Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
•added 2019/06/26 12:0 a.m.•18 views

Advanced Forum - Critical - Cross Site Scripting - SA-CONTRIB-2019-054

Advanced Forum builds on and enhances Drupal's core forum module. When used in combination with other Drupal contributed modules, many of which are automatically used by Advanced Forum, you can achieve much of what stand alone software provides. The module doesn't sufficiently sanitise user input...

6.4AI score
Exploits0References5
Drupal
Drupal
•added 2019/06/19 12:0 a.m.•19 views

Easy Breadcrumb - Critical - Cross Site Scripting - SA-CONTRIB-2019-053

This module enables you to use the current URL path alias and the current page's title to automatically extract the breadcrumb's segments and its respective links then show them as breadcrumbs on your website. The module doesn't sufficiently sanitise user input in certain circumstances. This...

5.9AI score
Exploits0References8
Drupal
Drupal
•added 2019/05/29 12:0 a.m.•15 views

Universally Unique IDentifier - Moderately critical - Access bypass - SA-CONTRIB-2019-052

This module provides an API for adding universally unique identifiers UUID to Drupal objects, most notably entities. The module has a privilege escalation vulnerability when it's used in combination with Services+REST server. This vulnerability is mitigated by the fact that an attacker must...

6.8AI score
Exploits0References6
Drupal
Drupal
•added 2019/05/29 12:0 a.m.•17 views

TableField - Moderately critical - Access bypass and Cross Site Scripting - SA-CONTRIB-2019-051

This module allows you to attach tabular data to an entity. Access bypass There's no access check for users with an "Export Tablefield Data as CSV". They can export data from unpublished nodes or otherwise inaccessible entities. This vulnerability is mitigated by the fact that an attacker must ha...

5.8AI score
Exploits0References8
Drupal
Drupal
•added 2019/05/22 12:0 a.m.•6 views

Menu Item Extras - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2019-050

This module enables you to handle fields for Custom Menu Links. The module doesn't sufficiently check requests to one of the module controllers if the user has permission 'administer menu'. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create...

5.6AI score
Exploits0References7
Drupal
Drupal
•added 2019/05/22 12:0 a.m.•22 views

Workflow - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-049

The Workflow module enables you to create arbitrary Workflows, and assign them to Entities. The module doesn't sufficiently escape HTML in the field settings leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

6AI score
Exploits0References8
Drupal
Drupal
•added 2019/05/15 12:0 a.m.•15 views

Multiple Registration - Critical - Access bypass - SA-CONTRIB-2019-048

This module enables you to use special routes for user registration with special roles and custom field sets defined for the role. The module doesn't sufficiently check which user roles can be registered under the scenario when the user tries to register the user with the administrator role. This...

6.7AI score
Exploits0References5
Drupal
Drupal
•added 2019/05/15 12:0 a.m.•16 views

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2019-047

In certain configuration cases, when a learning path is configured as semi-private, anonymous users are allowed to join a learning path when they should not...

6.6AI score
Exploits0References6
Drupal
Drupal
•added 2019/05/15 12:0 a.m.•16 views

Opigno forum - Less critical - Access bypass - SA-CONTRIB-2019-046

In certain circumstances it is possible that certain forum information is available to unprivileged users because the access check is done with node access instead of grants. This vulnerability is mitigated by the fact that the module itself does not disclose information but only if there are...

6.3AI score
Exploits0References4
Drupal
Drupal
•added 2019/05/08 12:0 a.m.•71 views

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2019-007

This security release fixes third-party dependencies included in or required by Drupal core. As described in TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor: In order to intercept file invocations like fileexists or stat on compromised Phar archives the base name has ...

9.8CVSS1.3AI score0.05586EPSS
Exploits0References13
Drupal
Drupal
•added 2019/04/17 12:0 a.m.•52 views

Drupal core - Moderately critical - Multiple Vulnerabilities - SA-CORE-2019-005

This security release fixes third-party dependencies included in or required by Drupal core. CVE-2019-10909: Escape validation messages in the PHP templating engine. From that advisory: Validation messages were not escaped when using the form theme of the PHP templating engine which, when...

