Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2012/11/14 12:0 a.m.24 views

SA-CONTRIB-2012-162 - RESTful Web Services - Cross site request forgery (CSRF)

This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module doesn't sufficiently verify POST requests thereby exposing a Cross Site Request Forgery vulnerability. This vulnerability is...

6.8CVSS6.2AI score0.00643EPSS
Exploits0References8
Drupal
Drupal
added 2012/10/31 12:0 a.m.24 views

SA-CONTRIB-2012-159 - Password policy - Information leakage of hashed passwords

This module provides a way to specify a certain level of password complexity aka. "password hardening" for user passwords on a system by defining a password policy. The Password policy module allows administrators to request users to enter a new password that does not match any of the previous X...

5CVSS6.3AI score0.01369EPSS
Exploits0References11
Drupal
Drupal
added 2012/09/19 12:0 a.m.24 views

SA-CONTRIB-2012-146 - Simplenews Scheduler - Arbitrary code execution

The Simplenews Scheduler module provides a system for creating automatic email newsletters. These can be set to be sent at a fixed interval, or PHP code can be entered to evaluate a condition for a new newsletter issue to be sent. The module allows a user with the 'send scheduled newsletters'...

6CVSS6.5AI score0.01055EPSS
Exploits0References9
Drupal
Drupal
added 2012/08/29 12:0 a.m.24 views

SA-CONTRIB-2012-136 - Apache Solr Search Autocomplete - Cross Site Scripting (XSS)

Apache Solr Search Autocomplete module enables you to add autocomplete capabilities to the search text field for the Apache Solr Search Integration module. The module doesn't sufficiently filter the autocomplete results sent back from the Drupal site, so under the scenario where someone provided ...

4.3CVSS6.9AI score0.02062EPSS
Exploits0References9
Drupal
Drupal
added 2012/06/20 12:0 a.m.24 views

SA-CONTRIB-2012-104 - Privatemsg - Cross Site Scripting (XSS)

The Privatemsg module allows users to send private messages between to each other. The module doesn't sufficiently sanitize user names when creating messages. This vulnerability is mitigated by the fact that it is not possible to create insecure user names through the default user interface. The...

4.3CVSS6.3AI score0.01161EPSS
Exploits0References11
Drupal
Drupal
added 2012/06/13 12:0 a.m.24 views

SA-CONTRIB-2012-102 - Ubercart AJAX Cart - Potential Disclosure of user Session ID

This module enables you to replace the default Ubercart shopping cart block with an AJAX-enabled one. The module includes the user's current session ID in one of its JavaScript settings keys on every page load which could be intercepted if the user's connection is not over SSL. This vulnerability...

2.6CVSS6AI score0.02168EPSS
Exploits1References11
Drupal
Drupal
added 2012/04/04 12:0 a.m.24 views

SA-CONTRIB-2012-056 - Janrain Engage - Sensitive Data Protection Vulnerability

CVE: CVE-2012-2296 Using Janrain Engage, Drupal sites can authenticate new and existing users with popular social networks, map user profile data from these websites to Drupal fields, and share Drupal content with a user's friends on their social networks. The module permanently retains the...

5CVSS5.8AI score0.01563EPSS
Exploits0References10
Drupal
Drupal
added 2012/03/28 12:0 a.m.24 views

SA-CONTRIB-2012-054 - Chaos tool suite - Cross Site Scripting (XSS)

CVE: CVE-2012-2082 This suite is primarily a set of APIs and tools to improve the developer experience. It also contains a module called the Page Manager whose job is to manage pages. In particular it manages panel pages, but as it grows it will be able to manage far more than just Panels. The...

2.1CVSS6.2AI score0.01607EPSS
Exploits0References11
Drupal
Drupal
added 2012/01/18 12:0 a.m.24 views

SA-CONTRIB-2012-012 - Quicktabs - Cross Site Scripting (XSS)

CVE: CVE-2012-1637 The Quick Tabs module allows users to create blocks of tabbed content, specifying a title for the block and the individual tabs. Quick Tabs does not do sufficient filtering of user supplied text which presents a cross site scripting vulnerability. This vulnerability is mitigate...

