Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2020/02/05 12:0 a.m.18 views

Views Bulk Operations (VBO) - Moderately critical - Access bypass - SA-CONTRIB-2020-003

Views Bulk Operations provides enhancements to running bulk actions on views. The module contains an access bypass vulnerability that might allow users to execute views actions that they should not have access to. This vulnerability is mitigated by the fact that it only occurs in the case of...

6.9AI score
Exploits0References7
Drupal
Drupal
added 2020/01/22 12:0 a.m.36 views

SpamSpan filter - Moderately critical - Cross site scripting - SA-CONTRIB-2020-002

The SpamSpan module obfuscates email addresses to help prevent spambots from collecting them. This module contains a spamspan twig filter which doesn't sanitize the passed HTML string. This vulnerability is mitigated by the fact that sites must have custom twig template files that use the SpamSpa...

6.4AI score
Exploits0References6Affected Software1
Drupal
Drupal
added 2020/01/15 12:0 a.m.5 views

Radix - Moderately critical - Cross site scripting - SA-CONTRIB-2020-001

Radix is a base theme for Drupal, with Bootstrap 4, Sass, ES6 and BrowserSync built-in. The module doesn't sufficiently filter menu titles when used in a dropdown in the main menu. This vulnerability is mitigated by the fact that an attacker must have permission to edit a menu title used in the...

5.7AI score
Exploits0References5
Drupal
Drupal
added 2019/12/18 12:0 a.m.130 views

Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2019-012

The Drupal project uses the third-party library ArchiveTar, which has released a security improvement that is needed to protect some Drupal configurations. Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them. The lates...

7AI score
Exploits0References18
Drupal
Drupal
added 2019/12/18 12:0 a.m.26 views

Drupal core - Moderately critical - Denial of Service - SA-CORE-2019-009

A visit to install.php can cause cached data to become corrupted. This could cause a site to be impaired until caches are rebuilt...

6.7AI score
Exploits0References14
Drupal
Drupal
added 2019/12/18 12:0 a.m.24 views

Drupal core - Moderately critical - Access bypass - SA-CORE-2019-011

The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations...

6.8AI score
Exploits0References14
Drupal
Drupal
added 2019/12/18 12:0 a.m.31 views

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2019-010

Drupal 8 core's filesaveupload function does not strip the leading and trailing dot '.' from filenames, like Drupal 7 did. Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to...

6.9AI score
Exploits0References19
Drupal
Drupal
added 2019/12/11 12:0 a.m.14 views

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-095

The Permissions by Term module extends Drupal by functionality for restricting access to single nodes via taxonomy terms. The module doesn't sufficiently restrict access to node previews, when the Search API module is used to display nodes in search result lists...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2019/12/11 12:0 a.m.10 views

Modal - Moderately critical - Access bypass - SA-CONTRIB-2019-094

This project enables administrators to create modal dialogs. The routes used by the module lacked proper permissions, allowing untrusted users to access, create and modify modal configurations...

6.8AI score
Exploits0References6
Drupal
Drupal
added 2019/12/11 12:0 a.m.18 views

Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096

This module enables you to create forms to collect information from users and report, analyze and distribute it by email. The 7.x-3.x module doesn't sufficiently sanitize token values taken from query strings. If a query string token is used as the value of a markup component, an attacker can...

6.2AI score
Exploits0References10
Drupal
Drupal
added 2019/12/11 12:0 a.m.11 views

Smart Trim - Moderately critical - Cross site scripting - SA-CONTRIB-2019-092

The Smart Trim module allows site builders additional control with text summary fields. The module doesn't sufficiently filter text when certain options are selected. This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create content on the site when...

6.5AI score
Exploits0References7
Drupal
Drupal
added 2019/12/11 12:0 a.m.9 views

Taxonomy access fix - Moderately critical - Access bypass - SA-CONTRIB-2019-093

This module extends access handling of Drupal Core's Taxonomy module. The module doesn't sufficiently check, if a given entity should be access controlled, defaulting to allowing access even to unpublished Taxonomy Terms. if certain administrative routes should be access controlled, defaulting to...