9.8CVSS1.2AI score0.0595EPSS
Exploits1References15
Drupal
Drupal
•added 2019/04/17 12:0 a.m.•5 views

Stage File Proxy - Less critical - Denial of Service - SA-CONTRIB-2019-044

Stage File Proxy is a general solution for getting production files on a development server on demand. The module doesn't sufficiently validate requested urls, allowing an attacker to send repeated requests for files that do not exist which could exhaust resources on the server where Stage File...

5.6AI score
Exploits0References7
Drupal
Drupal
•added 2019/04/17 12:0 a.m.•18 views

TableField - Critical - Remote Code Execution - SA-CONTRIB-2019-045

This module allows you to attach tabular data to an entity. The module doesn't sufficiently determine that the data being unserialized is the contents of a tablefield when users request a CSV export, which could lead to Remote Code Execution via Object Injection. This vulnerability is mitigated b...

7AI score
Exploits0References6
Drupal
Drupal
•added 2019/04/17 12:0 a.m.•93 views

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-006

The jQuery project released version 3.4.0, and as part of that, disclosed a security vulnerability that affects all prior versions. As described in their release notes: jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extendtrue, , .... If an unsanitized source object...

6.1CVSS2.1AI score0.87218EPSS
Exploits4References17
Drupal
Drupal
•added 2019/04/03 12:0 a.m.•20 views

Services - Less critical - Access bypass - SA-CONTRIB-2019-043

This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The Services module has an access bypass vulnerability in its "attachfile" resource that allows users who have access to create or update nodes that include file fields to...

6.4AI score
Exploits0References5
Drupal
Drupal
•added 2019/03/27 12:0 a.m.•16 views

Module Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2019-042

This module enables you to filter the list of modules on the admin modules page, and organizes packages into vertical tabs. The module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that the...

5.8AI score
Exploits0References5
Drupal
Drupal
•added 2019/03/20 12:0 a.m.•106 views

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004

Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting XSS vulnerability...

5.4CVSS1.9AI score0.12408EPSS
Exploits0References11
Drupal
Drupal
•added 2019/03/20 12:0 a.m.•14 views

RESTful - Critical - Remote code execution - SA-CONTRIB-2019-041

This resolves issues described in SA-CORE-2019-003 for this module...

6.7AI score
Exploits0References4
Drupal
Drupal
•added 2019/03/20 12:0 a.m.•17 views

Back To Top - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-040

This module enables you to add a button that hovers in the bottom of your screen and allows users to smoothly scroll up the page using jQuery. The module doesn't sufficiently sanitize the code that gets printed on pages leading to a Cross Site Scripting XSS issue. This vulnerability is mitigated ...

6AI score
Exploits0References4
Drupal
Drupal
•added 2019/03/20 12:0 a.m.•17 views

AddToAny Share Buttons - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-039

This module enables you to add social media share buttons on your website to its content and pages. The module doesn't sufficiently mark its administration permission restricted, allowing cross site scripting vulnerabilities to users who have access to its admin settings. This vulnerability is...

6.1AI score
Exploits0References5
Drupal
Drupal
•added 2019/03/13 12:0 a.m.•16 views

Video - Critical - Remote Code Execution - SA-CONTRIB-2019-037

This module provides a field where editors can add videos to their content and this module offers functionality to transcode these videos to different sizes and formats. The module doesn't sufficiently sanitize some user input on administrative forms...

6.7AI score
Exploits0References7
Drupal
Drupal
•added 2019/03/13 12:0 a.m.•15 views

Views (for Drupal 7) - Less critical - Cross site scripting - SA-CONTRIB-2019-036

This module enables you to create customized lists of data. The module doesn't sufficiently sanitize certain field types, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that a view must display a field with the format "Full data serialized" and an...

6AI score
Exploits0References12
Drupal
Drupal
•added 2019/03/13 12:0 a.m.•14 views

Views (for Drupal 7) - Moderately critical - Information disclosure - SA-CONTRIB-2019-035

This module enables you to create customized lists of data. The module doesn't sufficiently build queries when used with exposed filters, leading to a possible information disclosure vulnerability in certain rare circumstances. This vulnerability is mitigated by the fact that a view must have an...

