Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
•added 2013/08/07 12:0 a.m.•25 views

SA-CONTRIB-2013-066 - Monster Menus - Multiple Vulnerabilities

Monster Menus enables you to create granular page permissions, and apply them to a hierarchical page structure. The mmwebform submodule enables you to assign permissions derived from Monster Menus to webform forms. The module doesn't sufficiently filter titles entered into page settings and echoe...

2.1CVSS5.7AI score0.01099EPSS
Exploits1References9
Drupal
Drupal
•added 2013/04/17 12:0 a.m.•25 views

SA-CONTRIB-2013-044 - elFinder file manager - Cross Site Request Forgery (CSRF)

The elfinder module provides an AJAX-based file manager based on the elFinder javascript library. The module doesn't sufficiently verify requests thereby exposing a Cross Site Request Forgery CSRF vulnerability. This would enable an attacker to create, modify, or delete files on the server. There...

4.3CVSS6.6AI score0.01354EPSS
Exploits0References13
Drupal
Drupal
•added 2013/04/10 12:0 a.m.•25 views

SA-CONTRIB-2013-042 - RESTful Web Services (RESTWS) - Denial of Service

This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module interferes with Drupal's page cache and allows an attacker to poison the cache with non-HTML page responses, thereby exposing ...

4.3CVSS6.4AI score0.01347EPSS
Exploits0References9
Drupal
Drupal
•added 2013/02/27 12:0 a.m.•25 views

SA-CONTRIB-2013-026 - Best Responsive Theme - Cross Site Scripting (XSS)

Best Responsive theme is a light weight Drupal 7 theme with a modern look and feel. The theme doesn't properly sanitize user-entered content in the social icon leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.7AI score0.01089EPSS
Exploits0References10
Drupal
Drupal
•added 2013/01/16 12:0 a.m.•25 views

SA-CONTRIB-2013-005 - Mark Complete Module - Cross Site Request Forgery (CSRF)

This module enables you to update a date field on a node via an AJAX link on the node view page. The module doesn't sufficiently guard against Cross Site Request Forgery CSRF. CVE identifiers issued CVE-2013-0207 Versions affected Mark Complete 7.x-1.x versions prior to 7.x-1.1. Drupal core is no...

6.8CVSS6.4AI score0.00643EPSS
Exploits0References10
Drupal
Drupal
•added 2012/11/28 12:0 a.m.•25 views

SA-CONTRIB-2012-170 - MultiLink - Access Bypass

MultiLink allows you to generate in-content links to a suitable node or node translation based on the visitor's language preferences. It allows the Node Title of the target node to be shown as the visible text and title attribute for the generated link. Prior to versions 6.x-2.7 and 7.x-2.7 the...

3.5CVSS6.3AI score0.00962EPSS
Exploits0References11
Drupal
Drupal
•added 2012/07/11 12:0 a.m.•25 views

SA-CONTRIB-2012-110 - Colorbox Node - Cross Site Scripting (XSS)

Colorbox Node gives the user the ability to display ANY page inside a colorbox modal without the header and footer. The module accepts some settings from URL parameters and didn't sufficiently validate them before printing them to the browser, allowing malicious users to inject script code into t...

4.3CVSS6.5AI score0.01161EPSS
Exploits0References10
Drupal
Drupal
•added 2012/04/25 12:0 a.m.•25 views

SA-CONTRIB-2012-063 - RealName - Cross Site Scripting (XSS)

CVE: CVE-2012-2298 This module allows you to set a pattern for constructing "Real names" for users out of profile fields. The module does not sufficiently escape users' real names under certain circumstances which could lead to a Cross-Site Scripting XSS attack. Versions affected RealName 6.x-1.x...

4.3CVSS5.5AI score0.02443EPSS
Exploits1References11
Drupal
Drupal
•added 2012/03/28 12:0 a.m.•25 views

SA-CONTRIB-2012-051 - Activity - Multiple Vulnerablities

The XSS issue is: CVE: CVE-2012-2078 The CSRF issue is: CVE: CVE-2012-2079 The Activity module keeps track of the things people do on your site and provides mini-feeds of these activities in blocks, in a specialized table, and via RSS. The module is extensible so that any other module can integra...

