Lucene search
K
DrupalMost viewed

1940 matches found

Drupal
Drupal
added 2012/10/24 12:0 a.m.23 views

SA-CONTRIB-2012-158 - MailChimp - Cross Site Scripting (XSS)

This module provides integration with the MailChimp email delivery service. There are two issues with the webhook processing, which is exposed as an API in mailchimp.module and used by mailchimplists.module to update subscriber information. The webhook URL key can be trivially calculated. Webhook...

4.3CVSS6.4AI score0.01161EPSS
Exploits0References9
Drupal
Drupal
added 2012/08/15 12:0 a.m.23 views

SA-CONTRIB-2012-126 - Hotblocks - Cross Site Scripting (XSS) and Denial of Service (DoS)

The Hotblocks module provides an enhanced GUI for administering blocks and block content that is intended to be simpler and more controllable for less privileged users than the default block administration tools. Cross Site Scripting XSS The module doesn't sufficiently sanitize the user input for...

5.4AI score
Exploits0References9
Drupal
Drupal
added 2012/06/13 12:0 a.m.23 views

SA-CONTRIB-2012-101 - Protected Node - Access Bypass

The Protected Node module enables users to use a password to restrict access to an individual node or all nodes of a node type. The module doesn't sufficiently protect node access when nodes are accessed outside of the standard node view i.e. node/1 is protected but other lists are not. CVE:...

7.5CVSS6.5AI score0.02641EPSS
Exploits0References10
Drupal
Drupal
added 2012/06/06 12:0 a.m.23 views

SA-CONTRIB-2012-091 - Token Authentication - Access bypass

The Token Authentication module provides a token for use in the URL to authenticate users to a site. Under certain uncommon situations, the module may not revert a user's session properly. Depending on how tokenauth is used, this could result in subsequent requests being performed as a user with...

5CVSS6.4AI score0.02422EPSS
Exploits0References9
Drupal
Drupal
added 2012/05/30 12:0 a.m.23 views

SA-CONTRIB-2012-087 - Comment Moderation - Cross Site Request Forgery

This module enables you to moderate comments in an accelerated way, by providing a complete interface and all useful actions in a unique page. The module doesn't sufficiently protect the publish link URL, thus a Cross Site Request Forgery CSRF attack against an administrator could result in...

6.8CVSS6.5AI score0.00779EPSS
Exploits1References11
Drupal
Drupal
added 2012/05/16 12:0 a.m.23 views

SA-CONTRIB-2012-081 - Aberdeen - Cross Site Scripting

CVE: CVE-2012-2907. The Aberdeen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users. The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting XSS attack. This vulnerability is mitigated by...

2.6CVSS5.6AI score0.0135EPSS
Exploits0References12
Drupal
Drupal
added 2012/05/16 12:0 a.m.23 views

SA-CONTRIB-2012-078 - Smart Breadcrumb - Cross Site Scripting (XSS)

CVE: CVE-2012-2705. The function filtertitles incorrectly attempts to set a title to plain-text, but does not properly filter user supplied text. This vulnerability is mitigated by the fact that an attacker must have the permission to create or edit a node to exploit the issue. Versions affected...

2.1CVSS6.3AI score0.01607EPSS
Exploits0References11
Drupal
Drupal
added 2012/05/09 12:0 a.m.23 views

SA-CONTRIB-2012-074 - Contact Forms - Access Bypass

CVE: CVE-2012-2340 This module expands the features of the site wide contact form. It eliminates the drop down category menu by generating a clean looking contact form without a drop down menu with a unique path for each of the contact form categories. The module allowed users to edit the Contact...

3.5CVSS6.1AI score0.01271EPSS
Exploits0References10
Drupal
Drupal
added 2012/05/02 12:0 a.m.23 views

SA-CONTRIB-2012-071 - Glossify - Cross Site Scripting (XSS) - Unsupported

CVE: CVE-2012-2309 This module generates internal node to node, node to taxonomy or node to external URL links crosslinks automatically - ideal for SEO of your site's pages and partner pages. This module does not protect against an Cross Site Scripting XSS attack. The vulnerability is mitigated b...

