REST Views - Moderately critical - Information Disclosure - SA-CONTRIB-2024-018
The Rest views module lets site admins create rest exports in views with additional options for serializing data. This module does not accurately check access and may expose paths to unpublished content. This vulnerability is mitigated by the fact that there must be a specific content structure t...
Registration role - Critical - Access bypass - SA-CONTRIB-2024-015
The Registration role module lets an administrator select a role or multiple roles to automatically assign to new users. The selected role or roles will be assigned to new registrants. The module has a logic error when handling sites that upgraded code and did not run the Drupal update process e....
Private content - Moderately critical - Access bypass - SA-CONTRIB-2024-012
This module gives each node a 'private' checkbox. If it's set, the node can only be seen by the node author, or users with the 'access private content' permission. The module incorrectly grants access to private nodes under certain specific circumstances. This vulnerability is mitigated by the fa...
Typogrify - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-002
The Typogrify module brings the typographic refinements of Typogrify to Drupal. It provides a text filter and a Twig filter. The typogrify Twig filter can be used to bypass the Twig auto-escape feature, leading to a persistent Cross Site Scripting XSS vulnerability. This vulnerability is mitigate...
Data Visualisation Framework - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-055
This module allows you to turn various data sources (e.g. CSV or JSON files) into interactive visualisations. The DVF module provides a field storage, widget & formatter that can be added to any entity. This module uses two third-party JS libraries with low- to medium-severity vulnerabilities. One of the...
Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053
This module enables you to accept payments from the Elavon payment provider. The module doesn't sufficiently verify that it's communicating with the correct server when using the Elavon On-site payment gateway, which could lead to leaking valid payment details as well as accepting invalid payment...
Opigno Learning path - Less critical - UI redressing (clickjacking) - SA-CONTRIB-2021-018
This project is related to the Opigno LMS distribution. It implements the learning path, which flexibly combines the different steps of a training in Opigno LMS. The module does not set X-Frame-Options and blocks the ability of other modules (e.g. Security Kit) to add them, leaving it...
Aegir HTTPS - Moderately critical - Access bypass - SA-CONTRIB-2019-003
Aegir is a Web hosting control panel program that provides a Drupal-based graphical interface designed to simplify deploying, managing and upgrading an entire network of Drupal, Wordpress and CiviCRM Web sites. The Hosting HTTPS module is a commonly used piece of the Aegir platform. This module...
TFA Basic plugins - Less critical - Insecure Randomness - SA-CONTRIB-2018-044
The TFA Basic module enables you to use Two Factor Authentication via a variety of plugins including TOTP and one-time codes delivered via email or SMS. The module doesn't use a strong source of randomness, creating weak and predictable one-time login codes that are then delivered using SMS. This...
Configuration Update Manager - Moderately critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-091
The Configuration Update Reports sub-module in the Configuration Update module project enables you to run reports to see what configuration on your site differs from the configuration distributed by a module, theme, or installation profile, and to revert, delete, or import configuration. This...
Elysia Cron - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-052
This module enables you to manage cron jobs. The module doesn't sufficiently sanitize the cron rules entered into the "Predefined rules" field, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...
HybridAuth Social Login - Less Critical - Access bypass - SA-CONTRIB-2015-127
The HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter. The module allows account creation through social login when the configuration is set to allow user registration by...
Administration Views - Moderately Critical - Access Bypass - SA-CONTRIB-2015-122
This module replaces administrative overview/listing pages with Views for improved usability. When combined with other contributed or custom modules, the Administration Views module improperly grants users access to administration pages including the permissions page. This vulnerability is...
Shipwire - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-111
The Shipwire API module handles communication with the Shipwire shipping service. The Shipwire module doesn't check the view permission for the shipments overview page (admin/shipwire/shipments) when installed. Limited non-public information is displayed on the page. CVE identifiers issued CVE-2015-549...
Camtasia Relay - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-100
This module enables you to integrate your Drupal site with TechSmith Relay software. The module doesn't sufficiently sanitize user input under the meta access tab. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "view meta information". CVE...
CiviCRM private report - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-094
CiviCRM private report module enables users to create their own private copies of CiviCRM reports, which they can modify and save to meet their needs without requiring the "Administer reports" permission. The module doesn't sufficiently protect some links against CSRF. A malicious user can cause...
User Import - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-093
This module enables the import of users into Drupal, or the update of existing users, with data from a CSV (comma separated) file. Some management URLs were not properly protected. A malicious user could trick an administrator into continuing or deleting an ongoing import by getting them to...
Invoice - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2015-085
Invoice module allows you to create invoices in Drupal. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. Additionally, some URLs were not protected against CSRF. A malicious user can cause another user to create,...