8.8CVSS6.2AI score0.00528EPSS
Exploits0References11
Drupal
Drupal
•added 2026/05/27 12:0 a.m.•24 views

Drupal AlternativeCommerce (Basket) - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2026-038

The Basket module enables e-commerce and checkout functionality for Drupal sites. The module does not sufficiently sanitize user-supplied data before passing it to PHP's unserialize. An attacker can supply a crafted payload and trigger PHP Object Injection. If a viable gadget chain exists in the...

6AI score0.00161EPSS
Exploits0References1
Drupal
Drupal
•added 2025/07/16 12:0 a.m.•24 views

Block Attributes - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-090

This module allows you to define custom attributes for a block. You can specify an attribute name to be added to the block in a predefined format. The module does not sufficiently validate the provided attributes, which makes it possible to insert JavaScript event attributes such as onmouseover,...

6.1CVSS6.1AI score0.00223EPSS
Exploits0References3
Drupal
Drupal
•added 2025/07/09 12:0 a.m.•24 views

Cookies Addons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-087

This module provides a format filter, which allows you to "disable" iframes e.g. remove their src attribute specified by the user. These elements will be enabled again, once the Cookies banner is accepted. The module doesn't sufficiently filter user-supplied content when their value might contain...

6.1CVSS5.8AI score0.00227EPSS
Exploits0References1
Drupal
Drupal
•added 2025/07/02 12:0 a.m.•24 views

Config Pages Viewer - Critical - Access bypass - SA-CONTRIB-2025-086

This module enables you to use configpages as a content entity. The module doesn't check permission or entity access before rendering configpages content...

5.3CVSS6.3AI score0.00265EPSS
Exploits0References2
Drupal
Drupal
•added 2025/06/25 12:0 a.m.•24 views

Toc.js - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-077

This module enables you to generate Table of content of your pages given a configuration. The module doesn't sufficiently sanitise data attributes allowing persistent Cross-site Scripting XSS attacks. This vulnerability is mitigated by the fact that an attacker must have a role with permission to...

6.1CVSS5.4AI score0.00186EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/14 12:0 a.m.•24 views

Piwik PRO - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-058

This module enables you to add the Piwik Pro web statistics tracking system to your website. The module does not check the JS code that is loaded on the website. So a user with the "Administer Piwik Pro" permission could configure the module to load JS from a malicious website. This vulnerability...

4.8CVSS6.7AI score0.00189EPSS
Exploits0References2
Drupal
Drupal
•added 2025/04/23 12:0 a.m.•24 views

UEditor - 百度编辑器 - Critical - Unsupported - SA-CONTRIB-2025-044

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

7.3CVSS6.5AI score0.00318EPSS
Exploits0References2
Drupal
Drupal
•added 2024/05/29 12:0 a.m.•24 views

Migrate queue importer - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-024

The Migrate queue importer module enables you to create cron migrationsconfiguration entities with a reference towards migration entities in order to import them during cron runs. The module doesn't sufficiently protect against Cross Site Request Forgery under specific scenarios allowing an...

8.8CVSS7AI score0.00193EPSS
Exploits0References7
Drupal
Drupal
•added 2024/03/06 12:0 a.m.•24 views

Registration role - Critical - Access bypass - SA-CONTRIB-2024-015

The Registration role module lets an administrator select a role or multiple roles to automatically assign to new users. The selected role or roles will be assigned to new registrants. The module has a logic error when handling sites that upgraded code and did not run the Drupal update process e....

8.8CVSS7.2AI score0.00355EPSS
Exploits0References8
Drupal
Drupal
•added 2024/02/14 12:0 a.m.•24 views

CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009

The CKEditor 4 LTS - WYSIWYG HTML editor module uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that on certain configurations may impact the Drupal module that bundles and integrates this code. The vulnerability is mitigated by the fact it requires: full-pa...

6.1CVSS6.2AI score0.00706EPSS
Exploits0References12
Drupal
Drupal
•added 2023/11/08 12:0 a.m.•24 views

GraphQL - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2023-051

The GraphQL module enables you to build GraphQL APIs which can include data fetching through Queries and data updates create, update, delete through mutations. The module does not sufficiently validate incoming requests that are made from domains other than the one serving the GraphQL endpoint. I...