3.5CVSS5.6AI score0.00936EPSS
Exploits0References7
Drupal
Drupal
added 2012/04/18 12:0 a.m.23 views

SA-CONTRIB-2012-060 - Commerce Reorder - Cross Site Request Forgery

CVE: CVE-2012-2116 The Commerce Reorder module enables you to reorder previously purchased products for Drupal Commerce. The module does not sufficiently protect the re-order URL against Cross Site Request Forgery CSRF, allowing a malicious user to trick someone into adding unwanted items to thei...

6.8CVSS6.4AI score0.00984EPSS
Exploits0References10
Drupal
Drupal
added 2012/03/28 12:0 a.m.23 views

SA-CONTRIB-2012-044 - Contact Forms - Cross Site Scripting

CVE: CVE-2012-2071 This module expands the features of the site wide contact form. It eliminates the drop down category menu by generating a clean looking contact form with a unique path, for each of the contact form categories. The module doesn't sufficiently filter user text of the page title a...

2.1CVSS5.4AI score0.01064EPSS
Exploits0References10
Drupal
Drupal
added 2012/03/28 12:0 a.m.23 views

SA-CONTRIB-2012-053 - Organic Groups - Access Bypass

CVE: CVE-2012-2081 Organic groups OG enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. The module's Views integration does not filter out information from display groups to whic...

5CVSS6.1AI score0.01563EPSS
Exploits0References11
Drupal
Drupal
added 2012/03/07 12:0 a.m.23 views

SA-CONTRIB-2012-031 - Multiple Modules Unsupported - UC PayDutchGroup - Information leakage and Multisite Search sql injection

CVE: CVE-2012-1655 UC PayDutchGroup / WeDeal payment integrates the PayDutchGroup / WeDeal payment gateway with Ubercart. The module exposes account credentials for the store's PayDutchGroup account under certain circumstances allowing a malicious user to login to the PayDutchGroup site as the...

6.8CVSS7.4AI score0.01271EPSS
Exploits0References10
Drupal
Drupal
added 2012/01/18 12:0 a.m.23 views

SA-CONTRIB-2012-009 - Revisioning - Access bypass

CVE: CVE-2012-1635 This module enables you to create moderation publication workflows, allowing authors to create content that isn't visible to the public until it has been approved by a moderator/publisher. The module's implementation of hooknodeaccess assumes that access is to granted/denied...

6.4CVSS6.4AI score0.01358EPSS
Exploits0References10
Drupal
Drupal
added 2012/01/04 12:0 a.m.23 views

SA-CONTRIB-2012-003 - Fill PDF - Multiple vulnerabilities

CVE: CVE-2012-1625 This module enables you to populate fillable PDF templates with data from nodes and webforms. Access bypass 7.x only Incorrectly-ordered arguments in a call to the function that handles the main functionality of the module makes it possible for an attacker to trigger any PDF to...

6CVSS6.5AI score0.01067EPSS
Exploits0References12
Drupal
Drupal
added 2011/06/29 12:0 a.m.23 views

SA-CONTRIB-2011-026 - Secure Password Hashes (phpass) - Multiple Vulnerabilities

This module uses the PHPass hashing library to try to store users hashed passwords securely. The module sets a fixed string for the 'pass' column in the users database column but does not replace the pass attribute of the account object used for password reset links. This leads to a vulnerability...

7.2AI score
Exploits0References8
Drupal
Drupal
added 2010/01/13 12:0 a.m.23 views

SA-CONTRIB-2010-005 - Own Term - Cross site scripting

The Own Term module allows users to create taxonomy terms in a designated vocabulary and when creating content this term is automatically added to the node. The module does not sanitize the term description on a term listing page which opens a cross-site scripting XSS attack. Users with a role...

6AI score
Exploits0References5
Drupal
Drupal
added 2006/03/13 12:0 a.m.23 views

DRUPAL-SA-2006-003 Session fixation vulnerability

If someone creates a clever enough URL and convinces you to click on it, and you later log in but you do not log off then the attacker may be able to impersonate you. Versions affected All Drupal versions before 4.6.6. Solution The fix to this issue requires PHP 4.3.2 or higher, which is higher...

