1940 matches found
SA-CONTRIB-2012-158 - MailChimp - Cross Site Scripting (XSS)
This module provides integration with the MailChimp email delivery service. There are two issues with the webhook processing, which is exposed as an API in mailchimp.module and used by mailchimplists.module to update subscriber information. The webhook URL key can be trivially calculated. Webhook...
SA-CONTRIB-2012-126 - Hotblocks - Cross Site Scripting (XSS) and Denial of Service (DoS)
The Hotblocks module provides an enhanced GUI for administering blocks and block content that is intended to be simpler and more controllable for less privileged users than the default block administration tools. Cross Site Scripting XSS The module doesn't sufficiently sanitize the user input for...
SA-CONTRIB-2012-101 - Protected Node - Access Bypass
The Protected Node module enables users to use a password to restrict access to an individual node or all nodes of a node type. The module doesn't sufficiently protect node access when nodes are accessed outside of the standard node view i.e. node/1 is protected but other lists are not. CVE:...
SA-CONTRIB-2012-091 - Token Authentication - Access bypass
The Token Authentication module provides a token for use in the URL to authenticate users to a site. Under certain uncommon situations, the module may not revert a user's session properly. Depending on how tokenauth is used, this could result in subsequent requests being performed as a user with...
SA-CONTRIB-2012-087 - Comment Moderation - Cross Site Request Forgery
This module enables you to moderate comments in an accelerated way, by providing a complete interface and all useful actions in a unique page. The module doesn't sufficiently protect the publish link URL, thus a Cross Site Request Forgery CSRF attack against an administrator could result in...
SA-CONTRIB-2012-081 - Aberdeen - Cross Site Scripting
CVE: CVE-2012-2907. The Aberdeen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users. The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting XSS attack. This vulnerability is mitigated by...
SA-CONTRIB-2012-078 - Smart Breadcrumb - Cross Site Scripting (XSS)
CVE: CVE-2012-2705. The function filtertitles incorrectly attempts to set a title to plain-text, but does not properly filter user supplied text. This vulnerability is mitigated by the fact that an attacker must have the permission to create or edit a node to exploit the issue. Versions affected...
SA-CONTRIB-2012-074 - Contact Forms - Access Bypass
CVE: CVE-2012-2340 This module expands the features of the site wide contact form. It eliminates the drop down category menu by generating a clean looking contact form without a drop down menu with a unique path for each of the contact form categories. The module allowed users to edit the Contact...
SA-CONTRIB-2012-071 - Glossify - Cross Site Scripting (XSS) - Unsupported
CVE: CVE-2012-2309 This module generates internal node to node, node to taxonomy or node to external URL links crosslinks automatically - ideal for SEO of your site's pages and partner pages. This module does not protect against an Cross Site Scripting XSS attack. The vulnerability is mitigated b...
SA-CONTRIB-2012-060 - Commerce Reorder - Cross Site Request Forgery
CVE: CVE-2012-2116 The Commerce Reorder module enables you to reorder previously purchased products for Drupal Commerce. The module does not sufficiently protect the re-order URL against Cross Site Request Forgery CSRF, allowing a malicious user to trick someone into adding unwanted items to thei...
SA-CONTRIB-2012-044 - Contact Forms - Cross Site Scripting
CVE: CVE-2012-2071 This module expands the features of the site wide contact form. It eliminates the drop down category menu by generating a clean looking contact form with a unique path, for each of the contact form categories. The module doesn't sufficiently filter user text of the page title a...
SA-CONTRIB-2012-053 - Organic Groups - Access Bypass
CVE: CVE-2012-2081 Organic groups OG enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. The module's Views integration does not filter out information from display groups to whic...
SA-CONTRIB-2012-031 - Multiple Modules Unsupported - UC PayDutchGroup - Information leakage and Multisite Search sql injection
CVE: CVE-2012-1655 UC PayDutchGroup / WeDeal payment integrates the PayDutchGroup / WeDeal payment gateway with Ubercart. The module exposes account credentials for the store's PayDutchGroup account under certain circumstances allowing a malicious user to login to the PayDutchGroup site as the...
SA-CONTRIB-2012-009 - Revisioning - Access bypass
CVE: CVE-2012-1635 This module enables you to create moderation publication workflows, allowing authors to create content that isn't visible to the public until it has been approved by a moderator/publisher. The module's implementation of hooknodeaccess assumes that access is to granted/denied...
