME-encoded e-mail messages with embedded images and attachments. By default the module only allows files to be embedded or attached that are located in the public files directory. The module doesn't sufficiently check the file location, considering similar...
SA-CONTRIB-2013-089 - Node Access Keys - Access Bypass
Node Access Keys helps to grant users temporary view permissions to selected content types on a per user role basis. However, it only implements hooknodeaccess and not hookqueryalter, which means any listing of nodes does not respect the node view access. CVE identifiers issued CVE-2013-4596...
SA-CONTRIB-2013-085 - Feed Element Mapper - Cross Site Scripting
Feed Element Mapper is an add-on module for FeedAPI that maps elements on a feed item such as tags or the author name to taxonomy or CCK fields. The module doesn't sufficiently filter text when displaying options to users. This vulnerability is mitigated by the fact that an attacker must have a...
SA-CONTRIB-2013-061 - Flippy - Access Bypass
This module enables you to generate previous/next links for content types. The module doesn't sufficiently enforce node access when generating previous/next links. A user may be presented with a link including alias if one is set but will not be able to view the node content. This vulnerability i...
SA-CONTRIB-2013-043 - MP3 Player - Cross Site Scripting (XSS)
This module enables you to easily enable a Flash MP3 Player on a CCK FileField. The module doesn't sufficiently filter user-supplied text from mp3 filenames. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create a node with an mp3 filefield wi...
SA-CONTRIB-2013-028 - Responsive Blog Theme - Cross Site Scripting (XSS)
Responsive Blog Theme is a light weight Drupal 7 theme with a modern look and feel. The theme doesn't properly sanitize user-entered content in the social icon leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...
SA-CONTRIB-2013-023 - Varnish module - Cross Site Scripting (XSS)
This module provides integration between your Drupal site and the Varnish HTTP Accelerator, an advanced and very fast reverse-proxy system. The module doesn't sufficiently filter user-supplied text provided in the configuration settings. This vulnerability is mitigated by the fact that an attacke...
SA-CONTRIB-2012-164 - Smiley module and Smileys module - Cross Site Scripting (XSS)
These modules enable you to substitutes text emoticons, like :-, with images. These modules don't sufficiently sanitize user defined smiley acronyms before displaying smiley images. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...
SA-CONTRIB-2012-162 - RESTful Web Services - Cross site request forgery (CSRF)
This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module doesn't sufficiently verify POST requests thereby exposing a Cross Site Request Forgery vulnerability. This vulnerability is...
SA-CONTRIB-2012-159 - Password policy - Information leakage of hashed passwords
This module provides a way to specify a certain level of password complexity aka. "password hardening" for user passwords on a system by defining a password policy. The Password policy module allows administrators to request users to enter a new password that does not match any of the previous X...
SA-CONTRIB-2012-146 - Simplenews Scheduler - Arbitrary code execution
The Simplenews Scheduler module provides a system for creating automatic email newsletters. These can be set to be sent at a fixed interval, or PHP code can be entered to evaluate a condition for a new newsletter issue to be sent. The module allows a user with the 'send scheduled newsletters'...