7AI score
Exploits0References3
Drupal
Drupal
added 2025/07/09 12:0 a.m.22 views

Mail Login - Critical - Access bypass - SA-CONTRIB-2025-088

This module enables users to login by email address with the minimal configurations. The module included some protection against brute force attacks on the login form, however they were incomplete. An attacker could bypass the brute force protection allowing them to potentially gain access to an...

9.8CVSS6.9AI score0.00464EPSS
Exploits0References3
Drupal
Drupal
added 2025/06/25 12:0 a.m.22 views

Klaro Cookie & Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-080

Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading. The module doesn't sufficiently sanitize some HTML attributes allowing persistent Cross-site Scripting XSS attacks. This...

4.3CVSS5.5AI score0.00216EPSS
Exploits0References1
Drupal
Drupal
added 2025/05/07 12:0 a.m.22 views

COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-049

The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent. The cookiesassetinjector module a sub-module of the COOKiES module also allows inline JavaScript to be included in consent management. However, this...

6.1CVSS6.6AI score0.00195EPSS
Exploits0References2
Drupal
Drupal
added 2025/04/16 12:0 a.m.22 views

Simple GTM - Critical - Unsupported - SA-CONTRIB-2025-037

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.9CVSS6.9AI score0.00282EPSS
Exploits0References2
Drupal
Drupal
added 2025/04/16 12:0 a.m.22 views

Google Maps: Store Locator - Critical - Unsupported - SA-CONTRIB-2025-038

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.9CVSS6.9AI score0.00282EPSS
Exploits0References2
Drupal
Drupal
added 2025/04/02 12:0 a.m.22 views

Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-028

This module enables users to log in using a short access code instead of providing a username/password combination. The module doesn't sufficiently protect against brute force attacks to guess a user's access code. This vulnerability is mitigated by the fact that access code based logins are off ...

4.8CVSS7.2AI score0.00254EPSS
Exploits0References2
Drupal
Drupal
added 2025/03/05 12:0 a.m.23 views

AI (Artificial Intelligence) - Moderately critical - Gadget Chain - SA-CONTRIB-2025-022

The AI Automators module a submodule of AI enables you to create different automated tasks that fills out a field data using LLM outputs. The module contains a potential PHP Object Injection vulnerability that if combined with another exploit could lead to Arbitrary File Deletion. It may be...

6.6CVSS8AI score0.00721EPSS
Exploits0References2
Drupal
Drupal
added 2025/02/12 12:0 a.m.22 views

Configuration Split - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-017

This module enables you to create super sets of configuration and enable them conditionally, for example have some modules installed only in some environments. The module does not use Cross Site Request Forgery CSRF tokens to protect routes for enabling or disabling a split. This vulnerability is...

6.8CVSS7.1AI score0.0018EPSS
Exploits0References1
Drupal
Drupal
added 2024/08/07 12:0 a.m.22 views

Opigno group manager - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-027

The Opigno group manager project is related to Opigno LMS distribution. It allows to build the contents of learning paths, by combining together modules, courses, and other activities, ordering them, and defining conditional rules for the transitions from one step to the next one. An administrati...

5.5CVSS7.1AI score0.00254EPSS
Exploits0References7
Drupal
Drupal
added 2024/04/24 12:0 a.m.22 views

REST Views - Moderately critical - Information Disclosure - SA-CONTRIB-2024-018

The Rest views module lets site admins create rest exports in views with additional options for serializing data. This module does not accurately check access and may expose paths to unpublished content. This vulnerability is mitigated by the fact that there must be a specific content structure t...

7.5CVSS6.9AI score0.00481EPSS
Exploits0References6
Drupal
Drupal
added 2023/12/20 12:0 a.m.22 views

Data Visualisation Framework - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-055

This module allows you to turn various data sources Eg CSV or JSON file into interactive visualisation. The DVF module provides a field storage, widget & formatter that can be added to any entity. This module uses two third-party JS libraries having from low to medium vulnerabilities. One of the...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2022/08/24 12:0 a.m.22 views

Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053

This module enables you to accept payments from the Elavon payment provider. The module doesn't sufficiently verify that it's communicating with the correct server when using the Elavon On-site payment gateway, which could lead to leaking valid payment details as well as accepting invalid payment...

