1940 matches found
SA-CONTRIB-2012-164 - Smiley module and Smileys module - Cross Site Scripting (XSS)
These modules enable you to substitutes text emoticons, like :-, with images. These modules don't sufficiently sanitize user defined smiley acronyms before displaying smiley images. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...
SA-CONTRIB-2012-162 - RESTful Web Services - Cross site request forgery (CSRF)
This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module doesn't sufficiently verify POST requests thereby exposing a Cross Site Request Forgery vulnerability. This vulnerability is...
SA-CONTRIB-2012-159 - Password policy - Information leakage of hashed passwords
This module provides a way to specify a certain level of password complexity aka. "password hardening" for user passwords on a system by defining a password policy. The Password policy module allows administrators to request users to enter a new password that does not match any of the previous X...
SA-CONTRIB-2012-146 - Simplenews Scheduler - Arbitrary code execution
The Simplenews Scheduler module provides a system for creating automatic email newsletters. These can be set to be sent at a fixed interval, or PHP code can be entered to evaluate a condition for a new newsletter issue to be sent. The module allows a user with the 'send scheduled newsletters'...
SA-CONTRIB-2012-136 - Apache Solr Search Autocomplete - Cross Site Scripting (XSS)
Apache Solr Search Autocomplete module enables you to add autocomplete capabilities to the search text field for the Apache Solr Search Integration module. The module doesn't sufficiently filter the autocomplete results sent back from the Drupal site, so under the scenario where someone provided ...
SA-CONTRIB-2012-104 - Privatemsg - Cross Site Scripting (XSS)
The Privatemsg module allows users to send private messages between to each other. The module doesn't sufficiently sanitize user names when creating messages. This vulnerability is mitigated by the fact that it is not possible to create insecure user names through the default user interface. The...
SA-CONTRIB-2012-102 - Ubercart AJAX Cart - Potential Disclosure of user Session ID
This module enables you to replace the default Ubercart shopping cart block with an AJAX-enabled one. The module includes the user's current session ID in one of its JavaScript settings keys on every page load which could be intercepted if the user's connection is not over SSL. This vulnerability...
SA-CONTRIB-2012-056 - Janrain Engage - Sensitive Data Protection Vulnerability
CVE: CVE-2012-2296 Using Janrain Engage, Drupal sites can authenticate new and existing users with popular social networks, map user profile data from these websites to Drupal fields, and share Drupal content with a user's friends on their social networks. The module permanently retains the...
SA-CONTRIB-2012-054 - Chaos tool suite - Cross Site Scripting (XSS)
CVE: CVE-2012-2082 This suite is primarily a set of APIs and tools to improve the developer experience. It also contains a module called the Page Manager whose job is to manage pages. In particular it manages panel pages, but as it grows it will be able to manage far more than just Panels. The...
SA-CONTRIB-2012-012 - Quicktabs - Cross Site Scripting (XSS)
CVE: CVE-2012-1637 The Quick Tabs module allows users to create blocks of tabbed content, specifying a title for the block and the individual tabs. Quick Tabs does not do sufficient filtering of user supplied text which presents a cross site scripting vulnerability. This vulnerability is mitigate...
Drupal core - Cross site request forgeries
Several parts in Drupal core are not protected against cross site request forgeries due to inproper use of the Forms API, or by taking action solely on GET requests. Malicious users are able to delete comments and content revisions and disable menu items by enticing a privileged users to visit...
Obfuscate - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-033
This module enables you to obfuscate email addresses in content. The module doesn't sufficiently sanitize user input via the Twig filter. This vulnerability is mitigated by the fact that it only affects sites using the ROT13 encoding and where an attacker can enter content that is filtered using...
File Access Fix (deprecated) - Moderately critical - Access bypass - SA-CONTRIB-2026-020
This module moves files to and from private storage depending on the access of its owning entities. The module does not sufficiently incorporate the results of hookfiledownload when a custom or contrib module implements that hook leading to access bypass...
Commerce Eurobank (Redirect) - Moderately critical - Access bypass - SA-CONTRIB-2025-066
This module enables you to pay for Commerce order to an environment provided and secured by the bank The module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request to update the order status to completed...
Single Content Sync - Moderately critical - Access bypass - SA-CONTRIB-2025-060
This module enables you to seamlessly migrate and deploy content across environments, eliminating manual steps. It simplifies the process by exporting content to a YML file or a ZIP archive, which can be imported into another environment effortlessly. While the export feature rightfully bypasses...
Klaro Cookie & Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-050
Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading. The module doesn't sufficiently sanitize data attributes allowing persistent Cross Site Scripting XSS attacks. This vulnerability ...
