
1911 matches found

Drupal
Added 2020/05/27 12:00 a.m.

Password Reset Landing Page (PRLP) - Highly critical - Access bypass - SA-CONTRIB-2020-021

This module enables you to force a password update when using password reset link. The module doesn't sufficiently validate the login URL allowing a malicious user to use a specially crafted URL to log in as another user...

AI score: 6.7
Exploits: 0, References: 8

Drupal
Added 2020/05/27 12:00 a.m.

Commerce Core - Moderately critical - Access bypass - SA-CONTRIB-2020-020

Drupal Commerce is used to build eCommerce websites and applications. It's possible to configure commerce to permit orders by anonymous users. In this configuration, customers who do not choose to create an account upon checkout completion remain anonymous, and the resulting orders are never...

AI score: 6.6
Exploits: 0, References: 8

Drupal
Added 2020/05/20 12:00 a.m.

Drupal core - Moderately critical - Open Redirect - SA-CORE-2020-003

Drupal 7 has an Open Redirect vulnerability. For example, a user could be tricked into visiting a specially crafted link which would redirect them to an arbitrary external URL. The vulnerability is caused by insufficient validation of the destination query parameter in the drupal_goto() function...

CVSS: 6.1, AI score: 4.4, EPSS: 0.00864
Exploits: 0, References: 6

Drupal
Added 2020/05/20 12:00 a.m.

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2020-002

The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are ... security issues in jQuery’s DOM manipulation methods, as in .html, .append, and the others. Security advisories for...

CVSS: 6.9, AI score: 0.2, EPSS: 0.99019
Exploits: 11, References: 24

Drupal
Added 2020/05/13 12:00 a.m.

Webform - Critical - Access bypass - SA-CONTRIB-2020-018

This webform module enables you to build a 'Term checkboxes' element. The module doesn't sufficiently check term 'view' access when rendering 'Term checkboxes' elements. Unpublished terms will always appear in the 'Term checkboxes' element...

AI score: 6.6
Exploits: 0, References: 7

Drupal
Added 2020/05/13 12:00 a.m.

reCAPTCHA v3 - Critical - Access bypass - SA-CONTRIB-2020-019

The reCaptcha v3 module enables you to protect your forms using the Google reCaptcha V3. If the reCaptcha v3 challenge succeeds, all the other form validations are bypassed. This makes it possible for attackers to submit invalid or incomplete forms. This vulnerability only affects forms that are...

AI score: 5.6
Exploits: 0, References: 8

Drupal
Added 2020/05/06 12:00 a.m.

Webform - Critical - Remote Code Execution - SA-CONTRIB-2020-011

This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently filter webform element property attributes when a webform is edited. A malicious user could craft such an attribute (#element_validate, for example) that would invoke execution of undesired PH...

AI score: 6.6
Exploits: 0, References: 7

Drupal
Added 2020/05/06 12:00 a.m.

Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-014

This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently filter user input in the scenario when a webform is edited; namely, the message related to the character min/max counter does not undergo sufficient filtering and thus allows execution of JavaScript cod...

AI score: 6.6
Exploits: 0, References: 8

Drupal
Added 2020/05/06 12:00 a.m.

Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-017

This module enables you to build forms and surveys in Drupal. The Webform Node sub-module allows these forms to be associated with a Drupal node. The Webform Node module does not implement access checking in the same manner as other nodes and entities. As such, writers of custom modules which...

AI score: 6.7
Exploits: 0, References: 7

Drupal
Added 2020/05/06 12:00 a.m.

Webform - Critical - Access bypass - SA-CONTRIB-2020-016

This webform module enables you to build 'Term select' and 'Term checkboxes' elements. The module doesn't sufficiently check term 'view' access when rendering the 'Term select' and 'Term checkboxes' elements. Unpublished terms will always appear in the 'Term select' and 'Term checkboxes' elements...

AI score: 6.6
Exploits: 0, References: 6

Drupal
Added 2020/05/06 12:00 a.m.

Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-015

This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently sanitize Webform labels nor visibility conditions under the scenario of placing a block. When a webform block is placed and visible on a website any JavaScript code contained within the webform's label w...

AI score: 6.5
Exploits: 0, References: 7

Drupal
Added 2020/05/06 12:00 a.m.

