1940 matches found
Views Bulk Operations (VBO) - Moderately critical - Access bypass - SA-CONTRIB-2020-003
Views Bulk Operations provides enhancements to running bulk actions on views. The module contains an access bypass vulnerability that might allow users to execute views actions that they should not have access to. This vulnerability is mitigated by the fact that it only occurs in the case of...
SpamSpan filter - Moderately critical - Cross site scripting - SA-CONTRIB-2020-002
The SpamSpan module obfuscates email addresses to help prevent spambots from collecting them. This module contains a spamspan twig filter which doesn't sanitize the passed HTML string. This vulnerability is mitigated by the fact that sites must have custom twig template files that use the SpamSpa...
Radix - Moderately critical - Cross site scripting - SA-CONTRIB-2020-001
Radix is a base theme for Drupal, with Bootstrap 4, Sass, ES6 and BrowserSync built-in. The module doesn't sufficiently filter menu titles when used in a dropdown in the main menu. This vulnerability is mitigated by the fact that an attacker must have permission to edit a menu title used in the...
Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012
The Drupal project uses the third-party library ArchiveTar, which has released a security improvement that is needed to protect some Drupal configurations. Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them. The lates...
Drupal core - Moderately critical - Denial of Service - SA-CORE-2019-009
A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt...
Drupal core - Moderately critical - Access bypass - SA-CORE-2019-011
The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations...
Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2019-010
Drupal 8 core's filesaveupload function does not strip the leading and trailing dot '.' from filenames, like Drupal 7 did. Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to...
Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-095
The Permissions by Term module extends Drupal by functionality for restricting access to single nodes via taxonomy terms. The module doesn't sufficiently restrict access to node previews, when the Search API module is used to display nodes in search result lists...
Modal - Moderately critical - Access bypass - SA-CONTRIB-2019-094
This project enables administrators to create modal dialogs. The routes used by the module lacked proper permissions, allowing untrusted users to access, create and modify modal configurations...
Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096
This module enables you to create forms to collect information from users and report, analyze and distribute it by email. The 7.x-3.x module doesn't sufficiently sanitize token values taken from query strings. If a query string token is used as the value of a markup component, an attacker can...
Smart Trim - Moderately critical - Cross site scripting - SA-CONTRIB-2019-092
The Smart Trim module allows site builders additional control with text summary fields. The module doesn't sufficiently filter text when certain options are selected. This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create content on the site when...
Taxonomy access fix - Moderately critical - Access bypass - SA-CONTRIB-2019-093
This module extends access handling of Drupal Core's Taxonomy module. The module doesn't sufficiently check, if a given entity should be access controlled, defaulting to allowing access even to unpublished Taxonomy Terms. if certain administrative routes should be access controlled, defaulting to...
Bypass Form Validations - Critical - Unsupported - SA-CONTRIB-2019-079
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Commerce Ingenico - Critical - Unsupported - SA-CONTRIB-2019-089
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Nodequeue - Critical - Cross Site Scripting - SA-CONTRIB-2019-085
Updated November 22. This module enables you to collect nodes in an arbitrarily ordered list. Nodequeue's JavaScript can be leveraged to insert HTML from attacker-controlled JSON data. This is exploitable if user-submitted "Filtered HTML" content is displayed on a page where nodequeue.js is loade...
Frequently Asked Questions - Critical - Unsupported - SA-CONTRIB-2019-077
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Nexus Theme - Critical - Unsupported - SA-CONTRIB-2019-078
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Webform Report - Critical - Unsupported - SA-CONTRIB-2019-086
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Administration Views - Moderately critical - Access bypass - SA-CONTRIB-2019-076
This module replaces administrative overview/listing pages with actual views for superior usability. The module doesn't sufficiently check user access when using the "Menu system path" access handler on a Views displays other than "System". Update: This project had been unsupported due to this...
Webform Multiple File Upload - Critical - Unsupported - SA-CONTRIB-2019-090
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
SendinBlue - Critical - Access bypass - SA-CONTRIB-2019-088
Update: This module had an access bypass vulnerability which has now been addressed by the module’s current maintainers. Original description The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you...
Feeds JSONPath Parser - Critical - Unsupported - SA-CONTRIB-2019-083
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported Update: Feeds Jsonpat...
Taxonomy CSV import/export - Moderately critical - Information disclosure - SA-CONTRIB-2019-084
Updated January 9th, 2020 This module enables you to import taxonomy terms from different sources, including a text area, a file upload or a file present in the web server. The module doesn't sufficiently validate user input when providing a local filename to import. This vulnerability is mitigat...
Field Slideshow - Less critical - Cross site scripting - SA-CONTRIB-2019-082
This module enables you to output a field as a slideshow. The module doesn't sufficiently filter strings added to the fields leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have the ability to create content which is output as...
Floating Button Menu - Critical - Unsupported - SA-CONTRIB-2019-091
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Bugsnag - Critical - Unsupported - SA-CONTRIB-2019-081
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Noggin - Critical - Unsupported - SA-CONTRIB-2019-080
Update - 2021-01-22 This maintainer has fixed this security issue. Please install https://www.drupal.org/project/noggin/releases/7.x-1.2 to resolve the issue. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the...
Make Meeting Scheduler - Critical - Unsupported - SA-CONTRIB-2019-087
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...
Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075
Open Social is a Drupal distribution for online communities. The included socialmagiclogin module doesn't sufficiently validate magic login URLs for user accounts that do not have a local password, but login via external systems. The lack of validation makes it possible for an adversary to forge...