OAuth Client & OpenID Connect SSO | OAuth/OIDC Login - Critical - Cross Site Scripting - SA-CONTRIB-2024-067
This module enables you to authenticate users through an Identity Provider IdP or OAuth Server, allowing them to log in to your Drupal site. The module does not sufficiently escape query parameters sent to the callback URL when displaying error messages, particularly if the code parameter is...
Opigno module - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-028
The Opigno module is related to Opigno LMS distribution. It implements the module entity, that is a sub-part of a training. In the opignomodule module, uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution RCE and/or Cross Site...
Private content - Moderately critical - Access bypass - SA-CONTRIB-2024-012
This module gives each node a 'private' checkbox. If it's set, the node can only be seen by the node author, or users with the 'access private content' permission. The module incorrectly grants access to private nodes under certain specific circumstances. This vulnerability is mitigated by the fa...
Typogrify - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-002
The Typogrify module brings the typographic refinements of Typogrify to Drupal. It provides a text filter and a Twig filter. The typogrify Twig filter can be used to bypass the Twig auto-escape feature, leading to a persistent Cross Site Scripting XSS vulnerability. This vulnerability is mitigate...
Xsendfile - Moderately critical - Access bypass - SA-CONTRIB-2023-053
The Xsendfile module enables fast transfer for private files in Drupal. In order to control private file downloads, the module overrides ImageStyleDownloadController, for which a vulnerability was disclosed in SA-CORE-2023-005. The Xsendfile module was still based on an insecure version of...
AddToAny Share Buttons - Moderately critical - Access bypass - SA-CONTRIB-2023-018
This module provides social media share & follow buttons. The module doesn't sufficiently check access to a node when retrieving the label of an AddToAny block. This vulnerability is mitigated by the fact it requires the node ID to be passed via the route, requiring another module or specific...
Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-055
This module enables you to restrict content via taxonomy terms and related permissions. The module doesn't sufficiently restrict cached content in certain circumstances. This vulnerability is mitigated by the fact that it only occurs when multiple entity types are enabled in the module...
Webform - Critical - Remote Code Execution - SA-CONTRIB-2020-011
This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently filter webform element properties attributes under the scenario of editing a webform. Malicious user could craft such an attribute elementvalidate, for example that would invoke execution of undesired PH...
Workflow - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-049
The Workflow module enables you to create arbitrary Workflows, and assign them to Entities. The module doesn't sufficiently escape HTML in the field settings leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...
Doubleclick for Publishers (DFP) - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-002
This module enables you to to place advertisements on your site that are served by Google's DFP Doubleclick for Publisher service. The module has multiple Cross Site Scripting XSS vulnerabilities due to not sufficiently escaped fields. The "administer DFP" permission is not marked as restricted...
MAYO theme - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-164
MAYO theme enables you to change certain theme settings via the administration interface. Some theme settings aren't sufficiently sanitized. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes". CVE identifiers issued CVE-2015-8233...
CiviCRM private report - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-094
CiviCRM private report module enables users to create their own private copies of CiviCRM reports, which they can modify and save to meet their needs without requiring the "Administer reports" permission. The module doesn't sufficiently protect some links against CSRF. A malicious user can cause...
Invoice - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2015-085
Invoice module allows you to create invoices in Drupal. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. Additionally, some URLs were not protected against CSRF. A malicious user can cause another user to create,...
SA-CONTRIB-2015-067 - Finder - Open Redirect
Finder module allows you to create flexible faceted search forms to find entities such as nodes or users based on the values of fields and database attributes. The provided function finderformgoto is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the...
SA-CONTRIB-2015-063 - Webform - Cross Site Scripting (XSS)
Webform enables you to create surveys, personalized contact forms, contests, and the like. Cross Site Scripting Related to Webform Submissions The module doesn't sufficiently escape user data presented to administrative users in the webform results table. This issue affects the 7.x-4.x branch onl...
SA-CONTRIB-2015-043 - Commerce Balanced Payments - Multiple vulnerabilities
Commerce Balanced Payments module integrates Drupal Commerce with the Balanced Payments third-party service. The module doesn't sufficiently sanitize user supplied text in the Bank Account Listing Page, thereby exposing a Cross Site Scripting vulnerability. Also, some URLs were not protected...
SA-CONTRIB-2015-029 - Corner - Cross Site Request Forgery (CSRF) - Unsupported
This module enables you to add configurable corners to your site. A malicious user can cause an administrator to enable and disable corners by getting the administrator's browser to make a request to a specially-crafted URL while the administrator is logged in. CVE identifiers issued CVE-2015-337...