Webform - Moderately critical - Access bypass - SA-CONTRIB-2020-012

This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently validate data submitted into Webform Signature element during webform submission creation. This allows a malicious user to generate and extract HMAC hashes for arbitrary data. Such HMAC hashes are used...

AI score: 6.3
Exploits: 0, References: 6

Drupal
Added 2020/05/06 12:00 a.m.

Webform - Moderately critical - Cross site scripting - SA-CONTRIB-2020-013

The Webform module allows site builders to create forms. The module doesn't sufficiently prevent malicious code from being rendered via an options element (i.e. select menu, checkboxes, radios, etc.) under the scenario where the site builder allows the raw option value to be displayed. This...

AI score: 6.7
Exploits: 0, References: 6

Drupal
Added 2020/04/15 12:00 a.m.

JSON:API - Critical - Unsupported - SA-CONTRIB-2020-010

This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities. The security team and module maintainers are marking this project unsupported. Both the 8.x-1.x and 8.x-2.x versions are unsupported, and users of either version are...

AI score: 5.6
Exploits: 0, References: 9

Drupal
Added 2020/04/08 12:00 a.m.

Spamicide - Critical - Access bypass - SA-CONTRIB-2020-009

The Spamicide module protects Drupal forms with a form field that is hidden from normal users, but visible to spam bots. The module doesn't require appropriate permissions for administrative pages leading to an Access Bypass...

AI score: 6.6
Exploits: 0, References: 6

Drupal
Added 2020/03/25 12:00 a.m.

Svg Image - Critical - Cross site scripting - SA-CONTRIB-2020-008

The SVG Image module allows SVG files to be uploaded. The module did not sufficiently protect against malicious code inside SVG files, leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to upload an SVG file...

AI score: 6.5
Exploits: 0, References: 7

Drupal
Added 2020/03/18 12:00 a.m.

Drupal core - Moderately critical - Third-party library - SA-CORE-2020-001

The Drupal project uses the third-party library CKEditor, which has released a security improvement that is needed to protect some Drupal configurations. Vulnerabilities are possible if Drupal is configured to use the WYSIWYG CKEditor for your site's users. An attacker that can create or edit...

AI score: 5.9
Exploits: 0, References: 3

Drupal
Added 2020/03/18 12:00 a.m.

CKEditor 4 - WYSIWYG HTML editor - Moderately critical - Cross site scripting - SA-CONTRIB-2020-007

The CKEditor module and its predecessor, the FCKeditor module, allow Drupal to replace textarea fields with CKEditor 3.x/4.x (FCKeditor 2.x in the case of the FCKeditor module), a visual HTML editor, sometimes called a WYSIWYG editor. Due to the usage of the JavaScript eval function on non-filtered data in admi...

AI score: 6.1
Exploits: 0, References: 6

Drupal
Added 2020/03/11 12:00 a.m.

SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-006

This module enables you to authenticate Drupal users using an external SAML Identity Provider. If the site is configured to allow visitors to register for user accounts but administrator approval is required, the module doesn't sufficiently enforce the administrative approval requirement, in the...

AI score: 6.4
Exploits: 0, References: 6

Drupal
Added 2020/03/04 12:00 a.m.

SVG Formatter - Critical - Cross site scripting - SA-CONTRIB-2020-005

SVG Formatter module provides support for using SVG images on your website. This security release fixes third-party dependencies included in or required by SVG Formatter. XSS bypass using entities and tab. This vulnerability is mitigated by the fact that an attacker must be able to upload SVG fil...

AI score: 6
Exploits: 0, References: 7

Drupal
Added 2020/02/19 12:00 a.m.

Profile - Moderately critical - Access Bypass - SA-CONTRIB-2020-004

The Profile module enables you to give users configurable user profiles. The module doesn't sufficiently check access when creating a user profile. Users with the "create profiles" permission could create profiles for any users...

AI score: 6.5
Exploits: 0, References: 7, Affected Software: 1

Drupal
Added 2020/02/05 12:00 a.m.

Views Bulk Operations (VBO) - Moderately critical - Access bypass - SA-CONTRIB-2020-003

Views Bulk Operations provides enhancements to running bulk actions on views. The module contains an access bypass vulnerability that might allow users to execute views actions that they should not have access to. This vulnerability is mitigated by the fact that it only occurs in the case of...