7AI score
Exploits0References8
Drupal
Drupal
•added 2020/04/08 12:0 a.m.•24 views

Spamicide - Critical - Access bypass - SA-CONTRIB-2020-009

The Spamicide module protects Drupal forms with a form field that is hidden from normal users, but visible to spam bots. The module doesn't require appropriate permissions for administrative pages leading to an Access Bypass...

6.6AI score
Exploits0References6
Drupal
Drupal
•added 2020/03/18 12:0 a.m.•24 views

CKEditor 4 - WYSIWYG HTML editor - Moderately critical - Cross site scripting - SA-CONTRIB-2020-007

The CKEditor module and its predecessor, FCKeditor module allows Drupal to replace textarea fields with CKEditor 3.x/4.x FCKeditor 2.x in case of FCKeditor module - a visual HTML editor, sometimes called WYSIWYG editor. Due to the usage of the JavaScript eval function on non-filtered data in admi...

6.1AI score
Exploits0References6
Drupal
Drupal
•added 2019/12/18 12:0 a.m.•24 views

Drupal core - Moderately critical - Access bypass - SA-CORE-2019-011

The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations...

6.8AI score
Exploits0References14
Drupal
Drupal
•added 2018/02/21 12:0 a.m.•24 views

CKEditor Upload Image - Critical - Access bypass - SA-CONTRIB-2018-014

This module enables you to drag and drop or paste images into CKEditor. The module does not sufficiently verify users permissions, which leads to anonymous users being able to upload files to the server...

6.8AI score
Exploits0References5
Drupal
Drupal
•added 2017/10/11 12:0 a.m.•24 views

netFORUM Authentication - Moderately critical - Access Bypass - SA-CONTRIB-2017-077

The netFORUM Authentication module implements external authentication for users against netFORUM. The module does not correctly use flood control making it susceptible to brute force attacks...

6.9AI score
Exploits0References3
Drupal
Drupal
•added 2017/03/08 12:0 a.m.•24 views

PRLP - Critical - Access Bypass and Privilege Escalation - SA-CONTRIB-2017-030

This module adds a form on the password-reset-landing page to allow changing the password of the user during the log in process. The module does not sufficiently validate all access tokens, which allows an attacker to change the password of any arbitrary user and gain access to their account. In...

7.5AI score
Exploits0References12
Drupal
Drupal
•added 2016/10/12 12:0 a.m.•24 views

Elysia Cron - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-052

This module enables you to manage cron jobs. The module doesn't sufficiently sanitize the cron rules which are entered into "Predefined rules" field thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

6.6AI score
Exploits0References13
Drupal
Drupal
•added 2015/09/02 12:0 a.m.•24 views

Mass Contact - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-144

This module allows anyone with permission to send a single message to multiple users of a site, using the site's roles and/or taxonomy functionality. The module doesn't sufficiently sanitize the category labels when they are displayed. This vulnerability is mitigated by the fact that an attacker...

2.1CVSS6.3AI score0.00949EPSS
Exploits0References10
Drupal
Drupal
•added 2015/06/24 12:0 a.m.•24 views

HybridAuth Social Login - Less Critical - Access bypass - SA-CONTRIB-2015-127

The HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter. The module allows account creation through social login when the configuration is set to allow user registration by...

5CVSS6.1AI score0.02112EPSS
Exploits0References10
Drupal
Drupal
•added 2015/06/17 12:0 a.m.•24 views

Administration Views - Moderately Critical - Access Bypass - SA-CONTRIB-2015-122

This module replaces administrative overview/listing pages with Views for improved usability. When combined with other contributed or custom modules, the Administration Views module improperly grants users access to administration pages including the permissions page. This vulnerability is...

6CVSS6.3AI score0.00911EPSS
Exploits0References11
Drupal
Drupal
•added 2015/06/03 12:0 a.m.•24 views

Novalnet Payment Module Drupal Commerce - Critical - SQL Injection - Unsupported - SA-CONTRIB-2015-117

This module enables you add the Novalnet payment service provider to Drupal Commerce. The module fails to sanitize a database query by not using the database API properly, thereby leading to a SQL Injection vulnerability. Since the affected path is not protected against CSRF, a malicious user can...