4.8CVSS5AI score0.00528EPSS
Exploits0References13
Drupal
Drupal
added 2007/07/26 12:0 a.m.24 views

Drupal core - Cross site request forgeries

Several parts in Drupal core are not protected against cross site request forgeries due to inproper use of the Forms API, or by taking action solely on GET requests. Malicious users are able to delete comments and content revisions and disable menu items by enticing a privileged users to visit...

6.7AI score
Exploits0References4
Drupal
Drupal
added 2026/04/22 12:0 a.m.23 views

Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033

This module enables you to obfuscate email addresses in content. The module doesn't sufficiently sanitize user input via the Twig filter. This vulnerability is mitigated by the fact that it only affects sites using the ROT13 encoding and where an attacker can enter content that is filtered using...

6.1CVSS5.8AI score0.00196EPSS
Exploits0References2
Drupal
Drupal
added 2026/03/04 12:0 a.m.23 views

File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020

This module moves files to and from private storage depending on the access of its owning entities. The module does not sufficiently incorporate the results of hookfiledownload when a custom or contrib module implements that hook leading to access bypass...

5.3CVSS5.8AI score0.00187EPSS
Exploits0References2
Drupal
Drupal
added 2025/05/21 12:0 a.m.23 views

Commerce Eurobank (Redirect) - Moderately critical - Access bypass - SA-CONTRIB-2025-066

This module enables you to pay for Commerce order to an environment provided and secured by the bank The module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request to update the order status to completed...

8.8CVSS6.7AI score0.00271EPSS
Exploits0References2
Drupal
Drupal
added 2025/05/14 12:0 a.m.23 views

Single Content Sync - Moderately critical - Access bypass - SA-CONTRIB-2025-060

This module enables you to seamlessly migrate and deploy content across environments, eliminating manual steps. It simplifies the process by exporting content to a YML file or a ZIP archive, which can be imported into another environment effortlessly. While the export feature rightfully bypasses...

3.1CVSS6.6AI score0.00186EPSS
Exploits0References2
Drupal
Drupal
added 2025/05/07 12:0 a.m.23 views

Klaro Cookie & Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-050

Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading. The module doesn't sufficiently sanitize data attributes allowing persistent Cross Site Scripting XSS attacks. This vulnerability ...

6.1CVSS5.8AI score0.00195EPSS
Exploits0References1
Drupal
Drupal
added 2024/12/04 12:0 a.m.23 views

OAuth Client & OpenID Connect SSO | OAuth/OIDC Login - Critical - Cross Site Scripting - SA-CONTRIB-2024-067

This module enables you to authenticate users through an Identity Provider IdP or OAuth Server, allowing them to log in to your Drupal site. The module does not sufficiently escape query parameters sent to the callback URL when displaying error messages, particularly if the code parameter is...

6.1CVSS6.9AI score0.00242EPSS
Exploits0References9
Drupal
Drupal
added 2024/08/07 12:0 a.m.23 views

Opigno module - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-028

The Opigno module is related to Opigno LMS distribution. It implements the module entity, that is a sub-part of a training. In the opignomodule module, uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution RCE and/or Cross Site...

9.8CVSS7.4AI score0.00452EPSS
Exploits0References9
Drupal
Drupal
added 2024/02/28 12:0 a.m.23 views

Private content - Moderately critical - Access bypass - SA-CONTRIB-2024-012

This module gives each node a 'private' checkbox. If it's set, the node can only be seen by the node author, or users with the 'access private content' permission. The module incorrectly grants access to private nodes under certain specific circumstances. This vulnerability is mitigated by the fa...

5.5CVSS6.9AI score0.00186EPSS
Exploits0References6
Drupal
Drupal
added 2024/01/10 12:0 a.m.23 views

Typogrify - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-002

The Typogrify module brings the typographic refinements of Typogrify to Drupal. It provides a text filter and a Twig filter. The typogrify Twig filter can be used to bypass the Twig auto-escape feature, leading to a persistent Cross Site Scripting XSS vulnerability. This vulnerability is mitigate...

5.4CVSS6.2AI score0.00218EPSS
Exploits0References6
Drupal
Drupal
added 2023/11/29 12:0 a.m.23 views

Xsendfile - Moderately critical - Access bypass - SA-CONTRIB-2023-053

The Xsendfile module enables fast transfer for private files in Drupal. In order to control private file downloads, the module overrides ImageStyleDownloadController, for which a vulnerability was disclosed in SA-CORE-2023-005. The Xsendfile module was still based on an insecure version of...