6.2AI score
Exploits0References14
Drupal
Drupal
•added 2019/03/13 12:0 a.m.•16 views

Views (for Drupal 7) - Moderately critical - Information Disclosure - SA-CONTRIB-2019-034

This module enables you to create customized lists of data. The module doesn't sufficiently protect against argument definitions failing. This vulnerability is mitigated by the fact that a view must have custom PHP code used as a field validator...

7AI score
Exploits0References11
Drupal
Drupal
•added 2019/03/13 12:0 a.m.•9 views

Simple hierarchical select - Moderately critical - Cross site request forgery - SA-CONTRIB-2019-038

Simple hierarchical select defines a new form widget for taxonomy fields to select a term by "browsing" through the vocabularies hierarchy. It also allows users to create new taxonomy terms using its widget directly in the node form. Version 7.x of Simple hierarchical select doesn't sufficiently...

7AI score
Exploits0References4
Drupal
Drupal
•added 2019/03/06 12:0 a.m.•14 views

Ubercart - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2019-032

The Ubercart module provides a shopping cart and e-commerce features for Drupal. The taxes module doesn't sufficiently protect the tax rate cloning feature. A malicious user could trick a store administrator into duplicating an existing tax rate by getting them to visit a specially-crafted URL...

6.6AI score
Exploits0References5
Drupal
Drupal
•added 2019/03/06 12:0 a.m.•27 views

EU Cookie Compliance (GDPR Compliance) - Critical - Cross site scripting - SA-CONTRIB-2019-033

This module addresses the General Data Protection Regulation GDPR that came into effect 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user when the website stores cookies on their computer or...

6.2AI score
Exploits0References9
Drupal
Drupal
•added 2019/03/06 12:0 a.m.•15 views

Drupal voor Gemeenten - Moderately critical - Access Bypass - SA-CONTRIB-2019-031

The DvG distrubition contains the feature module dvgdomains to support multiple domains. When the dvgdomains feature module is enabled, anonymous users are able to access some administration pages and change the settings exposed on those pages. This issue can be mitigated by disabling the...

6.8AI score
Exploits0References4
Drupal
Drupal
•added 2019/02/27 12:0 a.m.•12 views

Path Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-027

This module enables you to configure breadcrumbs for any Drupal page. This module doesn't properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer...

5.8AI score
Exploits0References6
Drupal
Drupal
•added 2019/02/27 12:0 a.m.•4 views

Context - Moderately critical - Cross site scripting - SA-CONTRIB-2019-028

This module enables you to manage contextual conditions and reactions for different portions of your site. The module doesn't sufficiently sanitize user output when displayed leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must hav...

5.4AI score
Exploits0References8
Drupal
Drupal
•added 2019/02/27 12:0 a.m.•16 views

Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2019-030

This module enables you to create facet-filters for results of a search query and exposes them as blocks The module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by two factors. First, an attacker must have...

5.8AI score
Exploits0References6
Drupal
Drupal
•added 2019/02/27 12:0 a.m.•10 views

Rabbit Hole - Moderately critical - Access bypass - SA-CONTRIB-2019-029

The Rabbit Hole module allows administrators to control what should happen when a regular user tries to view an entity at its own page; for example, it may deliver a 403 Access Denied or 404 Page Not Found response, or redirect the user to another path. The module doesn't respect the Rabbit Hole...

6.9AI score
Exploits0References6
Drupal
Drupal
•added 2019/02/27 12:0 a.m.•11 views

Services - Critical - SQL Injection - SA-CONTRIB-2019-026

This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The module doesn't sufficiently sanitize user input for entity index resources thus allowing SQL Injection attacks. This vulnerability is mitigated by the fact that the Drupal 7...

7.5AI score
Exploits0References4
Drupal
Drupal
•added 2019/02/20 12:0 a.m.•12 views

Font Awesome Icons - Critical - Remote Code Execution - SA-CONTRIB-2019-025

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...

6.7AI score
Exploits0References3
Drupal
Drupal
•added 2019/02/20 12:0 a.m.•16 views

Link - Critical - Remote Code Execution - SA-CONTRIB-2019-020

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...

6.7AI score
Exploits0References3
Drupal
Drupal
•added 2019/02/20 12:0 a.m.•13 views

RESTful Web Services - Critical - Access bypass - SA-CONTRIB-2019-018

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...