SA-CONTRIB-2012-003 - Fill PDF - Multiple vulnerabilities
CVE: CVE-2012-1625 This module enables you to populate fillable PDF templates with data from nodes and webforms. Access bypass 7.x only Incorrectly-ordered arguments in a call to the function that handles the main functionality of the module makes it possible for an attacker to trigger any PDF to...
SA-CONTRIB-2011-026 - Secure Password Hashes (phpass) - Multiple Vulnerabilities
This module uses the PHPass hashing library to try to store users hashed passwords securely. The module sets a fixed string for the 'pass' column in the users database column but does not replace the pass attribute of the account object used for password reset links. This leads to a vulnerability...
SA-CONTRIB-2010-005 - Own Term - Cross site scripting
The Own Term module allows users to create taxonomy terms in a designated vocabulary and when creating content this term is automatically added to the node. The module does not sanitize the term description on a term listing page which opens a cross-site scripting XSS attack. Users with a role...
DRUPAL-SA-2006-003 Session fixation vulnerability
If someone creates a clever enough URL and convinces you to click on it, and you later log in but you do not log off then the attacker may be able to impersonate you. Versions affected All Drupal versions before 4.6.6. Solution The fix to this issue requires PHP 4.3.2 or higher, which is higher...
Mail Login - Critical - Access bypass - SA-CONTRIB-2025-088
This module enables users to login by email address with the minimal configurations. The module included some protection against brute force attacks on the login form, however they were incomplete. An attacker could bypass the brute force protection allowing them to potentially gain access to an...
Klaro Cookie & Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-080
Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading. The module doesn't sufficiently sanitize some HTML attributes allowing persistent Cross-site Scripting XSS attacks. This...
COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-049
The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent. The cookiesassetinjector module a sub-module of the COOKiES module also allows inline JavaScript to be included in consent management. However, this...
Simple GTM - Critical - Unsupported - SA-CONTRIB-2025-037
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Google Maps: Store Locator - Critical - Unsupported - SA-CONTRIB-2025-038
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-028
This module enables users to log in using a short access code instead of providing a username/password combination. The module doesn't sufficiently protect against brute force attacks to guess a user's access code. This vulnerability is mitigated by the fact that access code based logins are off ...
AI (Artificial Intelligence) - Moderately critical - Gadget Chain - SA-CONTRIB-2025-022
The AI Automators module a submodule of AI enables you to create different automated tasks that fills out a field data using LLM outputs. The module contains a potential PHP Object Injection vulnerability that if combined with another exploit could lead to Arbitrary File Deletion. It may be...
Configuration Split - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-017
This module enables you to create super sets of configuration and enable them conditionally, for example have some modules installed only in some environments. The module does not use Cross Site Request Forgery CSRF tokens to protect routes for enabling or disabling a split. This vulnerability is...
Opigno group manager - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-027
The Opigno group manager project is related to Opigno LMS distribution. It allows to build the contents of learning paths, by combining together modules, courses, and other activities, ordering them, and defining conditional rules for the transitions from one step to the next one. An administrati...
REST Views - Moderately critical - Information Disclosure - SA-CONTRIB-2024-018
The Rest views module lets site admins create rest exports in views with additional options for serializing data. This module does not accurately check access and may expose paths to unpublished content. This vulnerability is mitigated by the fact that there must be a specific content structure t...
Data Visualisation Framework - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-055
This module allows you to turn various data sources Eg CSV or JSON file into interactive visualisation. The DVF module provides a field storage, widget & formatter that can be added to any entity. This module uses two third-party JS libraries having from low to medium vulnerabilities. One of the...
Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053
This module enables you to accept payments from the Elavon payment provider. The module doesn't sufficiently verify that it's communicating with the correct server when using the Elavon On-site payment gateway, which could lead to leaking valid payment details as well as accepting invalid payment...
Image Field Caption - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-036
Image Field Caption imagefieldcaption adds an extra text area for captions on image fields. The module doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting XSS vulnerability. The vulnerability is mitigated by several permissions, of which at least some are commonly...
Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033
The Rename Admin Path module provides additional security to Drupal sites by renaming the admin paths. The module has a vulnerability with allows attackers to bypass the protection by using specially crafted URLs. The risk is mitigated by the fact that, even though the attacker can bypass the...
Opigno Learning path - Less critical - UI redressing (clickjacking) - SA-CONTRIB-2021-018
This project is related to Opigno LMS distribution. It implements the learning path, that combines together in a very flexible way the differents steps of a training in Opigno LMS. The module does not set X-Frame-Options and blocks ability of other modules e.g Security Kit to add them, leaving it...