7AI score
Exploits0References8
Drupal
Drupal
added 2023/05/31 12:0 a.m.23 views

AddToAny Share Buttons - Moderately critical - Access bypass - SA-CONTRIB-2023-018

This module provides social media share & follow buttons. The module doesn't sufficiently check access to a node when retrieving the label of an AddToAny block. This vulnerability is mitigated by the fact it requires the node ID to be passed via the route, requiring another module or specific...

6.8AI score
Exploits0References5
Drupal
Drupal
added 2022/09/07 12:0 a.m.23 views

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-055

This module enables you to restrict content via taxonomy terms and related permissions. The module doesn't sufficiently restrict cached content in certain circumstances. This vulnerability is mitigated by the fact that it only occurs when multiple entity types are enabled in the module...

6.7AI score
Exploits0References13
Drupal
Drupal
added 2017/01/04 12:0 a.m.23 views

Doubleclick for Publishers (DFP) - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-002

This module enables you to to place advertisements on your site that are served by Google's DFP Doubleclick for Publisher service. The module has multiple Cross Site Scripting XSS vulnerabilities due to not sufficiently escaped fields. The "administer DFP" permission is not marked as restricted...

6.3AI score
Exploits0References13
Drupal
Drupal
added 2015/11/11 12:0 a.m.23 views

MAYO theme - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-164

MAYO theme enables you to change certain theme settings via the administration interface. Some theme settings aren't sufficiently sanitized. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes". CVE identifiers issued CVE-2015-8233...

2.6CVSS6.4AI score0.01316EPSS
Exploits0References10
Drupal
Drupal
added 2015/04/08 12:0 a.m.23 views

CiviCRM private report - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-094

CiviCRM private report module enables users to create their own private copies of CiviCRM reports, which they can modify and save to meet their needs without requiring the "Administer reports" permission. The module doesn't sufficiently protect some links against CSRF. A malicious user can cause...

6.8CVSS6.3AI score0.00656EPSS
Exploits0References9
Drupal
Drupal
added 2015/03/25 12:0 a.m.23 views

Invoice - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2015-085

Invoice module allows you to create invoices in Drupal. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. Additionally, some URLs were not protected against CSRF. A malicious user can cause another user to create,...

6.8CVSS5.3AI score0.00966EPSS
Exploits0References10
Drupal
Drupal
added 2015/03/04 12:0 a.m.23 views

SA-CONTRIB-2015-067 - Finder - Open Redirect

Finder module allows you to create flexible faceted search forms to find entities such as nodes or users based on the values of fields and database attributes. The provided function finderformgoto is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the...

5.8CVSS6.3AI score0.01191EPSS
Exploits0References12
Drupal
Drupal
added 2015/03/04 12:0 a.m.23 views

SA-CONTRIB-2015-063 - Webform - Cross Site Scripting (XSS)

Webform enables you to create surveys, personalized contact forms, contests, and the like. Cross Site Scripting Related to Webform Submissions The module doesn't sufficiently escape user data presented to administrative users in the webform results table. This issue affects the 7.x-4.x branch onl...

3.5CVSS5.8AI score0.01091EPSS
Exploits0References12
Drupal
Drupal
added 2015/02/11 12:0 a.m.23 views

SA-CONTRIB-2015-043 - Commerce Balanced Payments - Multiple vulnerabilities

Commerce Balanced Payments module integrates Drupal Commerce with the Balanced Payments third-party service. The module doesn't sufficiently sanitize user supplied text in the Bank Account Listing Page, thereby exposing a Cross Site Scripting vulnerability. Also, some URLs were not protected...

5.8CVSS5.9AI score0.00954EPSS
Exploits0References8
Drupal
Drupal
added 2015/01/21 12:0 a.m.23 views

SA-CONTRIB-2015-029 - Corner - Cross Site Request Forgery (CSRF) - Unsupported

This module enables you to add configurable corners to your site. A malicious user can cause an administrator to enable and disable corners by getting the administrator's browser to make a request to a specially-crafted URL while the administrator is logged in. CVE identifiers issued CVE-2015-337...