5.7AI score
Exploits0References9
Drupal
Drupal
added 2019/11/13 12:0 a.m.15 views

Bypass Form Validations - Critical - Unsupported - SA-CONTRIB-2019-079

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2019/11/13 12:0 a.m.15 views

Commerce Ingenico - Critical - Unsupported - SA-CONTRIB-2019-089

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2019/11/13 12:0 a.m.15 views

Nodequeue - Critical - Cross Site Scripting - SA-CONTRIB-2019-085

Updated November 22. This module enables you to collect nodes in an arbitrarily ordered list. Nodequeue's JavaScript can be leveraged to insert HTML from attacker-controlled JSON data. This is exploitable if user-submitted "Filtered HTML" content is displayed on a page where nodequeue.js is loade...

6.3AI score
Exploits0References9
Drupal
Drupal
added 2019/11/13 12:0 a.m.16 views

Frequently Asked Questions - Critical - Unsupported - SA-CONTRIB-2019-077

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2019/11/13 12:0 a.m.18 views

Nexus Theme - Critical - Unsupported - SA-CONTRIB-2019-078

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2019/11/13 12:0 a.m.9 views

Webform Report - Critical - Unsupported - SA-CONTRIB-2019-086

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2019/11/13 12:0 a.m.14 views

Administration Views - Moderately critical - Access bypass - SA-CONTRIB-2019-076

This module replaces administrative overview/listing pages with actual views for superior usability. The module doesn't sufficiently check user access when using the "Menu system path" access handler on a Views displays other than "System". Update: This project had been unsupported due to this...

6.6AI score
Exploits0References7
Drupal
Drupal
added 2019/11/13 12:0 a.m.15 views

Webform Multiple File Upload - Critical - Unsupported - SA-CONTRIB-2019-090

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2019/11/13 12:0 a.m.15 views

SendinBlue - Critical - Access bypass - SA-CONTRIB-2019-088

Update: This module had an access bypass vulnerability which has now been addressed by the module’s current maintainers. Original description The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you...

7.1AI score
Exploits0References2
Drupal
Drupal
added 2019/11/13 12:0 a.m.17 views

Feeds JSONPath Parser - Critical - Unsupported - SA-CONTRIB-2019-083

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported Update: Feeds Jsonpat...

6.9AI score
Exploits0References6
Drupal
Drupal
added 2019/11/13 12:0 a.m.5 views

Taxonomy CSV import/export - Moderately critical - Information disclosure - SA-CONTRIB-2019-084

Updated January 9th, 2020 This module enables you to import taxonomy terms from different sources, including a text area, a file upload or a file present in the web server. The module doesn't sufficiently validate user input when providing a local filename to import. This vulnerability is mitigat...

5.6AI score
Exploits0References5
Drupal
Drupal
added 2019/11/13 12:0 a.m.11 views

Field Slideshow - Less critical - Cross site scripting - SA-CONTRIB-2019-082

This module enables you to output a field as a slideshow. The module doesn't sufficiently filter strings added to the fields leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have the ability to create content which is output as...

6AI score
Exploits0References8
Drupal
Drupal
added 2019/11/13 12:0 a.m.17 views

Floating Button Menu - Critical - Unsupported - SA-CONTRIB-2019-091

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2019/11/13 12:0 a.m.12 views

Bugsnag - Critical - Unsupported - SA-CONTRIB-2019-081

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2019/11/13 12:0 a.m.14 views

Noggin - Critical - Unsupported - SA-CONTRIB-2019-080

Update - 2021-01-22 This maintainer has fixed this security issue. Please install https://www.drupal.org/project/noggin/releases/7.x-1.2 to resolve the issue. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the...

6.6AI score
Exploits0References3
Drupal
Drupal
added 2019/11/13 12:0 a.m.11 views

Make Meeting Scheduler - Critical - Unsupported - SA-CONTRIB-2019-087

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2019/11/06 12:0 a.m.16 views

Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075

Open Social is a Drupal distribution for online communities. The included socialmagiclogin module doesn't sufficiently validate magic login URLs for user accounts that do not have a local password, but login via external systems. The lack of validation makes it possible for an adversary to forge...