Booking and Availability Management Tools for Drupal - Moderately critical - Access Bypass - SA-CONTRIB-2019-074
The Bat module provides a foundation through which a wide range of availability management, reservation and booking use cases can be addressed. The routes used to view events don't sufficiently guard access for non-privileged users. Specifically, a user with the 'View own' permission for bat even...
MaxLength - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-073
This module enables you to set a maximum length allowed on text fields and indicate how many characters are left. The module doesn't sufficiently filter strings leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact the malicious script will not be...
Localization update - Moderately critical - Insecure server configuration - SA-CONTRIB-2019-072
This module enables you to automatically download and update the site's interface translation by fetching them from localize.drupal.org or any other Localization server. The module doesn't sufficiently protect the directory it stores translation files in. It's conventional for directories which m...
Simple AMP (Accelerated Mobile Pages) - Moderately critical - Access bypass - SA-CONTRIB-2019-071
This module allows display of a site's content in AMP format. The module doesn't sufficiently check access on unpublished or restricted content...
Ubercart - Moderately critical - Cross site scripting - SA-CONTRIB-2019-070
The Ubercart module provides a shopping cart and e-commerce features for Drupal. The order module doesn't sufficiently sanitize user input when displayed on an invoice leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a rol...
Gutenberg - Critical - Access bypass - SA-CONTRIB-2019-069
This module provides a new UI experience for node editing - Gutenberg editor. The routes used by the Gutenberg editor lack proper permissions allowing untrusted users to view and modify some content they should not be able to view or modify...
Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-068
This module enables you to control access to content based on taxonomy terms. The module doesn't sufficiently check if a given entity should be access controlled, defaulting to allowing access even to unpublished nodes. The vulnerability is mitigated by the fact that the submodule Permissions by...
TableField - Moderately critical - Access bypass - SA-CONTRIB-2019-067
This module allows you to attach tabular data to an entity. There is insufficient access checking for users with the ability to "Export Tablefield Data as CSV". They can export data from unpublished nodes or otherwise inaccessible entities. This vulnerability is mitigated by the fact that an...
Create user permission - Critical - Access bypass - SA-CONTRIB-2019-066
This module enables you to have a separate permission only for creating users. The module doesn't respect Drupal's setting for "Who can register accounts?" when set to "Visitors, but administrator approval is required". When this option is chosen, the module overrides the setting, and makes it...
Imagecache External - Critical - Insecure session token management - SA-CONTRIB-2019-065
This module that allows you to store external images on your server and apply your own Image Styles. The module exposes cookies to external sites when making external image requests. This vulnerability is mitigated by using the whitelisted host feature to restrict external image requests from...
scroll to top - Moderately critical - Cross site scripting - SA-CONTRIB-2019-061
The Scroll To Top module enables you to have an animated scroll to top link in the bottom of the node. The module does not sufficiently filter configuration text leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with...
Forms Steps - Critical - Access bypass - SA-CONTRIB-2019-064
Forms Steps provides an UI to create form workflows using form modes. It creates quick and configurable multisteps forms. The module doesn't sufficiently check user permissions to access its workflows entities that allows to see any entities that have been created through the different steps of i...
External Links Filter - Moderately critical - Open Redirect Vulnerability - SA-CONTRIB-2019-063
The External Link Filter module provides an input filter that replaces external links by a local link that redirects to the target URL. The module did not have protection for the Redirect URL to go where content authors intended...
Super Login - Moderately critical - Cross site scripting - SA-CONTRIB-2019-062
This module improves the Drupal login page with the new features and layout. The module doesn't sufficiently filter input text in the administration pages text configuration inputs. For example, the login text field. The vulnerability is mitigated by the fact it can only be exploited by a user wi...
Metatag - Moderately critical - Information disclosure - SA-CONTRIB-2019-058
This module enables you to customize meta tags to help with a site's search engine ranking and improve the display of page summaries when shared on social networks. The module doesn't sufficiently check for a site being in maintenance mode. This vulnerability is mitigated by the fact that the sit...
Facebook Messenger Customer Chat Plugin - Critical - Access bypass - SA-CONTRIB-2019-059
The Facebook Messenger Customer Chat Plugin module enables you to add the Facebook Messenger Customer Chat Plugin to your Drupal site. The module doesn't require user permissions on the admin page...
Existing Values Autocomplete Widget - Critical - Access bypass - SA-CONTRIB-2019-060
This module provides an autocomplete widget for text fields that suggests all existing previously entered values for that field. The module doesn't sufficiently check for proper access permission before returning autocomplete results. This vulnerability is mitigated by the fact that an attacker...
Drupal core - Critical - Access bypass - SA-CORE-2019-008
In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4. Drupal 8.7.3 and earlier, Drupal 8.6.x and earlier, and Drupal 7.x are not...
Meta tags quick - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-057
Metatags quick is a module that manages meta tags tags that appear in HTML's head section as Drupal 7 fields. Administration page of metatags quick does not sanitize the output of blocks that appear on the same page. This allows an attacker to inject malicious JavaScript in block markup. This...
ImageCache Actions - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-056
The imagecache actions module defines a number of additional image effects that can be used to create image styles. The "Image styles admin" sub module provides additional functionality to duplicate, export and import image styles. The module uses unserialize to import image styles into another...
Custom Permissions - Critical - Access bypass - SA-CONTRIB-2019-055
This module enables you to add and manage additional custom permissions through the administration UI. The module doesn't sufficiently check for the proper access permissions to this page. This vulnerability is mitigated by the fact that an attacker must know the route of the Custom Permissions...