SA-CONTRIB-2015-039 - Views - Multiple vulnerabilities
The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. Open redirect vulnerability: The module does not sanitize user-provided URLs when processing the page to break the lock on Views bei...
SA-CONTRIB-2015-037 - Path Breadcrumbs - Access Bypass
This module enables you to configure breadcrumbs for any Drupal page. The module doesn't check node access on 403 (access denied) pages. As a result, unpublished content data can be shown to unprivileged users. This vulnerability is mitigated by the fact that it is possible to configure proper access...
SA-CONTRIB-2015-015 - Term Merge - Cross Site Scripting (XSS)
This module enables you to merge synonymous taxonomy terms among themselves. The module doesn't sufficiently filter user input under certain conditions, thereby opening a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must be able to create...
SA-CONTRIB-2015-021 - Content Analysis - Cross Site Scripting (XSS)
The Content Analysis module is an API designed to help modules that need to analyze content. The module fails to sanitize user input in log messages, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that only sites with the dblog module enabled are...
SA-CONTRIB-2014-044 - Professional Theme - Cross Site Scripting (XSS)
Professional Theme is a modern and professional Drupal theme. The theme does not sufficiently sanitize theme settings input for custom copyright information. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes". CVE identifiers issue...
SA-CONTRIB-2013-095 - Organic Groups - Access bypass
Two issues exist within entity references and permissions relating to OG, allowing users potential access bypass. Posting content into groups where a user is not a member: Organic Groups does not sufficiently check the group audience fields (e.g. the og_group_ref field) from being populated with invalid...
SA-CONTRIB-2013-089 - Node Access Keys - Access Bypass
Node Access Keys helps to grant users temporary view permissions to selected content types on a per-user-role basis. However, it only implements hook_node_access() and not hook_query_alter(), which means any listing of nodes does not respect the node view access. CVE identifiers issued CVE-2013-4596...
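The class of bug above (single-node checks enforced, listings not) comes from the split in Drupal 7 between hook_node_access(), which node_access() consults for one node, and the grants system, which core also applies to every query tagged node_access (Views, node_load_multiple(), search). The following is an added example, not Node Access Keys code, of a hypothetical module "tempview" that grants temporary per-role view access through hook_node_access_records() and hook_node_grants() so that both paths agree. The module name, the tempview_role_keys variable and its layout, and the settings form are assumptions.

```php
<?php
/**
 * @file
 * Hypothetical Drupal 7 module "tempview" (added illustration, not Node
 * Access Keys code): temporary, per-role view access to selected content
 * types, enforced for single-node views AND for listings.
 *
 * hook_node_access() is consulted only by node_access() for one node.
 * Listings are filtered by the grants system (the {node_access} table plus
 * hook_node_grants()), so a module that implements only hook_node_access()
 * leaks titles and teasers in lists. Implementing records + grants covers
 * both paths with one source of truth.
 */

define('TEMPVIEW_REALM', 'tempview_role');

/**
 * Configured keys, keyed by role ID (assumed storage, written by an admin form).
 *
 * Constructed example value:
 *   array(3 => array('types' => array('report'), 'expires' => 1700000000))
 */
function tempview_role_keys() {
  return variable_get('tempview_role_keys', array());
}

/**
 * Implements hook_node_access_records().
 *
 * Runs on node save and on node_access_rebuild(). Emits one "this role may
 * view" record per role that has a key for the node's type. Expiry is NOT
 * checked here: records are cached in {node_access}, so time-dependent
 * decisions belong in hook_node_grants() (evaluated per request).
 */
function tempview_node_access_records($node) {
  // Never grant view on unpublished content; with no records and status 0,
  // core writes no default "all" grant either, so the node stays hidden.
  if (empty($node->status)) {
    return array();
  }
  $records = array();
  foreach (tempview_role_keys() as $rid => $key) {
    if (in_array($node->type, $key['types'], TRUE)) {
      $records[] = array(
        'realm' => TEMPVIEW_REALM,
        'gid' => (int) $rid,
        'grant_view' => 1,
        'grant_update' => 0,
        'grant_delete' => 0,
        'priority' => 0,
      );
    }
  }
  return $records;
}

/**
 * Implements hook_node_grants().
 *
 * Evaluated for every access check and, via core's node_access query tag,
 * for every listing query, so both paths return the same answer. A user
 * holds a grant only while one of their roles has an unexpired key.
 */
function tempview_node_grants($account, $op) {
  if ($op !== 'view') {
    return array();
  }
  $gids = array();
  foreach (tempview_role_keys() as $rid => $key) {
    if (isset($account->roles[$rid]) && $key['expires'] > REQUEST_TIME) {
      $gids[] = (int) $rid;
    }
  }
  return $gids ? array(TEMPVIEW_REALM => $gids) : array();
}

/**
 * Implements hook_enable().
 *
 * Once a module implements hook_node_grants(), {node_access} must be rebuilt
 * or existing nodes keep their old records.
 */
function tempview_enable() {
  node_access_needs_rebuild(TRUE);
}

/**
 * Submit handler for the assumed settings form: changed keys mean changed
 * records, so flag a rebuild here too.
 */
function tempview_settings_form_submit($form, &$form_state) {
  variable_set('tempview_role_keys', $form_state['values']['tempview_role_keys']);
  node_access_needs_rebuild(TRUE);
}
```

The design point is where the time check lives: records are static per node and cached, so anything that changes without a node save (expiry, role membership) must be decided in hook_node_grants(), which runs on every request. A module that only needed to restrict custom queries of its own could instead add the node_access tag to them; a module that wants listings built by other modules to honour its rule has to be part of the grants system.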
SA-CONTRIB-2013-085 - Feed Element Mapper - Cross Site Scripting
Feed Element Mapper is an add-on module for FeedAPI that maps elements on a feed item such as tags or the author name to taxonomy or CCK fields. The module doesn't sufficiently filter text when displaying options to users. This vulnerability is mitigated by the fact that an attacker must have a...
SA-CONTRIB-2013-066 - Monster Menus - Multiple Vulnerabilities
Monster Menus enables you to create granular page permissions, and apply them to a hierarchical page structure. The mm_webform submodule enables you to assign permissions derived from Monster Menus to webform forms. The module doesn't sufficiently filter titles entered into page settings and echoe...
SA-CONTRIB-2013-061 - Flippy - Access Bypass
This module enables you to generate previous/next links for content types. The module doesn't sufficiently enforce node access when generating previous/next links: a user may be presented with a link (including the path alias, if one is set) to a node whose content they are not allowed to view. This vulnerability i...
SA-CONTRIB-2013-042 - RESTful Web Services (RESTWS) - Denial of Service
This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module interferes with Drupal's page cache and allows an attacker to poison the cache with non-HTML page responses, thereby exposing ...
SA-CONTRIB-2013-005 - Mark Complete Module - Cross Site Request Forgery (CSRF)
This module enables you to update a date field on a node via an AJAX link on the node view page. The module doesn't sufficiently guard against Cross Site Request Forgery (CSRF). CVE identifiers issued: CVE-2013-0207. Versions affected: Mark Complete 7.x-1.x versions prior to 7.x-1.1. Drupal core is no...
SA-CONTRIB-2012-054 - Chaos tool suite - Cross Site Scripting (XSS)
CVE: CVE-2012-2082. This suite is primarily a set of APIs and tools to improve the developer experience. It also contains a module called the Page Manager whose job is to manage pages. In particular it manages panel pages, but as it grows it will be able to manage far more than just Panels. The...
DRUPAL-SA-2006-026 - Drupal core - Form action attribute injection
A malicious user may entice users to visit a specially crafted URL that may result in the redirection of a Drupal form submission to a third-party site. A user visiting the user registration page via such a URL, for example, will submit all data, such as his/her e-mail address, but also possible...
SA-2006-007 - Drupal Core - Revision to DRUPAL-SA-2006-006
Recently, the Drupal security team was informed of a potential exploit that would allow untrusted code to be executed upon a successful request by a malicious user. If a dynamic script with multiple extensions such as file.php.pps or file.sh.txt is uploaded and then accessed from a web browser...
Config Pages Viewer - Critical - Access bypass - SA-CONTRIB-2025-086
This module enables you to use config_pages as a content entity. The module doesn't check permission or entity access before rendering config_pages content...
Single Content Sync - Moderately critical - Access bypass - SA-CONTRIB-2025-060
This module enables you to seamlessly migrate and deploy content across environments, eliminating manual steps. It simplifies the process by exporting content to a YML file or a ZIP archive, which can be imported into another environment effortlessly. While the export feature rightfully bypasses...
Klaro Cookie & Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-050
Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading. The module doesn't sufficiently sanitize data attributes, allowing persistent Cross Site Scripting (XSS) attacks. This vulnerability ...
UEditor - 百度编辑器 - Critical - Unsupported - SA-CONTRIB-2025-044
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
AI (Artificial Intelligence) - Critical - Remote Code Execution - SA-CONTRIB-2025-021
The AI Automators module, a submodule of AI, enables you to create different automated tasks that fill out field data using LLM outputs. The module doesn't sufficiently sanitize input before passing it to the underlying shell as part of a command for execution, allowing an attacker to run arbitrar...
Migrate queue importer - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-024
The Migrate queue importer module enables you to create cron migrations (configuration entities) with a reference towards migration entities in order to import them during cron runs. The module doesn't sufficiently protect against Cross Site Request Forgery under specific scenarios, allowing an...
Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2024-003
This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. In some cases, the module allows users to log in with an authentication plugin that an administrator has disabled. This vulnerability is mitigated by the fact that a...
Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-055
This module enables you to restrict content via taxonomy terms and related permissions. The module doesn't sufficiently restrict cached content in certain circumstances. This vulnerability is mitigated by the fact that it only occurs when multiple entity types are enabled in the module...
MAYO theme - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-164
MAYO theme enables you to change certain theme settings via the administration interface. Some theme settings aren't sufficiently sanitized. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes". CVE identifiers issued: CVE-2015-8233...
SA-CONTRIB-2015-063 - Webform - Cross Site Scripting (XSS)
Webform enables you to create surveys, personalized contact forms, contests, and the like. Cross Site Scripting related to Webform submissions: The module doesn't sufficiently escape user data presented to administrative users in the webform results table. This issue affects the 7.x-4.x branch onl...
SA-CONTRIB-2015-002 - Course - Cross Site Scripting (XSS)
Course module enables you to create e-learning courses with any number of requirements for completion. The module doesn't sufficiently filter node title displays when being used in a course. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to creat...
SA-CONTRIB-2014-074 - Storage API - Code execution prevention
Storage API is a low-level framework for managed file storage and serving. The module creates an .htaccess file in the files directory to prevent code execution, but it copied the Drupal core file and was not updated to include the improved file contents introduced with SA-CORE-2013-003. This vulnerability is...
SA-CONTRIB-2014-065 - Custom Meta - Cross Site Scripting (XSS)
The module allows you to define and manage custom meta tags. The module does not sufficiently sanitize user input before displaying the attribute and content values for meta tags on the administration page. This vulnerability is mitigated by the fact that an attacker must have access to an accoun...
SA-CONTRIB-2013-043 - MP3 Player - Cross Site Scripting (XSS)
This module enables you to easily enable a Flash MP3 Player on a CCK FileField. The module doesn't sufficiently filter user-supplied text from mp3 filenames. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create a node with an mp3 filefield wi...
SA-CONTRIB-2013-039 - Commons Wikis - Access bypass & Privilege escalation
The Drupal Commons distribution is a tool for building social, group-based collaboration communities. The Commons Wikis module is used by the distribution to provide specific wiki functionality. Versions 3.0 and earlier of the Commons Wikis module are vulnerable to an access bypass and privilege...
SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)
The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. The module incorrectly prints some view configuration fields without proper sanitization opening a Cross-Site Scripting...
SA-CONTRIB-2013-026 - Best Responsive Theme - Cross Site Scripting (XSS)
Best Responsive theme is a lightweight Drupal 7 theme with a modern look and feel. The theme doesn't properly sanitize user-entered content in the social icon, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...
SA-CONTRIB-2013-023 - Varnish module - Cross Site Scripting (XSS)
This module provides integration between your Drupal site and the Varnish HTTP Accelerator, an advanced and very fast reverse-proxy system. The module doesn't sufficiently filter user-supplied text provided in the configuration settings. This vulnerability is mitigated by the fact that an attacke...
SA-CONTRIB-2012-170 - MultiLink - Access Bypass
MultiLink allows you to generate in-content links to a suitable node or node translation based on the visitor's language preferences. It allows the Node Title of the target node to be shown as the visible text and title attribute for the generated link. Prior to versions 6.x-2.7 and 7.x-2.7 the...
SA-CONTRIB-2012-162 - RESTful Web Services - Cross site request forgery (CSRF)
This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module doesn't sufficiently verify POST requests thereby exposing a Cross Site Request Forgery vulnerability. This vulnerability is...
SA-CONTRIB-2012-164 - Smiley module and Smileys module - Cross Site Scripting (XSS)
These modules enable you to substitute text emoticons, like :-), with images. These modules don't sufficiently sanitize user-defined smiley acronyms before displaying smiley images. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...
SA-CONTRIB-2012-158 - MailChimp - Cross Site Scripting (XSS)
This module provides integration with the MailChimp email delivery service. There are two issues with the webhook processing, which is exposed as an API in mailchimp.module and used by mailchimp_lists.module to update subscriber information. The webhook URL key can be trivially calculated. Webhook...
SA-CONTRIB-2012-136 - Apache Solr Search Autocomplete - Cross Site Scripting (XSS)
Apache Solr Search Autocomplete module enables you to add autocomplete capabilities to the search text field for the Apache Solr Search Integration module. The module doesn't sufficiently filter the autocomplete results sent back from the Drupal site, so under the scenario where someone provided ...
SA-CONTRIB-2012-078 - Smart Breadcrumb - Cross Site Scripting (XSS)
CVE: CVE-2012-2705. The function filter_titles incorrectly attempts to set a title to plain text, but does not properly filter user-supplied text. This vulnerability is mitigated by the fact that an attacker must have the permission to create or edit a node to exploit the issue. Versions affected...
SA-CONTRIB-2012-071 - Glossify - Cross Site Scripting (XSS) - Unsupported
CVE: CVE-2012-2309. This module generates internal node to node, node to taxonomy or node to external URL links (crosslinks) automatically - ideal for SEO of your site's pages and partner pages. This module does not protect against a Cross Site Scripting (XSS) attack. The vulnerability is mitigated b...
SA-CONTRIB-2012-056 - Janrain Engage - Sensitive Data Protection Vulnerability
CVE: CVE-2012-2296 Using Janrain Engage, Drupal sites can authenticate new and existing users with popular social networks, map user profile data from these websites to Drupal fields, and share Drupal content with a user's friends on their social networks. The module permanently retains the...
SA-CONTRIB-2012-051 - Activity - Multiple Vulnerabilities
XSS issue: CVE-2012-2078. CSRF issue: CVE-2012-2079. The Activity module keeps track of the things people do on your site and provides mini-feeds of these activities in blocks, in a specialized table, and via RSS. The module is extensible so that any other module can integra...
SA-CONTRIB-2012-012 - Quicktabs - Cross Site Scripting (XSS)
CVE: CVE-2012-1637 The Quick Tabs module allows users to create blocks of tabbed content, specifying a title for the block and the individual tabs. Quick Tabs does not do sufficient filtering of user supplied text which presents a cross site scripting vulnerability. This vulnerability is mitigate...
SA-CONTRIB-2012-003 - Fill PDF - Multiple vulnerabilities
CVE: CVE-2012-1625. This module enables you to populate fillable PDF templates with data from nodes and webforms. Access bypass (7.x only): Incorrectly ordered arguments in a call to the function that handles the main functionality of the module make it possible for an attacker to trigger any PDF to...
Drupal core - Cross site request forgeries
Several parts of Drupal core are not protected against cross site request forgeries due to improper use of the Forms API, or because they take action solely on GET requests. Malicious users are able to delete comments and content revisions and disable menu items by enticing a privileged user to visit...
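The two failure modes named above (a state change performed on a bare GET, and a form built without the Forms API's token) are worth seeing next to their fixes. The following is an added example, not Drupal core code, written against the Drupal 7 API: a hypothetical module "itemtoggle" with the CSRF-prone route, a confirm_form() route, and a token-protected one-click link. The module name, the "administer itemtoggle" permission and the itemtoggle_set_enabled() storage helper are assumptions.

```php
<?php
/**
 * @file
 * Hypothetical Drupal 7 module "itemtoggle" (added example, not core code):
 * the CSRF-prone GET pattern beside two safe alternatives.
 */

/**
 * Implements hook_menu().
 */
function itemtoggle_menu() {
  // BAD: a plain GET performs the state change. Any third-party page that
  // embeds <img src="https://site.example/itemtoggle/disable/7"> disables
  // item 7 in the browser of an administrator who is logged in.
  $items['itemtoggle/disable/%'] = array(
    'page callback' => 'itemtoggle_disable_unsafe',
    'page arguments' => array(2),
    'access arguments' => array('administer itemtoggle'),
    'type' => MENU_CALLBACK,
  );
  // GOOD (1): the GET only shows a confirmation form. The Forms API adds a
  // hidden form_token bound to the session, and the change happens in the
  // submit handler, which runs only after that token validates on POST.
  $items['itemtoggle/%/disable'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('itemtoggle_disable_confirm', 1),
    'access arguments' => array('administer itemtoggle'),
    'type' => MENU_CALLBACK,
  );
  // GOOD (2): keep a one-click link, but require a per-session token in it.
  $items['itemtoggle/%/disable-now'] = array(
    'page callback' => 'itemtoggle_disable_with_token',
    'page arguments' => array(1),
    'access arguments' => array('administer itemtoggle'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/** The vulnerable callback: state change on GET, nothing ties it to the user's intent. */
function itemtoggle_disable_unsafe($id) {
  itemtoggle_set_enabled($id, FALSE);
  drupal_goto('admin/itemtoggle');
}

/** Confirmation form; confirm_form() supplies the question, buttons and cancel link. */
function itemtoggle_disable_confirm($form, &$form_state, $id) {
  $form['id'] = array('#type' => 'value', '#value' => $id);
  return confirm_form($form,
    t('Are you sure you want to disable item %id?', array('%id' => $id)),
    'admin/itemtoggle', NULL, t('Disable'), t('Cancel'));
}

function itemtoggle_disable_confirm_submit($form, &$form_state) {
  itemtoggle_set_enabled($form_state['values']['id'], FALSE);
  $form_state['redirect'] = 'admin/itemtoggle';
}

/**
 * Builds the one-click link. drupal_get_token() derives the token from the
 * session ID, the site's private key and the value, so a page on another
 * origin cannot construct a valid URL for this user.
 */
function itemtoggle_disable_link($id) {
  return l(t('Disable'), "itemtoggle/$id/disable-now", array(
    'query' => array('token' => drupal_get_token("itemtoggle-disable-$id")),
  ));
}

function itemtoggle_disable_with_token($id) {
  // The value passed to drupal_valid_token() must include $id, otherwise a
  // token obtained for one item would authorise disabling any other.
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], "itemtoggle-disable-$id")) {
    return MENU_ACCESS_DENIED;
  }
  itemtoggle_set_enabled($id, FALSE);
  drupal_goto('admin/itemtoggle');
}

/** Assumed storage helper standing in for whatever the module persists. */
function itemtoggle_set_enabled($id, $enabled) {
  variable_set("itemtoggle_enabled_$id", (bool) $enabled);
}
```

The confirmation form is the right default for destructive actions (delete, disable, revert); the token-in-URL variant is for the cases where a round trip through a form is not acceptable, and its weakness is that the token ends up in referrer headers and browser history, so it should be bound to the specific action and object as shown rather than being a generic "logged in" token.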
Block Attributes - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-090
This module allows you to define custom attributes for a block. You can specify an attribute name to be added to the block in a predefined format. The module does not sufficiently validate the provided attributes, which makes it possible to insert JavaScript event attributes such as onmouseover,...
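The attribute-name problem described above is a validation gap rather than an escaping gap: once a name like onmouseover reaches the rendered element, escaping the value does not help, because the browser executes the value as script. The following is an added example, not Block Attributes code: a framework-independent PHP allowlist that validates user-supplied attribute names and values before they are handed to a renderer. The class name, the allowlist contents, the length limit and the demo input are assumptions; requires PHP 8.0+ for str_starts_with().

```php
<?php
/**
 * Allowlist validation for user-supplied HTML attribute names and values.
 * Added illustration, not Block Attributes code; the class name, allowlist
 * and demo input are assumptions.
 */
final class AttributeValidator {

  // Attributes a site builder may legitimately put on a block wrapper.
  private const ALLOWED_NAMES = ['id', 'class', 'title', 'lang', 'dir', 'role', 'tabindex', 'hidden'];
  // Namespaced attributes are allowed with any non-empty suffix.
  private const ALLOWED_PREFIXES = ['data-', 'aria-'];

  /**
   * A name is accepted only if it is a plain lowercase token AND allowlisted.
   * Checking the token grammar first means a name such as
   * 'class" onfocus="alert(1)' is rejected before any allowlist lookup, so a
   * later escaping bug in the renderer has nothing to work with.
   */
  public static function isAllowedName(string $name): bool {
    $name = strtolower(trim($name));
    if (!preg_match('/^[a-z][a-z0-9-]*$/', $name)) {
      return false;
    }
    // Event handlers (onclick, onmouseover, onerror, ...) are never acceptable.
    if (str_starts_with($name, 'on')) {
      return false;
    }
    if (in_array($name, self::ALLOWED_NAMES, true)) {
      return true;
    }
    foreach (self::ALLOWED_PREFIXES as $prefix) {
      if (str_starts_with($name, $prefix) && strlen($name) > strlen($prefix)) {
        return true;
      }
    }
    return false;
  }

  /**
   * Values are checked separately: reject control characters and oversized
   * input. Escaping on output remains the renderer's job (Drupal's Attribute
   * class does it); this only refuses what should never be stored.
   */
  public static function isAllowedValue(string $value): bool {
    return strlen($value) <= 512 && !preg_match('/[\x00-\x1F\x7F]/', $value);
  }

  /**
   * Splits a name => value map into accepted attributes and rejected names,
   * so the caller can render the former and log the latter.
   *
   * @return array{accepted: array<string,string>, rejected: string[]}
   */
  public static function filter(array $attributes): array {
    $accepted = [];
    $rejected = [];
    foreach ($attributes as $name => $value) {
      $key = strtolower(trim((string) $name));
      if (self::isAllowedName($key) && is_scalar($value) && self::isAllowedValue((string) $value)) {
        $accepted[$key] = (string) $value;
      }
      else {
        $rejected[] = (string) $name;
      }
    }
    return ['accepted' => $accepted, 'rejected' => $rejected];
  }
}

/**
 * Constructed demo input: two legitimate attributes plus three injection
 * attempts. Only 'class' and 'data-track' survive; 'onmouseover' fails the
 * event-handler rule, the quoted name fails the token grammar, and 'style'
 * is simply not on the allowlist.
 */
function attribute_validator_demo(): array {
  return AttributeValidator::filter([
    'class' => 'promo',
    'data-track' => 'hero',
    'onmouseover' => 'alert(document.cookie)',
    'class" onfocus="alert(1)' => 'x',
    'style' => 'background:url(javascript:alert(1))',
  ]);
}
```

Allowlisting names is deliberately stricter than denylisting the on* family: attributes such as style, href, src, srcdoc and formaction carry script or URL payloads of their own, and a denylist has to keep up with every one of them, whereas an allowlist only has to describe what the feature actually needs.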
File Download - Moderately critical - Access bypass - SA-CONTRIB-2025-089
The File Download module enables you to allow users to download file and image entities directly using a custom field formatter. It also provides an optional submodule to count and display file downloads in Views, similar to how the core statistics module tracks content views. The File Download module...
Cookies Addons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-087
This module provides a format filter, which allows you to "disable" iframes (e.g. remove their src attribute) specified by the user. These elements will be enabled again once the Cookies banner is accepted. The module doesn't sufficiently filter user-supplied content when their value might contain...
REST Views - Moderately critical - Information Disclosure - SA-CONTRIB-2024-018
The REST Views module lets site admins create REST exports in Views with additional options for serializing data. This module does not accurately check access and may expose paths to unpublished content. This vulnerability is mitigated by the fact that there must be a specific content structure t...
Registration role - Critical - Access bypass - SA-CONTRIB-2024-015
The Registration role module lets an administrator select a role or multiple roles to automatically assign to new users. The selected role or roles will be assigned to new registrants. The module has a logic error when handling sites that upgraded code and did not run the Drupal update process e....