SA-CONTRIB-2015-026 - Taxonews - Cross Site Scripting (XSS)
This module enables you to create blocks of nodes carrying a given taxonomy term. The module doesn't sufficiently escape term names in the blocks it builds leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...
SA-CONTRIB-2015-019 - Ubercart Currency Conversion - Open Redirect
This module enables users to change the currency of Ubercart products. When switching the currency, the user is redirected to a page specified in the destination query parameter. The module was not checking that the passed argument was an internal URL, thereby leading to an open redirect...
SA-CONTRIB-2015-022 - nodeauthor - Cross Site Scripting (XSS) - Unsupported
This module displays node author information in a jQuery slider. The module doesn't sufficiently sanitize Profile2 fields in a provided block. This vulnerability is mitigated by the fact that an attacker must have a user account allowed to edit profile fields. CVE identifiers issued CVE-2015-3365...
SA-CONTRIB-2015-020 - Contact Form Fields - Cross Site Request Forgery (CSRF)
The Contact Form Fields module enables you to create additional fields to site-wide contact form. Some links were not properly protected from CSRF. A malicious user could cause an administrator to delete fields by getting the administrator's browser to make a request to a specially-crafted URL...
SA-CONTRIB-2015-012 - Jammer - Cross Site Request Forgery (CSRF)
This module enables you to hide or remove items from displaying including the node and comment preview buttons, node delete button, revision log textarea, workflow form on the workflow tab, and feed icon. The report administration links are not properly protected from CSRF. A malicious user could...
SA-CONTRIB-2015-008 - Batch Jobs - Cross Site Request Forgery (CSRF)
The Batch Jobs project is a scalable way to execute a list of tasks. Links that take actions on batch jobs are not protected from Cross Site Request Forgery CSRF. A malicious individual could cause a user that has permission to access a particular batch job or an administrator to delete the recor...
SA-CONTRIB-2015-002 - Course - Cross Site Scripting (XSS)
Course module enables you to create e-learning courses with any number of requirements for completion. The module doesn't sufficiently filter node title displays when being used in a course. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to creat...
SA-CONTRIB-2014-072 - Freelinking, Freelinking Case Tracker - Access bypass
The freelinking and freelinking case tracker modules implement a filter for the easier creation of HTML links to other pages in the site or external sites with a wiki style format such as pluginname:identifier. The module doesn't sufficiently check access to content when displaying links to nodes...
SA-CONTRIB-2014-065 - Custom Meta - Cross Site Scripting (XSS)
The module allows you to define and manage custom meta tags. The module does not sufficiently sanitize user input before displaying the attribute and content values for meta tags on the administration page. This vulnerability is mitigated by the fact that an attacker must have access to an accoun...
SA-CONTRIB-2014-034 - Custom Search - Cross Site Scripting
The Custom Search module alters the default search box to provide additional search filtering options and control. Custom Search contains a persistent cross-site scripting XSS vulnerability due to the fact that it fails to sanitize filter labels before display. This vulnerability is mitigated by...
SA-CONTRIB-2014-023 - Project Issue File Review - XSS
The Project Issue File Review PIFR module provides an abstracted client-server model and plugin API for performing distributed operations such as code review and testing, with a focus on supporting Drupal development. Two scenarios were identified where the module does not sufficiently sanitize...
SA-CONTRIB-2013-091 - Groups, Communities and Co (GCC) - Access Bypass
This module enables you to manage groups and assign content and users to groups. The module doesn't sufficiently check permissions to some of the configuration pages allowing unprivileged users to access the roles and permissions pages of the GCC module. CVE identifiers issued CVE-2013-4598...
SA-CONTRIB-2013-084 - FileField Sources - Access Bypass
This module expands on the FileField module by allowing you to select new or existing files through additional means, such as re-using files with an auto-complete textfield, attaching server-side files uploaded via FTP, transferring file files from a remote server, pasting a file directly from th...
SA-CONTRIB-2013-078 - Quick Tabs - Access Bypass
The Quick Tabs module allows you to create blocks of tabbed content, specifically views, blocks, nodes and other quicktabs. You can create a block on your site containing multiple tabs with corresponding content. The module does not sufficiently check block permissions before rendering a Quick Ta...
SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)
The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. The module incorrectly prints some view configuration fields without proper sanitization opening a Cross-Site Scripting...
SA-CONTRIB-2013-032 - Company theme - Cross Site Scripting (XSS)
This third-party contributed theme changes Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...
SA-CONTRIB-2013-015 - Manager Change for Organic Groups - Cross site scripting (XSS)
This module extends Organic Groups to allow the manager of a group to select a new manager for their group ie if they want to leave the group. The autocomplete field for selecting a new manager didn't properly filter usernames. The vulnerability is mitigated by the fact that Drupal's default...