SA-CONTRIB-2015-057 - Spider Contacts - Multiple vulnerabilities - Unsupported
Spider Contacts module provides a user-friendly way to manage and display contacts. The module doesn't use Drupal's Database API properly, not sanitizing user input on SQL queries and thereby exposing a SQL Injection vulnerability. This vulnerability is mitigated by the fact that the attacker mus...
SA-CONTRIB-2015-048 - Avatar Uploader - Arbitrary PHP code execution
Avatar Uploader module provides an alternative way to upload user pictures. The module doesn't sufficiently enforce file extensions when an avatar is uploaded, allowing users to bypass Drupal's normal file upload protections to install malicious HTML or executable code to the server. This...
SA-CONTRIB-2015-024 - Alfresco - Cross Site Request Forgery (CSRF)
The Alfresco module provides integration between Drupal and Alfresco via Content Management Web Services SOAP and Repository RESTful API. The Alfresco Browser submodule provides an AJAX-based repository browser that allows users to visualize, upload, search and retrieve nodes from the Alfresco...
SA-CONTRIB-2015-029 - Corner - Cross Site Request Forgery (CSRF) - Unsupported
This module enables you to add configurable corners to your site. A malicious user can cause an administrator to enable and disable corners by getting the administrator's browser to make a request to a specially-crafted URL while the administrator is logged in. CVE identifiers issued CVE-2015-337...
SA-CONTRIB-2015-020 - Contact Form Fields - Cross Site Request Forgery (CSRF)
The Contact Form Fields module enables you to create additional fields for the site-wide contact form. Some links were not properly protected from CSRF. A malicious user could cause an administrator to delete fields by getting the administrator's browser to make a request to a specially-crafted URL...
SA-CONTRIB-2015-019 - Ubercart Currency Conversion - Open Redirect
This module enables users to change the currency of Ubercart products. When switching the currency, the user is redirected to a page specified in the destination query parameter. The module was not checking that the passed argument was an internal URL, thereby leading to an open redirect...
SA-CONTRIB-2015-022 - nodeauthor - Cross Site Scripting (XSS) - Unsupported
This module displays node author information in a jQuery slider. The module doesn't sufficiently sanitize Profile2 fields in a provided block. This vulnerability is mitigated by the fact that an attacker must have a user account allowed to edit profile fields. CVE identifiers issued CVE-2015-3365...
SA-CONTRIB-2015-012 - Jammer - Cross Site Request Forgery (CSRF)
This module enables you to hide or remove items from displaying including the node and comment preview buttons, node delete button, revision log textarea, workflow form on the workflow tab, and feed icon. The report administration links are not properly protected from CSRF. A malicious user could...
SA-CONTRIB-2015-001 - OPAC - Cross Site Request Forgery (CSRF)
OPAC module enables you to create mappings between node fields and ILS record fields. The module doesn't ask for confirmation when removing a mapping, leaving this operation vulnerable to cross-site request forgery CSRF attacks. CVE identifiers issued CVE-2015-3343 Versions affected OPAC 7.x-2.x...
SA-CONTRIB-2014-114 - Tournament - Cross Site Scripting
This project allows you to create various types of tournaments as nodes and associated teams, tournaments, and matches. There are several cases in the project where an account username, node title, and team entity title are not correctly filtered before being displayed to a user. It is possible t...
SA-CONTRIB-2014-075 - Biblio Autocomplete - SQL injection and Access Bypass
This module provides functionality for AJAX based auto-completion of fields in the Biblio node type provided by the Biblio module using previously entered values and third party services. The submodule "Biblio self autocomplete" for previously entered values doesn't sufficiently sanitize user inp...
SA-CONTRIB-2014-072 - Freelinking, Freelinking Case Tracker - Access bypass
The freelinking and freelinking case tracker modules implement a filter for the easier creation of HTML links to other pages in the site or external sites with a wiki style format such as pluginname:identifier. The module doesn't sufficiently check access to content when displaying links to nodes...
SA-CONTRIB-2014-034 - Custom Search - Cross Site Scripting
The Custom Search module alters the default search box to provide additional search filtering options and control. Custom Search contains a persistent cross-site scripting XSS vulnerability due to the fact that it fails to sanitize filter labels before display. This vulnerability is mitigated by...
SA-CONTRIB-2014-023 - Project Issue File Review - XSS
The Project Issue File Review PIFR module provides an abstracted client-server model and plugin API for performing distributed operations such as code review and testing, with a focus on supporting Drupal development. Two scenarios were identified where the module does not sufficiently sanitize...
SA-CONTRIB-2013-094 - EU Cookie Compliance - Cross Site Scripting (XSS)
This module enables you to display notifications so that visitors can give their consent to your website setting cookies. The module doesn't sufficiently filter and validate configuration values entered by administrators. This vulnerability is mitigated by the fact that an attacker must have a...
SA-CONTRIB-2013-091 - Groups, Communities and Co (GCC) - Access Bypass
This module enables you to manage groups and assign content and users to groups. The module doesn't sufficiently check permissions to some of the configuration pages allowing unprivileged users to access the roles and permissions pages of the GCC module. CVE identifiers issued CVE-2013-4598...