Aegir HTTPS - Moderately critical - Access bypass - SA-CONTRIB-2019-003
Aegir is a Web hosting control panel program that provides a Drupal-based graphical interface designed to simplify deploying, managing and upgrading an entire network of Drupal, Wordpress and CiviCRM Web sites. The Hosting HTTPS module is a commonly used piece of the Aegir platform. This module...
Workbench Moderation - Moderately critical - Access bypass - SA-CONTRIB-2018-067
The Workbench Moderation module adds arbitrary moderation states to Drupal core's "unpublished" and "published" node states, and affects the behavior of node revisions when nodes are published. In some conditions, content moderation fails to check a users access to use certain transitions, leadin...
TFA Basic plugins - Less critical - Insecure Randomness - SA-CONTRIB-2018-044
The TFA Basic module enables you to use Two Factor Authentication via a variety of plugins including TOTP and one-time codes delivered via email or sms. The module doesn't use a strong source of randomness, creating weak and predictable one-time login codes that are then delivered using SMS. This...
Configuration Update Manager - Moderately critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-091
The Configuration Update Reports sub-module in the Configuration Update module project enables you to run reports to see what configuration on your site differs from the configuration distributed by a module, theme, or installation profile, and to revert, delete, or import configuration. This...
Elysia Cron - Critical - Arbitrary PHP code execution - SA-CONTRIB-2016-062
This module enables you to manage cron jobs. The module allows users with the permission "Administer elysia cron" to execute arbitrary PHP code via cron. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer elysia cron". This permission is...
Block Class - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-175
This module enables you to add custom classes to blocks. The module doesn't sufficiently scrub class names written by a malicious block class administrator. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer block classes". CVE identifier...
Shipwire - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-111
The Shipwire API module handles communication with the Shipwire shipping service. The Shipwire module doesn't check view permission for the shipments overview page when installed admin/shipwire/shipments. Limited non-public information is displayed on the page. CVE identifiers issued CVE-2015-549...
Webform Matrix Component - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-107
The Webform Matrix Component module is an extension of the Webform module that adds Matrix and Table components. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must ha...
Camtasia Relay - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-100
This module enables you to integrate your Drupal site with TechSmith Relay software. The module doesn't sufficiently sanitize user input under the meta access tab. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "view meta information". CVE...
HybridAuth Social Login - Less Critical - Information Disclosure - SA-CONTRIB-2015-097
HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter. The module may store user passwords in plain text. This vulnerability is mitigated by the fact that the option "Ask user for...
EntityBulkDelete - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-089
EntityBulkDelete module allows you to delete entities in bulk using the Batch API. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must be...
Current Search Links - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-091
Current Search Links module is an extension to the Facet API Current Search Blocks module. Instead of just showing the current search it turns the current search keywords into links that you can drop from the search. The module doesn't sufficiently sanitize the entered search query, thereby...
SA-CONTRIB-2015-053 - Entity API - Cross Site Scripting (XSS)
The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. The module doesn't sufficiently sanitize field labels when exposing them through the Token API thereby exposing a Cross Site Scripting XSS vulnerability. This...
SA-CONTRIB-2015-055 - Services single sign-on server helper - Open Redirect - Unsupported
Services single sign-on server helper module provides functionality to facilitate account information editing on a remote SSO site. The module doesn't validate some user supplied URLs in parameters used for page redirection. An attacker could trick users to visit malicious sites without realizing...
SA-CONTRIB-2015-050 - Services Basic Authentication - Access bypass
Services Basic Authentication module adds HTTP basic authentication for Services module. A user could get unauthorized access to resources under some circumstances. This vulnerability is mitigated by the fact that the authentication works correctly when page caching is disabled. CVE identifiers...
SA-CONTRIB-2015-035 - Ajax Timeline - Cross Site Scripting (XSS)
Ajax Timeline module enables you to display a vertical timeline of nodes based off a date field or created date of the configured nodes. The module doesn't sufficiently escape node titles when displaying the timeline, allowing a malicious user to inject code. This vulnerability is mitigated by th...
SA-CONTRIB-2015-024 - Alfresco - Cross Site Request Forgery (CSRF)
The Alfresco module provides integration between Drupal and Alfresco via Content Management Web Services SOAP and Repository RESTful API. The Alfresco Browser submodule provides an AJAX-based repository browser that allows users to visualize, upload, search and retrieve nodes from the Alfresco...