5.8CVSS6.3AI score0.00649EPSS
Exploits0References8
Drupal
Drupal
added 2015/01/21 12:0 a.m.23 views

SA-CONTRIB-2015-026 - Taxonews - Cross Site Scripting (XSS)

This module enables you to create blocks of nodes carrying a given taxonomy term. The module doesn't sufficiently escape term names in the blocks it builds leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

3.5CVSS5.5AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/14 12:0 a.m.23 views

SA-CONTRIB-2015-019 - Ubercart Currency Conversion - Open Redirect

This module enables users to change the currency of Ubercart products. When switching the currency, the user is redirected to a page specified in the destination query parameter. The module was not checking that the passed argument was an internal URL, thereby leading to an open redirect...

5.8CVSS6.3AI score0.01204EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/07 12:0 a.m.23 views

SA-CONTRIB-2015-008 - Batch Jobs - Cross Site Request Forgery (CSRF)

The Batch Jobs project is a scalable way to execute a list of tasks. Links that take actions on batch jobs are not protected from Cross Site Request Forgery CSRF. A malicious individual could cause a user that has permission to access a particular batch job or an administrator to delete the recor...

6.8CVSS6.9AI score0.00656EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/07 12:0 a.m.23 views

SA-CONTRIB-2015-002 - Course - Cross Site Scripting (XSS)

Course module enables you to create e-learning courses with any number of requirements for completion. The module doesn't sufficiently filter node title displays when being used in a course. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to creat...

3.5CVSS6.3AI score0.00965EPSS
Exploits0References11
Drupal
Drupal
added 2014/06/18 12:0 a.m.23 views

SA-CONTRIB-2014-065 - Custom Meta - Cross Site Scripting (XSS)

The module allows you to define and manage custom meta tags. The module does not sufficiently sanitize user input before displaying the attribute and content values for meta tags on the administration page. This vulnerability is mitigated by the fact that an attacker must have access to an accoun...

2.1CVSS6.4AI score0.00941EPSS
Exploits0References12
Drupal
Drupal
added 2014/04/02 12:0 a.m.23 views

SA-CONTRIB-2014-034 - Custom Search - Cross Site Scripting

The Custom Search module alters the default search box to provide additional search filtering options and control. Custom Search contains a persistent cross-site scripting XSS vulnerability due to the fact that it fails to sanitize filter labels before display. This vulnerability is mitigated by...

3.5CVSS5.5AI score0.00946EPSS
Exploits0References13
Drupal
Drupal
added 2014/02/26 12:0 a.m.23 views

SA-CONTRIB-2014-023 - Project Issue File Review - XSS

The Project Issue File Review PIFR module provides an abstracted client-server model and plugin API for performing distributed operations such as code review and testing, with a focus on supporting Drupal development. Two scenarios were identified where the module does not sufficiently sanitize...

4.3CVSS6.3AI score0.01161EPSS
Exploits0References11
Drupal
Drupal
added 2013/10/30 12:0 a.m.23 views

SA-CONTRIB-2013-084 - FileField Sources - Access Bypass

This module expands on the FileField module by allowing you to select new or existing files through additional means, such as re-using files with an auto-complete textfield, attaching server-side files uploaded via FTP, transferring file files from a remote server, pasting a file directly from th...

4CVSS6.4AI score0.01094EPSS
Exploits0References10
Drupal
Drupal
added 2013/10/02 12:0 a.m.23 views

SA-CONTRIB-2013-078 - Quick Tabs - Access Bypass

The Quick Tabs module allows you to create blocks of tabbed content, specifically views, blocks, nodes and other quicktabs. You can create a block on your site containing multiple tabs with corresponding content. The module does not sufficiently check block permissions before rendering a Quick Ta...

5CVSS6.2AI score0.01513EPSS
Exploits0References13
Drupal
Drupal
added 2013/03/27 12:0 a.m.23 views

SA-CONTRIB-2013-039 - Commons Wikis - Access bypass & Privilege escalation

The Drupal Commons distribution is a tool for building social, group-based collaboration communities. The Commons Wikis module is used by the distribution to provide specific wiki functionality. Versions 3.0 and earlier of the Commons Wikis module is vulnerable to an access bypass and privilege...