6.7AI score
Exploits0References3
Drupal
Drupal
•added 2019/02/20 12:0 a.m.•13 views

Translation Management Tool - Critical - Remote Code Execution - SA-CONTRIB-2019-024

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...

6.7AI score
Exploits0References3
Drupal
Drupal
•added 2019/02/20 12:0 a.m.•164 views

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003

Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services rest module enabled and allows GET, PAT...

8.1CVSS1.3AI score0.91919EPSS
Exploits22References31
Drupal
Drupal
•added 2019/02/20 12:0 a.m.•6 views

JSON:API - Highly critical - Remote code execution - SA-CONTRIB-2019-019

This resolves issues described in SA-CORE-2019-003 for this module...

7.2AI score
Exploits0References2
Drupal
Drupal
•added 2019/02/20 12:0 a.m.•12 views

Video - Critical - Remote Code Execution - SA-CONTRIB-2019-022

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...

6.7AI score
Exploits0References3
Drupal
Drupal
•added 2019/02/20 12:0 a.m.•18 views

Metatag - Critical - Remote code execution - SA-CONTRIB-2019-021

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...

6.7AI score
Exploits0References3
Drupal
Drupal
•added 2019/02/20 12:0 a.m.•8 views

Paragraphs - Critical - Remote Code Execution - SA-CONTRIB-2019-023

This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...

6.7AI score
Exploits0References3
Drupal
Drupal
•added 2019/02/13 12:0 a.m.•17 views

Drupal OAuth & OpenID Connect Login - OAuth2 Client SSO Login - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-016

This module enables you to allow login into the Drupal websites through an external provider over the OAuth 2.0 protocol. The module sets a Drupal variable used for redirection based on unsanitised user input, leading to an Open Redirect vulnerability. It also fails to sanitise user input which i...

6.5AI score
Exploits0References4
Drupal
Drupal
•added 2019/02/13 12:0 a.m.•18 views

Focal Point - Moderately critical - Cross site scripting - SA-CONTRIB-2019-015

This module enables a privileged user to specify the important part of an image for the purposes of cropping. The module doesn't sufficiently sanitize certain form element attributes when the focal point widget is displayed on a form. This vulnerability is mitigated by the fact that an attacker...

6.4AI score
Exploits0References6
Drupal
Drupal
•added 2019/02/13 12:0 a.m.•15 views

Entity Registration - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-017

This module enables you to take registrations for events, gathering information from registrants including email address and any other questions you wish to configure. In some cases, an anonymous user may view, edit, or delete other anonymous registrations by guessing the URL of that registration...

6.4AI score
Exploits0References5
Drupal
Drupal
•added 2019/02/06 12:0 a.m.•15 views

Acquia Connector - Moderately critical - Access bypass - SA-CONTRIB-2019-014

Acquia Connector facilitates sending certain telemetry data to Acquia for the purposes of analysis. The module automates the collection of site information to speed support communication and issue resolution. It is required for use with the Acquia Insight service. The module does not properly...

6.3AI score
Exploits0References9
Drupal
Drupal
•added 2019/02/06 12:0 a.m.•15 views

Public Download Count - Less critical - Open Redirect Vulnerability - SA-CONTRIB-2019-012

This module enables you to track download counts of files linked from a Drupal site. Links in Drupal content are rewritten to go through an intermediate page that records download stats and then redirects to the final destination. The module did not verify that the links provided to the...

6.5AI score
Exploits0References6
Drupal
Drupal
•added 2019/02/06 12:0 a.m.•6 views

Login Alert - Moderately critical - Access bypass - SA-CONTRIB-2019-013

This module provides a field on user profiles which allows users to get a notification when their account logs in to the site. The notification e-mail includes a link which will terminate all sessions for that user. This is useful in the case of unauthorised access to the account. The module...

7AI score
Exploits0References6
Drupal
Drupal
•added 2019/01/23 12:0 a.m.•4 views

Panels Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-007

Panels Breadcrumbs allows you to set your breadcrumbs directly from Panels configuration. This module doesn't properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to edit...

5.6AI score
Exploits0References6
Drupal
Drupal
•added 2019/01/23 12:0 a.m.•5 views

Gridstack field - Critical - Unsupported - SA-CONTRIB-2019-008

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...

7.1AI score
Exploits0References2
Total number of security vulnerabilities1940