AI score: 6.9
Exploits: 0, References: 7

Drupal
Added 2020/01/22 12:00 a.m.

SpamSpan filter - Moderately critical - Cross site scripting - SA-CONTRIB-2020-002

The SpamSpan module obfuscates email addresses to help prevent spambots from collecting them. This module contains a spamspan twig filter which doesn't sanitize the passed HTML string. This vulnerability is mitigated by the fact that sites must have custom twig template files that use the SpamSpa...

AI score: 6.4
Exploits: 0, References: 6, Affected Software: 1

Drupal
Added 2020/01/15 12:00 a.m.

Radix - Moderately critical - Cross site scripting - SA-CONTRIB-2020-001

Radix is a base theme for Drupal, with Bootstrap 4, Sass, ES6 and BrowserSync built-in. The module doesn't sufficiently filter menu titles when used in a dropdown in the main menu. This vulnerability is mitigated by the fact that an attacker must have permission to edit a menu title used in the...

AI score: 5.7
Exploits: 0, References: 5

Drupal
Added 2019/12/18 12:00 a.m.

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2019-010

Drupal 8 core's file_save_upload() function does not strip the leading and trailing dot '.' from filenames, as Drupal 7 did. Users with the ability to upload files with any extension, in conjunction with contributed modules, may be able to use this to upload system files such as .htaccess in order to...

AI score: 6.9
Exploits: 0, References: 19

Drupal
Added 2019/12/18 12:00 a.m.

Drupal core - Moderately critical - Denial of Service - SA-CORE-2019-009

A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt...

AI score: 6.7
Exploits: 0, References: 14

Drupal
Added 2019/12/18 12:00 a.m.

Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012

The Drupal project uses the third-party library ArchiveTar, which has released a security improvement that is needed to protect some Drupal configurations. Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them. The lates...

AI score: 7
Exploits: 0, References: 18

Drupal
Added 2019/12/18 12:00 a.m.

Drupal core - Moderately critical - Access bypass - SA-CORE-2019-011

The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations...

AI score: 6.8
Exploits: 0, References: 14

Drupal
Added 2019/12/11 12:00 a.m.

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-095

The Permissions by Term module extends Drupal with functionality for restricting access to single nodes via taxonomy terms. The module doesn't sufficiently restrict access to node previews when the Search API module is used to display nodes in search result lists...

AI score: 6.7
Exploits: 0, References: 6

Drupal
Added 2019/12/11 12:00 a.m.

Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096

This module enables you to create forms to collect information from users and report, analyze and distribute it by email. The 7.x-3.x module doesn't sufficiently sanitize token values taken from query strings. If a query string token is used as the value of a markup component, an attacker can...

AI score: 6.2
Exploits: 0, References: 10

Drupal
Added 2019/12/11 12:00 a.m.

Modal - Moderately critical - Access bypass - SA-CONTRIB-2019-094

This project enables administrators to create modal dialogs. The routes used by the module lacked proper permissions, allowing untrusted users to access, create and modify modal configurations...

AI score: 6.8
Exploits: 0, References: 6

Drupal
Added 2019/12/11 12:00 a.m.

Taxonomy access fix - Moderately critical - Access bypass - SA-CONTRIB-2019-093

This module extends the access handling of Drupal Core's Taxonomy module. The module doesn't sufficiently check if a given entity should be access controlled, defaulting to allowing access even to unpublished Taxonomy Terms, nor if certain administrative routes should be access controlled, defaulting to...

AI score: 5.7
Exploits: 0, References: 9

Drupal
Added 2019/12/11 12:00 a.m.

Smart Trim - Moderately critical - Cross site scripting - SA-CONTRIB-2019-092

The Smart Trim module allows site builders additional control with text summary fields. The module doesn't sufficiently filter text when certain options are selected. This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create content on the site when...

AI score: 6.5
Exploits: 0, References: 7

Drupal
Added 2019/11/13 12:00 a.m.

Feeds JSONPath Parser - Critical - Unsupported - SA-CONTRIB-2019-083

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported Update: Feeds Jsonpat...

AI score: 6.9
Exploits: 0, References: 6

Drupal
Added 2019/11/13 12:00 a.m.

Field Slideshow - Less critical - Cross site scripting - SA-CONTRIB-2019-082

This module enables you to output a field as a slideshow. The module doesn't sufficiently filter strings added to the fields leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have the ability to create content which is output as...