5CVSS6.7AI score0.02558EPSS
Exploits0References13
Drupal
Drupal
added 2013/03/20 12:0 a.m.23 views

SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. The module incorrectly prints some view configuration fields without proper sanitization opening a Cross-Site Scripting...

2.1CVSS5.8AI score0.02046EPSS
Exploits0References12
Drupal
Drupal
added 2013/02/27 12:0 a.m.23 views

SA-CONTRIB-2013-032 - Company theme - Cross Site Scripting (XSS)

This third-party contributed theme changes Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.6AI score0.00941EPSS
Exploits0References10
Drupal
Drupal
added 2013/02/13 12:0 a.m.23 views

SA-CONTRIB-2013-015 - Manager Change for Organic Groups - Cross site scripting (XSS)

This module extends Organic Groups to allow the manager of a group to select a new manager for their group ie if they want to leave the group. The autocomplete field for selecting a new manager didn't properly filter usernames. The vulnerability is mitigated by the fact that Drupal's default...

4.3CVSS5.9AI score0.01161EPSS
Exploits0References9
Drupal
Drupal
added 2012/12/19 12:0 a.m.23 views

SA-CONTRIB-2012-174 - Context - Information Disclosure

Context has functionality that renders block content for use with its inline editor. When these requests are made the context module does not sufficiently ensure that users have access to the block. A malicious user could send a specially crafted request and get access to block content they shoul...

5CVSS5.8AI score0.01663EPSS
Exploits1References10
Drupal
Drupal
added 2012/11/07 12:0 a.m.23 views

SA-CONTRIB-2012-160 - OM Maximenu - Cross Site Scripting (XSS)

This module enables you to create custom menus with effects and integrate module blocks as it's menu item content. The module doesn't sufficiently state the risk of giving permission to create OM Maximenus. This vulnerability is mitigated by the fact that an attacker must have a role with the...

2.1CVSS6.1AI score0.00941EPSS
Exploits0References12
Drupal
Drupal
added 2012/10/24 12:0 a.m.23 views

SA-CONTRIB-2012-158 - MailChimp - Cross Site Scripting (XSS)

This module provides integration with the MailChimp email delivery service. There are two issues with the webhook processing, which is exposed as an API in mailchimp.module and used by mailchimplists.module to update subscriber information. The webhook URL key can be trivially calculated. Webhook...

4.3CVSS6.4AI score0.01161EPSS
Exploits0References9
Drupal
Drupal
added 2012/08/15 12:0 a.m.23 views

SA-CONTRIB-2012-126 - Hotblocks - Cross Site Scripting (XSS) and Denial of Service (DoS)

The Hotblocks module provides an enhanced GUI for administering blocks and block content that is intended to be simpler and more controllable for less privileged users than the default block administration tools. Cross Site Scripting XSS The module doesn't sufficiently sanitize the user input for...

5.4AI score
Exploits0References9
Drupal
Drupal
added 2012/06/13 12:0 a.m.23 views

SA-CONTRIB-2012-101 - Protected Node - Access Bypass

The Protected Node module enables users to use a password to restrict access to an individual node or all nodes of a node type. The module doesn't sufficiently protect node access when nodes are accessed outside of the standard node view i.e. node/1 is protected but other lists are not. CVE:...

7.5CVSS6.5AI score0.02641EPSS
Exploits0References10
Drupal
Drupal
added 2012/06/06 12:0 a.m.23 views

SA-CONTRIB-2012-091 - Token Authentication - Access bypass

The Token Authentication module provides a token for use in the URL to authenticate users to a site. Under certain uncommon situations, the module may not revert a user's session properly. Depending on how tokenauth is used, this could result in subsequent requests being performed as a user with...

5CVSS6.4AI score0.02422EPSS
Exploits0References9
Drupal
Drupal
added 2012/05/30 12:0 a.m.23 views

SA-CONTRIB-2012-087 - Comment Moderation - Cross Site Request Forgery

This module enables you to moderate comments in an accelerated way, by providing a complete interface and all useful actions in a unique page. The module doesn't sufficiently protect the publish link URL, thus a Cross Site Request Forgery CSRF attack against an administrator could result in...

6.8CVSS6.5AI score0.00779EPSS
Exploits1References11
Total number of security vulnerabilities1940