SA-CONTRIB-2013-084 - FileField Sources - Access Bypass
This module expands on the FileField module by allowing you to select new or existing files through additional means, such as re-using files with an auto-complete textfield, attaching server-side files uploaded via FTP, transferring files from a remote server, pasting a file directly from th...
SA-CONTRIB-2013-078 - Quick Tabs - Access Bypass
The Quick Tabs module allows you to create blocks of tabbed content, specifically views, blocks, nodes and other quicktabs. You can create a block on your site containing multiple tabs with corresponding content. The module does not sufficiently check block permissions before rendering a Quick Ta...
SA-CONTRIB-2013-045 - Autocomplete Widgets for Text and Number Fields (autocomplete_widgets) - Access bypass
Autocomplete Widgets module adds autocomplete widgets for Text and Number fields. The autocomplete callback implemented by this module does not honor node permissions to access existing fields, allowing users to see field values even though they are not authorized to access that information. This...
SA-CONTRIB-2013-032 - Company theme - Cross Site Scripting (XSS)
This third-party contributed theme changes Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...
SA-CONTRIB-2012-174 - Context - Information Disclosure
Context has functionality that renders block content for use with its inline editor. When these requests are made the context module does not sufficiently ensure that users have access to the block. A malicious user could send a specially crafted request and get access to block content they shoul...
SA-CONTRIB-2012-159 - Password policy - Information leakage of hashed passwords
This module provides a way to specify a certain level of password complexity (a.k.a. "password hardening") for user passwords on a system by defining a password policy. The Password policy module allows administrators to request users to enter a new password that does not match any of the previous X...
SA-CONTRIB-2012-104 - Privatemsg - Cross Site Scripting (XSS)
The Privatemsg module allows users to send private messages to each other. The module doesn't sufficiently sanitize user names when creating messages. This vulnerability is mitigated by the fact that it is not possible to create insecure user names through the default user interface. The...
SA-CONTRIB-2012-101 - Protected Node - Access Bypass
The Protected Node module enables users to use a password to restrict access to an individual node or all nodes of a node type. The module doesn't sufficiently protect node access when nodes are accessed outside of the standard node view i.e. node/1 is protected but other lists are not. CVE:...
SA-CONTRIB-2012-087 - Comment Moderation - Cross Site Request Forgery
This module enables you to moderate comments in an accelerated way, by providing a complete interface and all useful actions on a single page. The module doesn't sufficiently protect the publish link URL, thus a Cross Site Request Forgery CSRF attack against an administrator could result in...
SA-CONTRIB-2012-074 - Contact Forms - Access Bypass
CVE: CVE-2012-2340 This module expands the features of the site wide contact form. It eliminates the drop down category menu by generating a clean looking contact form without a drop down menu with a unique path for each of the contact form categories. The module allowed users to edit the Contact...
SA-CONTRIB-2012-067 - Linkit - Access bypass
CVE: CVE-2012-2304 Linkit provides an easy interface for internal and external linking. Linkit links to nodes, users, managed files and terms, and has basic support for all entities by default, using an autocomplete field. When searching for entities, no access restrictions were added and users may s...
SA-CONTRIB-2012-060 - Commerce Reorder - Cross Site Request Forgery
CVE: CVE-2012-2116 The Commerce Reorder module enables you to reorder previously purchased products for Drupal Commerce. The module does not sufficiently protect the re-order URL against Cross Site Request Forgery CSRF, allowing a malicious user to trick someone into adding unwanted items to thei...
SA-CONTRIB-2012-044 - Contact Forms - Cross Site Scripting
CVE: CVE-2012-2071 This module expands the features of the site wide contact form. It eliminates the drop down category menu by generating a clean looking contact form with a unique path, for each of the contact form categories. The module doesn't sufficiently filter user text of the page title a...
SA-CONTRIB-2012-026 - ZipCart - Access bypass
CVE: CVE-2012-1650 ZipCart enables a site to provide users with Zip archives for downloads selected by the user. Versions of ZipCart prior to 6.x-1.4 check an incorrect permission when building archives. This vulnerability is mitigated by the fact that archive file addition is only permitted if...
SA-CONTRIB-2011-026 - Secure Password Hashes (phpass) - Multiple Vulnerabilities
This module uses the PHPass hashing library to try to store users' hashed passwords securely. The module sets a fixed string for the 'pass' column in the users database table but does not replace the pass attribute of the account object used for password reset links. This leads to a vulnerability...
SA-CONTRIB-2010-005 - Own Term - Cross site scripting
The Own Term module allows users to create taxonomy terms in a designated vocabulary; when creating content, this term is automatically added to the node. The module does not sanitize the term description on a term listing page, which opens a cross-site scripting XSS attack. Users with a role...