Rabbit Hole - Moderately critical - Access bypass - SA-CONTRIB-2019-029
The Rabbit Hole module allows administrators to control what should happen when a regular user tries to view an entity at its own page; for example, it may deliver a 403 Access Denied or 404 Page Not Found response, or redirect the user to another path. The module doesn't respect the Rabbit Hole...
Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2019-030
This module enables you to create facet filters for the results of a search query and exposes them as blocks. The module doesn't sufficiently escape HTML in certain scenarios, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by two factors. First, an attacker must have...
Services - Critical - SQL Injection - SA-CONTRIB-2019-026
This module provides a standardized solution for building APIs so that external clients can communicate with Drupal. The module doesn't sufficiently sanitize user input for entity index resources, thus allowing SQL Injection attacks. This vulnerability is mitigated by the fact that the Drupal 7...
Path Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-027
This module enables you to configure breadcrumbs for any Drupal page. This module doesn't properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer...
RESTful Web Services - Critical - Access bypass - SA-CONTRIB-2019-018
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
Translation Management Tool - Critical - Remote Code Execution - SA-CONTRIB-2019-024
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
Link - Critical - Remote Code Execution - SA-CONTRIB-2019-020
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
JSON:API - Highly critical - Remote code execution - SA-CONTRIB-2019-019
This resolves issues described in SA-CORE-2019-003 for this module...
Metatag - Critical - Remote code execution - SA-CONTRIB-2019-021
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
Font Awesome Icons - Critical - Remote Code Execution - SA-CONTRIB-2019-025
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003
Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows GET, PAT...
Video - Critical - Remote Code Execution - SA-CONTRIB-2019-022
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
Paragraphs - Critical - Remote Code Execution - SA-CONTRIB-2019-023
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
Focal Point - Moderately critical - Cross site scripting - SA-CONTRIB-2019-015
This module enables a privileged user to specify the important part of an image for the purposes of cropping. The module doesn't sufficiently sanitize certain form element attributes when the focal point widget is displayed on a form. This vulnerability is mitigated by the fact that an attacker...
Entity Registration - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-017
This module enables you to take registrations for events, gathering information from registrants including email address and any other questions you wish to configure. In some cases, an anonymous user may view, edit, or delete other anonymous registrations by guessing the URL of that registration...
Drupal OAuth & OpenID Connect Login - OAuth2 Client SSO Login - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-016
This module enables you to allow login into the Drupal websites through an external provider over the OAuth 2.0 protocol. The module sets a Drupal variable used for redirection based on unsanitised user input, leading to an Open Redirect vulnerability. It also fails to sanitise user input which i...
Public Download Count - Less critical - Open Redirect Vulnerability - SA-CONTRIB-2019-012
This module enables you to track download counts of files linked from a Drupal site. Links in Drupal content are rewritten to go through an intermediate page that records download stats and then redirects to the final destination. The module did not verify that the links provided to the...
Acquia Connector - Moderately critical - Access bypass - SA-CONTRIB-2019-014
Acquia Connector facilitates sending certain telemetry data to Acquia for the purposes of analysis. The module automates the collection of site information to speed support communication and issue resolution. It is required for use with the Acquia Insight service. The module does not properly...
Login Alert - Moderately critical - Access bypass - SA-CONTRIB-2019-013
This module provides a field on user profiles which allows users to get a notification when their account logs in to the site. The notification e-mail includes a link which will terminate all sessions for that user. This is useful in the case of unauthorised access to the account. The module...
Nodeaccess - Critical - Unsupported - SA-CONTRIB-2019-009
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...
Anti-Spam by CleanTalk - Critical - Cross site scripting and SQL Injection - SA-CONTRIB-2019-010
The Anti-Spam by CleanTalk module protects your Drupal sites from spambot registrations and spam comment submissions through comment and contact forms. This module does not sufficiently filter submitted content in certain circumstances...
Webform Table Element - Critical - Unsupported - SA-CONTRIB-2019-005
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...
Preview Link - Moderately critical - Access bypass - SA-CONTRIB-2019-004
The Preview Link module enables you to generate preview links so anonymous users can access unpublished revisions of content. The last release of the module introduced an access bypass allowing users to present invalid tokens but still access unpublished content...
Panels Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-007
Panels Breadcrumbs allows you to set your breadcrumbs directly from Panels configuration. This module doesn't properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to edit...
Expand collapse formatter - Critical - Unsupported - SA-CONTRIB-2019-011
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...
Gridstack field - Critical - Unsupported - SA-CONTRIB-2019-008
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...
Image Annotator [Annotorious] - Critical - Unsupported - SA-CONTRIB-2019-006
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...
Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2019-002
A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this...
Drupal core - Critical - Third Party Libraries - SA-CORE-2019-001
Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details...
Phone Field - Critical - SQL Injection - SA-CONTRIB-2019-001
This module provides a phone field for Drupal 7 that supports the HTML5 tel: URI scheme. In an API function that is not used by the module, the name of the phone field is not sufficiently sanitised when it is used in database queries. This vulnerability is mitigated by the fact that it affects an unus...
Aegir HTTPS - Moderately critical - Access bypass - SA-CONTRIB-2019-003
Aegir is a Web hosting control panel program that provides a Drupal-based graphical interface designed to simplify deploying, managing and upgrading an entire network of Drupal, WordPress and CiviCRM Web sites. The Hosting HTTPS module is a commonly used piece of the Aegir platform. This module...