AI score: 6
Exploits: 0, References: 8

Drupal
Added 2019/11/13 12:00 a.m.

Floating Button Menu - Critical - Unsupported - SA-CONTRIB-2019-091

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported...

AI score: 6.6
Exploits: 0, References: 2

Drupal
Added 2019/11/13 12:00 a.m.

Webform Multiple File Upload - Critical - Unsupported - SA-CONTRIB-2019-090

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported...

AI score: 6.6
Exploits: 0, References: 2

Drupal
Added 2019/11/13 12:00 a.m.

Make Meeting Scheduler - Critical - Unsupported - SA-CONTRIB-2019-087

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported...

AI score: 6.6
Exploits: 0, References: 2

Drupal
Added 2019/11/13 12:00 a.m.

Bugsnag - Critical - Unsupported - SA-CONTRIB-2019-081

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported...

AI score: 6.6
Exploits: 0, References: 2

Drupal
Added 2019/11/13 12:00 a.m.

Commerce Ingenico - Critical - Unsupported - SA-CONTRIB-2019-089

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported...

AI score: 6.6
Exploits: 0, References: 2

Drupal
Added 2019/11/13 12:00 a.m.

SendinBlue - Critical - Access bypass - SA-CONTRIB-2019-088

Update: This module had an access bypass vulnerability which has now been addressed by the module's current maintainers. Original description: The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you...

AI score: 7.1
Exploits: 0, References: 2

Drupal
Added 2019/11/13 12:00 a.m.

Noggin - Critical - Unsupported - SA-CONTRIB-2019-080

Update - 2021-01-22: The maintainer has fixed this security issue. Please install https://www.drupal.org/project/noggin/releases/7.x-1.2 to resolve the issue. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the...

AI score: 6.6
Exploits: 0, References: 3

Drupal
Added 2019/11/13 12:00 a.m.

Administration Views - Moderately critical - Access bypass - SA-CONTRIB-2019-076

This module replaces administrative overview/listing pages with actual views for superior usability. The module doesn't sufficiently check user access when using the "Menu system path" access handler on Views displays other than "System". Update: This project had been unsupported due to this...

AI score: 6.6
Exploits: 0, References: 7

Drupal
Added 2019/11/13 12:00 a.m.

Bypass Form Validations - Critical - Unsupported - SA-CONTRIB-2019-079

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported...

AI score: 6.6
Exploits: 0, References: 2

Drupal
Added 2019/11/13 12:00 a.m.

Nodequeue - Critical - Cross Site Scripting - SA-CONTRIB-2019-085

Updated November 22. This module enables you to collect nodes in an arbitrarily ordered list. Nodequeue's JavaScript can be leveraged to insert HTML from attacker-controlled JSON data. This is exploitable if user-submitted "Filtered HTML" content is displayed on a page where nodequeue.js is loade...

AI score: 6.3
Exploits: 0, References: 9

Drupal
Added 2019/11/13 12:00 a.m.

Nexus Theme - Critical - Unsupported - SA-CONTRIB-2019-078

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported...

AI score: 6.6
Exploits: 0, References: 2

Drupal
Added 2019/11/13 12:00 a.m.

Frequently Asked Questions - Critical - Unsupported - SA-CONTRIB-2019-077

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported...

AI score: 6.6
Exploits: 0, References: 2

Drupal
Added 2019/11/13 12:00 a.m.

Webform Report - Critical - Unsupported - SA-CONTRIB-2019-086

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported...

AI score: 6.6
Exploits: 0, References: 2

Drupal
Added 2019/11/13 12:00 a.m.

Taxonomy CSV import/export - Moderately critical - Information disclosure - SA-CONTRIB-2019-084

Updated January 9th, 2020. This module enables you to import taxonomy terms from different sources, including a text area, a file upload or a file present on the web server. The module doesn't sufficiently validate user input when providing a local filename to import. This vulnerability is mitigat...

AI score: 5.6
Exploits: 0, References: 5

Drupal
Added 2019/11/06 12:00 a.m.

Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075

Open Social is a Drupal distribution for online communities. The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts that do not have a local password but log in via external systems. The lack of validation makes it possible for an adversary to forge...

AI score: 6.4
Exploits: 0, References: 8

Total number of security vulnerabilities: 1911