7.5CVSS7.3AI score0.0196EPSS
Exploits0References8
Drupal
Drupal
•added 2015/04/01 12:0 a.m.•24 views

User Import - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-093

This module enables the import of users into Drupal, or the update of existing users, with data from a CSV file comma separated file. Some management URLs were not properly protected. A malicious user could trick an administrator into continuing or deleting an ongoing import by getting them to...

6.8CVSS6.6AI score0.00656EPSS
Exploits0References9
Drupal
Drupal
•added 2015/03/25 12:0 a.m.•24 views

Webform Multiple File Upload - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-083

Webform Multiple File Upload module enables you to upload multiple files at once in webforms. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with edit access to webforms to delete files by getting their browser to make a request to a...

6.8CVSS6.4AI score0.0074EPSS
Exploits0References9
Drupal
Drupal
•added 2015/03/11 12:0 a.m.•24 views

SA-CONTRIB-2015-074 - Site Documentation - Cross Site Scripting (XSS)

Site Documentation module enables you to display detailed configuration information. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user with...

3.5CVSS6AI score0.00965EPSS
Exploits0References10
Drupal
Drupal
•added 2015/03/04 12:0 a.m.•24 views

SA-CONTRIB-2015-071 - Simple Subscription - Cross Site Scripting (XSS)

This module enables you to add a block to allow visitors to subscribe to a site's newsletter. The module failed to sanitize some block content, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...

3.5CVSS5.6AI score0.00965EPSS
Exploits0References11
Drupal
Drupal
•added 2015/02/25 12:0 a.m.•24 views

SA-CONTRIB-2015-057 - Spider Contacts - Multiple vulnerabilities - Unsupported

Spider Contacts module provides a user-friendly way to manage and display contacts. The module doesn't use Drupal's Database API properly, not sanitizing user input on SQL queries and thereby exposing a SQL Injection vulnerability. This vulnerability is mitigated by the fact that the attacker mus...

6CVSS6.1AI score0.00986EPSS
Exploits0References8
Drupal
Drupal
•added 2015/01/14 12:0 a.m.•24 views

SA-CONTRIB-2015-015 - Term Merge - Cross Site Scripting (XSS)

This module enables you to merge synonymous taxonomy terms among themselves. The module doesn't sufficiently filter user input under certain conditions, thereby opening a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must be able to create...

3.5CVSS5.6AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
•added 2015/01/07 12:0 a.m.•24 views

SA-CONTRIB-2015-001 - OPAC - Cross Site Request Forgery (CSRF)

OPAC module enables you to create mappings between node fields and ILS record fields. The module doesn't ask for confirmation when removing a mapping, leaving this operation vulnerable to cross-site request forgery CSRF attacks. CVE identifiers issued CVE-2015-3343 Versions affected OPAC 7.x-2.x...

6.8CVSS6.5AI score0.00656EPSS
Exploits0References9
Drupal
Drupal
•added 2014/04/30 12:0 a.m.•24 views

SA-CONTRIB-2014-047 - Zen - Cross Site Scripting

The Zen theme is a powerful, yet simple, HTML5 starting theme with a responsive, mobile-first grid design. The theme does not properly sanitize theme settings before they are used in the output of a page. Themes that have copied code from Zen's template.php may suffer from this same issue. If you...

3.5CVSS5.8AI score0.00946EPSS
Exploits0References10
Drupal
Drupal
•added 2014/03/05 12:0 a.m.•24 views

SA-CONTRIB-2014-029 - Mime Mail - Access Bypass

The MIME Mail module allows to send MIME-encoded e-mail messages with embedded images and attachments. By default the module only allows files to be embedded or attached that are located in the public files directory. The module doesn't sufficiently check the file location, considering similar...

7.3AI score
Exploits0References11
Drupal
Drupal
•added 2013/11/06 12:0 a.m.•24 views

SA-CONTRIB-2013-089 - Node Access Keys - Access Bypass

Node Access Keys helps to grant users temporary view permissions to selected content types on a per user role basis. However, it only implements hooknodeaccess and not hookqueryalter, which means any listing of nodes does not respect the node view access. CVE identifiers issued CVE-2013-4596...