Provision - Moderately critical - Access bypass - SA-CONTRIB-2019-002
Aegir is a Web hosting control panel program that provides a Drupal-based graphical interface designed to simplify deploying, managing and upgrading an entire network of Drupal, WordPress and CiviCRM Web sites. The Provision module is a core piece of the Aegir platform. This module doesn't...
E-Sign - Moderately critical - Cross site scripting - SA-CONTRIB-2018-080
This module allows for integration of Signature Pad, an electronic-signing script, into Drupal for node content, the Field API (FAPI), and Webforms. The module doesn't sufficiently filter user input when displaying a signature. The vulnerability is mitigated by the fact that an attacker must...
JSON:API - Moderately critical - Access bypass - SA-CONTRIB-2018-081
This module provides a JSON:API specification-compliant HTTP API for accessing and manipulating Drupal content and configuration entities. The module doesn't sufficiently check access when responding to certain filtered collection requests, thereby causing an access bypass vulnerability. This mea...
Salesforce Suite - Moderately critical - Access bypass - SA-CONTRIB-2018-078
This module enables Drupal to synchronize entities with Salesforce records. The module includes a page that does not sufficiently protect access rights, resulting in potential information disclosure. This vulnerability is mitigated by the fact that only Drupal entity title and IDs, and Salesforce...
Password Policy - Less critical - Denial of Service - SA-CONTRIB-2018-077
The Password Policy module makes it possible to set constraints on user passwords which disallow certain passwords. The "digit placement" constraint is vulnerable to Denial of Service attacks if an attacker submits specially crafted passwords which can cause a site to become unresponsive. This...
Responsive Menus - Moderately critical - Cross site scripting - SA-CONTRIB-2018-079
This module enables you to collapse your site's main menu on mobile and show a menu toggle button. The module doesn't sufficiently sanitize configuration settings provided by users, which leads to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacke...
GatherContent - Moderately critical - Access bypass - SA-CONTRIB-2018-075
This module enables you to import and export data from the GatherContent service. The module didn't properly protect its administrative paths...
Bootstrap - Moderately critical - Cross site scripting - SA-CONTRIB-2018-074
This base theme bridges the gap between Drupal and the Bootstrap Framework. The theme doesn't sufficiently filter valid targets under the scenario of opening modals, popovers, and tooltips. This vulnerability is mitigated by the fact that an attacker must already have the ability to either:...
Date Reminder - Moderately critical - Access bypass - SA-CONTRIB-2018-076
This module allows registered users to request email reminders to be sent at a specified time before an event. The module doesn't sufficiently check access to nodes, allowing a user to set a reminder on a node that the user shouldn't be able to access. This can be mitigated by configuring...
Paragraphs - Moderately critical - Access Bypass - SA-CONTRIB-2018-073
The Paragraphs module allows Drupal Site Builders to make content organization cleaner so that you can give more editing power to end-users. The module doesn't sufficiently check access to create new paragraph entities which can cause access bypass issues when used in combination with other...
Decoupled Router - Critical - Access bypass - SA-CONTRIB-2018-071
This module enables you to resolve the provided Drupal path in order to find the canonical path and information about the resolved entity. This information includes entity type ID, entity ID, entity UUID and entity label. The module doesn't sufficiently check access before displaying entity label...
Session Limit - Critical - Insecure Session Management - SA-CONTRIB-2018-072
The Session Limit module enables a site administrator to set a policy around the number of active sessions users of the site may have. This is typically set to one so that you can only be logged in once with the same user account. In one configuration of the module, when a user logs in with anoth...
Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006
Content moderation - Moderately critical - Access bypass - Drupal 8. In some conditions, content moderation fails to check a user's access to use certain transitions, leading to an access bypass. In order to fix this issue, the following changes have been made to content moderation which may have...
Workbench Moderation - Moderately critical - Access bypass - SA-CONTRIB-2018-067
The Workbench Moderation module adds arbitrary moderation states to Drupal core's "unpublished" and "published" node states, and affects the behavior of node revisions when nodes are published. In some conditions, content moderation fails to check a user's access to use certain transitions, leadin...
Search Autocomplete - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-070
The Search Autocomplete module enables you to autocomplete text fields using data from your website (nodes, comments, etc.). The module doesn't sufficiently filter user-entered text among the autocompletion items, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability can be exploit...
HTML Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-069
The HTML Mail module lets you theme your messages the same way you theme the rest of your website. When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution. This issue is related to the Drupal Core release SA-CORE-2018-006...
Mime Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-068
The MIME Mail module allows sending MIME-encoded e-mail messages with embedded images and attachments. The module doesn't sufficiently sanitize some variables for shell arguments when sending email, which could lead to arbitrary remote code execution. This issue is related to the Drupal Core...
NVP field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-066
NVP field module allows you to create a field type of name/value pairs, with custom titles and easily editable rendering with customizable HTML/text surrounding the pairs. The module doesn't sufficiently handle sanitization of its field formatter's output. This vulnerability is mitigated by the...
Search API Solr - Moderately critical - Access bypass - SA-CONTRIB-2018-065
This module provides support for creating searches using the Apache Solr search engine and the Search API Drupal module. The module doesn't sufficiently take the searched fulltext fields into account when creating a search excerpt. This can, in specific cases, lead to confidential data being leak...