6.4AI score
Exploits0References6
Drupal
Drupal
added 2022/05/04 12:0 a.m.22 views

Image Field Caption - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-036

Image Field Caption imagefieldcaption adds an extra text area for captions on image fields. The module doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting XSS vulnerability. The vulnerability is mitigated by several permissions, of which at least some are commonly...

6.3AI score
Exploits0References5
Drupal
Drupal
added 2022/04/12 12:0 a.m.22 views

Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033

The Rename Admin Path module provides additional security to Drupal sites by renaming the admin paths. The module has a vulnerability with allows attackers to bypass the protection by using specially crafted URLs. The risk is mitigated by the fact that, even though the attacker can bypass the...

6.6AI score
Exploits0References6
Drupal
Drupal
added 2021/06/23 12:0 a.m.22 views

Opigno Learning path - Less critical - UI redressing (clickjacking) - SA-CONTRIB-2021-018

This project is related to Opigno LMS distribution. It implements the learning path, that combines together in a very flexible way the differents steps of a training in Opigno LMS. The module does not set X-Frame-Options and blocks ability of other modules e.g Security Kit to add them, leaving it...

6.5AI score
Exploits0References7
Drupal
Drupal
added 2019/01/09 12:0 a.m.22 views

Aegir HTTPS - Moderately critical - Access bypass - SA-CONTRIB-2019-003

Aegir is a Web hosting control panel program that provides a Drupal-based graphical interface designed to simplify deploying, managing and upgrading an entire network of Drupal, Wordpress and CiviCRM Web sites. The Hosting HTTPS module is a commonly used piece of the Aegir platform. This module...

6.6AI score
Exploits0References10
Drupal
Drupal
added 2018/10/17 12:0 a.m.22 views

Workbench Moderation - Moderately critical - Access bypass - SA-CONTRIB-2018-067

The Workbench Moderation module adds arbitrary moderation states to Drupal core's "unpublished" and "published" node states, and affects the behavior of node revisions when nodes are published. In some conditions, content moderation fails to check a users access to use certain transitions, leadin...

6.7AI score
Exploits0References12
Drupal
Drupal
added 2018/06/27 12:0 a.m.22 views

TFA Basic plugins - Less critical - Insecure Randomness - SA-CONTRIB-2018-044

The TFA Basic module enables you to use Two Factor Authentication via a variety of plugins including TOTP and one-time codes delivered via email or sms. The module doesn't use a strong source of randomness, creating weak and predictable one-time login codes that are then delivered using SMS. This...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2017/12/06 12:0 a.m.22 views

Configuration Update Manager - Moderately critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-091

The Configuration Update Reports sub-module in the Configuration Update module project enables you to run reports to see what configuration on your site differs from the configuration distributed by a module, theme, or installation profile, and to revert, delete, or import configuration. This...

6.7AI score
Exploits0References7
Drupal
Drupal
added 2016/11/30 12:0 a.m.22 views

Elysia Cron - Critical - Arbitrary PHP code execution - SA-CONTRIB-2016-062

This module enables you to manage cron jobs. The module allows users with the permission "Administer elysia cron" to execute arbitrary PHP code via cron. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer elysia cron". This permission is...

7.9AI score
Exploits0References12
Drupal
Drupal
added 2015/12/16 12:0 a.m.22 views

Block Class - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-175

This module enables you to add custom classes to blocks. The module doesn't sufficiently scrub class names written by a malicious block class administrator. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer block classes". CVE identifier...

5.4CVSS5.2AI score0.01116EPSS
Exploits0References11
Drupal
Drupal
added 2015/05/20 12:0 a.m.22 views

Shipwire - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-111

The Shipwire API module handles communication with the Shipwire shipping service. The Shipwire module doesn't check view permission for the shipments overview page when installed admin/shipwire/shipments. Limited non-public information is displayed on the page. CVE identifiers issued CVE-2015-549...