6.4AI score
Exploits0References8
Drupal
Drupal
added 2019/10/16 12:0 a.m.14 views

Booking and Availability Management Tools for Drupal - Moderately critical - Access Bypass - SA-CONTRIB-2019-074

The Bat module provides a foundation through which a wide range of availability management, reservation and booking use cases can be addressed. The routes used to view events don't sufficiently guard access for non-privileged users. Specifically, a user with the 'View own' permission for bat even...

6.5AI score
Exploits0References7
Drupal
Drupal
added 2019/10/09 12:0 a.m.3 views

MaxLength - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-073

This module enables you to set a maximum length allowed on text fields and indicate how many characters are left. The module doesn't sufficiently filter strings leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact the malicious script will not be...

5.5AI score
Exploits0References7
Drupal
Drupal
added 2019/10/02 12:0 a.m.14 views

Localization update - Moderately critical - Insecure server configuration - SA-CONTRIB-2019-072

This module enables you to automatically download and update the site's interface translation by fetching them from localize.drupal.org or any other Localization server. The module doesn't sufficiently protect the directory it stores translation files in. It's conventional for directories which m...

6.6AI score
Exploits0References8
Drupal
Drupal
added 2019/10/02 12:0 a.m.13 views

Simple AMP (Accelerated Mobile Pages) - Moderately critical - Access bypass - SA-CONTRIB-2019-071

This module allows display of a site's content in AMP format. The module doesn't sufficiently check access on unpublished or restricted content...

6.6AI score
Exploits0References6
Drupal
Drupal
added 2019/10/02 12:0 a.m.13 views

Ubercart - Moderately critical - Cross site scripting - SA-CONTRIB-2019-070

The Ubercart module provides a shopping cart and e-commerce features for Drupal. The order module doesn't sufficiently sanitize user input when displayed on an invoice leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a rol...

5.9AI score
Exploits0References6
Drupal
Drupal
added 2019/09/25 12:0 a.m.13 views

Gutenberg - Critical - Access bypass - SA-CONTRIB-2019-069

This module provides a new UI experience for node editing - Gutenberg editor. The routes used by the Gutenberg editor lack proper permissions allowing untrusted users to view and modify some content they should not be able to view or modify...

6.5AI score
Exploits0References7
Drupal
Drupal
added 2019/09/25 12:0 a.m.17 views

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-068

This module enables you to control access to content based on taxonomy terms. The module doesn't sufficiently check if a given entity should be access controlled, defaulting to allowing access even to unpublished nodes. The vulnerability is mitigated by the fact that the submodule Permissions by...

6.6AI score
Exploits0References7
Drupal
Drupal
added 2019/09/18 12:0 a.m.13 views

TableField - Moderately critical - Access bypass - SA-CONTRIB-2019-067

This module allows you to attach tabular data to an entity. There is insufficient access checking for users with the ability to "Export Tablefield Data as CSV". They can export data from unpublished nodes or otherwise inaccessible entities. This vulnerability is mitigated by the fact that an...

6.4AI score
Exploits0References9
Drupal
Drupal
added 2019/09/18 12:0 a.m.20 views

Create user permission - Critical - Access bypass - SA-CONTRIB-2019-066

This module enables you to have a separate permission only for creating users. The module doesn't respect Drupal's setting for "Who can register accounts?" when set to "Visitors, but administrator approval is required". When this option is chosen, the module overrides the setting, and makes it...

6.5AI score
Exploits0References8
Drupal
Drupal
added 2019/08/21 12:0 a.m.9 views

Imagecache External - Critical - Insecure session token management - SA-CONTRIB-2019-065

This module that allows you to store external images on your server and apply your own Image Styles. The module exposes cookies to external sites when making external image requests. This vulnerability is mitigated by using the whitelisted host feature to restrict external image requests from...

5.5AI score
Exploits0References7Affected Software1
Drupal
Drupal
added 2019/08/14 12:0 a.m.12 views

scroll to top - Moderately critical - Cross site scripting - SA-CONTRIB-2019-061

The Scroll To Top module enables you to have an animated scroll to top link in the bottom of the node. The module does not sufficiently filter configuration text leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with...