5.8CVSS6.4AI score0.01218EPSS
Exploits0References9
Drupal
Drupal
•added 2013/10/30 12:0 a.m.•24 views

SA-CONTRIB-2013-085 - Feed Element Mapper - Cross Site Scripting

Feed Element Mapper is an add-on module for FeedAPI that maps elements on a feed item such as tags or the author name to taxonomy or CCK fields. The module doesn't sufficiently filter text when displaying options to users. This vulnerability is mitigated by the fact that an attacker must have a...

2.1CVSS6.4AI score0.00729EPSS
Exploits0References8
Drupal
Drupal
•added 2013/07/31 12:0 a.m.•24 views

SA-CONTRIB-2013-061 - Flippy - Access Bypass

This module enables you to generate previous/next links for content types. The module doesn't sufficiently enforce node access when generating previous/next links. A user may be presented with a link including alias if one is set but will not be able to view the node content. This vulnerability i...

6.5CVSS6.2AI score0.01451EPSS
Exploits0References10
Drupal
Drupal
•added 2013/04/17 12:0 a.m.•24 views

SA-CONTRIB-2013-043 - MP3 Player - Cross Site Scripting (XSS)

This module enables you to easily enable a Flash MP3 Player on a CCK FileField. The module doesn't sufficiently filter user-supplied text from mp3 filenames. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create a node with an mp3 filefield wi...

2.1CVSS6.4AI score0.00931EPSS
Exploits0References8
Drupal
Drupal
•added 2013/02/27 12:0 a.m.•24 views

SA-CONTRIB-2013-028 - Responsive Blog Theme - Cross Site Scripting (XSS)

Responsive Blog Theme is a light weight Drupal 7 theme with a modern look and feel. The theme doesn't properly sanitize user-entered content in the social icon leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.7AI score0.01064EPSS
Exploits0References10
Drupal
Drupal
•added 2013/02/20 12:0 a.m.•24 views

SA-CONTRIB-2013-023 - Varnish module - Cross Site Scripting (XSS)

This module provides integration between your Drupal site and the Varnish HTTP Accelerator, an advanced and very fast reverse-proxy system. The module doesn't sufficiently filter user-supplied text provided in the configuration settings. This vulnerability is mitigated by the fact that an attacke...

4.3CVSS6.2AI score0.01284EPSS
Exploits0References13
Drupal
Drupal
•added 2012/11/14 12:0 a.m.•24 views

SA-CONTRIB-2012-164 - Smiley module and Smileys module - Cross Site Scripting (XSS)

These modules enable you to substitutes text emoticons, like :-, with images. These modules don't sufficiently sanitize user defined smiley acronyms before displaying smiley images. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...

4.8CVSS5.1AI score0.00963EPSS
Exploits0References10
Drupal
Drupal
•added 2012/11/14 12:0 a.m.•24 views

SA-CONTRIB-2012-162 - RESTful Web Services - Cross site request forgery (CSRF)

This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module doesn't sufficiently verify POST requests thereby exposing a Cross Site Request Forgery vulnerability. This vulnerability is...

6.8CVSS6.2AI score0.00643EPSS
Exploits0References8
Drupal
Drupal
•added 2012/10/31 12:0 a.m.•24 views

SA-CONTRIB-2012-159 - Password policy - Information leakage of hashed passwords

This module provides a way to specify a certain level of password complexity aka. "password hardening" for user passwords on a system by defining a password policy. The Password policy module allows administrators to request users to enter a new password that does not match any of the previous X...

5CVSS6.3AI score0.01369EPSS
Exploits0References11
Drupal
Drupal
•added 2012/09/19 12:0 a.m.•24 views

SA-CONTRIB-2012-146 - Simplenews Scheduler - Arbitrary code execution

The Simplenews Scheduler module provides a system for creating automatic email newsletters. These can be set to be sent at a fixed interval, or PHP code can be entered to evaluate a condition for a new newsletter issue to be sent. The module allows a user with the 'send scheduled newsletters'...

6CVSS6.5AI score0.01055EPSS
Exploits0References9
Total number of security vulnerabilities1940