5CVSS6.3AI score0.01396EPSS
Exploits0References10
Drupal
Drupal
added 2015/05/06 12:0 a.m.22 views

Webform Matrix Component - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-107

The Webform Matrix Component module is an extension of the Webform module that adds Matrix and Table components. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must ha...

3.5CVSS6AI score0.00954EPSS
Exploits0References11
Drupal
Drupal
added 2015/04/29 12:0 a.m.22 views

Camtasia Relay - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-100

This module enables you to integrate your Drupal site with TechSmith Relay software. The module doesn't sufficiently sanitize user input under the meta access tab. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "view meta information". CVE...

4.3CVSS6.2AI score0.01184EPSS
Exploits0References13
Drupal
Drupal
added 2015/04/22 12:0 a.m.22 views

HybridAuth Social Login - Less Critical - Information Disclosure - SA-CONTRIB-2015-097

HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter. The module may store user passwords in plain text. This vulnerability is mitigated by the fact that the option "Ask user for...

3.5CVSS6.3AI score0.00981EPSS
Exploits0References11
Drupal
Drupal
added 2015/04/01 12:0 a.m.22 views

EntityBulkDelete - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-089

EntityBulkDelete module allows you to delete entities in bulk using the Batch API. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must be...

4.3CVSS6AI score0.01184EPSS
Exploits0References10
Drupal
Drupal
added 2015/04/01 12:0 a.m.22 views

Current Search Links - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-091

Current Search Links module is an extension to the Facet API Current Search Blocks module. Instead of just showing the current search it turns the current search keywords into links that you can drop from the search. The module doesn't sufficiently sanitize the entered search query, thereby...

2.6CVSS5.7AI score0.01178EPSS
Exploits0References10
Drupal
Drupal
added 2015/02/25 12:0 a.m.22 views

SA-CONTRIB-2015-053 - Entity API - Cross Site Scripting (XSS)

The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. The module doesn't sufficiently sanitize field labels when exposing them through the Token API thereby exposing a Cross Site Scripting XSS vulnerability. This...

3.5CVSS5.7AI score0.01402EPSS
Exploits0References11
Drupal
Drupal
added 2015/02/25 12:0 a.m.22 views

SA-CONTRIB-2015-055 - Services single sign-on server helper - Open Redirect - Unsupported

Services single sign-on server helper module provides functionality to facilitate account information editing on a remote SSO site. The module doesn't validate some user supplied URLs in parameters used for page redirection. An attacker could trick users to visit malicious sites without realizing...

5.8CVSS6.2AI score0.01516EPSS
Exploits0References8
Drupal
Drupal
added 2015/02/18 12:0 a.m.22 views

SA-CONTRIB-2015-050 - Services Basic Authentication - Access bypass

Services Basic Authentication module adds HTTP basic authentication for Services module. A user could get unauthorized access to resources under some circumstances. This vulnerability is mitigated by the fact that the authentication works correctly when page caching is disabled. CVE identifiers...

5CVSS6.7AI score0.01439EPSS
Exploits0References15
Drupal
Drupal
added 2015/02/04 12:0 a.m.22 views

SA-CONTRIB-2015-035 - Ajax Timeline - Cross Site Scripting (XSS)

Ajax Timeline module enables you to display a vertical timeline of nodes based off a date field or created date of the configured nodes. The module doesn't sufficiently escape node titles when displaying the timeline, allowing a malicious user to inject code. This vulnerability is mitigated by th...

3.5CVSS6.3AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/21 12:0 a.m.22 views

SA-CONTRIB-2015-024 - Alfresco - Cross Site Request Forgery (CSRF)

The Alfresco module provides integration between Drupal and Alfresco via Content Management Web Services SOAP and Repository RESTful API. The Alfresco Browser submodule provides an AJAX-based repository browser that allows users to visualize, upload, search and retrieve nodes from the Alfresco...

5.8CVSS6.2AI score0.00656EPSS
Exploits0References9
Total number of security vulnerabilities1940