5.9AI score
Exploits0References8
Drupal
Drupal
added 2019/08/14 12:0 a.m.14 views

Forms Steps - Critical - Access bypass - SA-CONTRIB-2019-064

Forms Steps provides an UI to create form workflows using form modes. It creates quick and configurable multisteps forms. The module doesn't sufficiently check user permissions to access its workflows entities that allows to see any entities that have been created through the different steps of i...

6.7AI score
Exploits0References8
Drupal
Drupal
added 2019/08/14 12:0 a.m.5 views

External Links Filter - Moderately critical - Open Redirect Vulnerability - SA-CONTRIB-2019-063

The External Link Filter module provides an input filter that replaces external links by a local link that redirects to the target URL. The module did not have protection for the Redirect URL to go where content authors intended...

5.6AI score
Exploits0References8
Drupal
Drupal
added 2019/08/14 12:0 a.m.16 views

Super Login - Moderately critical - Cross site scripting - SA-CONTRIB-2019-062

This module improves the Drupal login page with the new features and layout. The module doesn't sufficiently filter input text in the administration pages text configuration inputs. For example, the login text field. The vulnerability is mitigated by the fact it can only be exploited by a user wi...

6.6AI score
Exploits0References7
Drupal
Drupal
added 2019/07/24 12:0 a.m.15 views

Metatag - Moderately critical - Information disclosure - SA-CONTRIB-2019-058

This module enables you to customize meta tags to help with a site's search engine ranking and improve the display of page summaries when shared on social networks. The module doesn't sufficiently check for a site being in maintenance mode. This vulnerability is mitigated by the fact that the sit...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2019/07/24 12:0 a.m.20 views

Facebook Messenger Customer Chat Plugin - Critical - Access bypass - SA-CONTRIB-2019-059

The Facebook Messenger Customer Chat Plugin module enables you to add the Facebook Messenger Customer Chat Plugin to your Drupal site. The module doesn't require user permissions on the admin page...

6.6AI score
Exploits0References6
Drupal
Drupal
added 2019/07/24 12:0 a.m.13 views

Existing Values Autocomplete Widget - Critical - Access bypass - SA-CONTRIB-2019-060

This module provides an autocomplete widget for text fields that suggests all existing previously entered values for that field. The module doesn't sufficiently check for proper access permission before returning autocomplete results. This vulnerability is mitigated by the fact that an attacker...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2019/07/17 12:0 a.m.53 views

Drupal core - Critical - Access bypass - SA-CORE-2019-008

In Drupal 8.7.4, when the experimental Workspaces module is enabled, an access bypass condition is created. This can be mitigated by disabling the Workspaces module. It does not affect any release other than Drupal 8.7.4. Drupal 8.7.3 and earlier, Drupal 8.6.x and earlier, and Drupal 7.x are not...

9.8CVSS2.9AI score0.01861EPSS
Exploits0References10
Drupal
Drupal
added 2019/07/17 12:0 a.m.15 views

Meta tags quick - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-057

Metatags quick is a module that manages meta tags tags that appear in HTML's head section as Drupal 7 fields. Administration page of metatags quick does not sanitize the output of blocks that appear on the same page. This allows an attacker to inject malicious JavaScript in block markup. This...

6.3AI score
Exploits0References5
Drupal
Drupal
added 2019/07/17 12:0 a.m.20 views

ImageCache Actions - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-056

The imagecache actions module defines a number of additional image effects that can be used to create image styles. The "Image styles admin" sub module provides additional functionality to duplicate, export and import image styles. The module uses unserialize to import image styles into another...

6.7AI score
Exploits0References8
Drupal
Drupal
added 2019/07/10 12:0 a.m.9 views

Custom Permissions - Critical - Access bypass - SA-CONTRIB-2019-055

This module enables you to add and manage additional custom permissions through the administration UI. The module doesn't sufficiently check for the proper access permissions to this page. This vulnerability is mitigated by the fact that an attacker must know the route of the Custom Permissions...

6.6AI score
Exploits0References6
Total number of security vulnerabilities1940