1940 matches found
Advanced Forum - Critical - Cross Site Scripting - SA-CONTRIB-2019-054
Advanced Forum builds on and enhances Drupal's core forum module. When used in combination with other Drupal contributed modules, many of which are automatically used by Advanced Forum, you can achieve much of what stand alone software provides. The module doesn't sufficiently sanitise user input...
Easy Breadcrumb - Critical - Cross Site Scripting - SA-CONTRIB-2019-053
This module enables you to use the current URL path alias and the current page's title to automatically extract the breadcrumb's segments and its respective links then show them as breadcrumbs on your website. The module doesn't sufficiently sanitise user input in certain circumstances. This...
Universally Unique IDentifier - Moderately critical - Access bypass - SA-CONTRIB-2019-052
This module provides an API for adding universally unique identifiers UUID to Drupal objects, most notably entities. The module has a privilege escalation vulnerability when it's used in combination with Services+REST server. This vulnerability is mitigated by the fact that an attacker must...
TableField - Moderately critical - Access bypass and Cross Site Scripting - SA-CONTRIB-2019-051
This module allows you to attach tabular data to an entity. Access bypass There's no access check for users with an "Export Tablefield Data as CSV". They can export data from unpublished nodes or otherwise inaccessible entities. This vulnerability is mitigated by the fact that an attacker must ha...
Menu Item Extras - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2019-050
This module enables you to handle fields for Custom Menu Links. The module doesn't sufficiently check requests to one of the module controllers if the user has permission 'administer menu'. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create...
Workflow - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-049
The Workflow module enables you to create arbitrary Workflows, and assign them to Entities. The module doesn't sufficiently escape HTML in the field settings leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...
Multiple Registration - Critical - Access bypass - SA-CONTRIB-2019-048
This module enables you to use special routes for user registration with special roles and custom field sets defined for the role. The module doesn't sufficiently check which user roles can be registered under the scenario when the user tries to register the user with the administrator role. This...
Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2019-047
In certain configuration cases, when a learning path is configured as semi-private, anonymous users are allowed to join a learning path when they should not...
Opigno forum - Less critical - Access bypass - SA-CONTRIB-2019-046
In certain circumstances it is possible that certain forum information is available to unprivileged users because the access check is done with node access instead of grants. This vulnerability is mitigated by the fact that the module itself does not disclose information but only if there are...
Drupal core - Moderately critical - Third-party libraries - SA-CORE-2019-007
This security release fixes third-party dependencies included in or required by Drupal core. As described in TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor: In order to intercept file invocations like fileexists or stat on compromised Phar archives the base name has ...
Drupal core - Moderately critical - Multiple Vulnerabilities - SA-CORE-2019-005
This security release fixes third-party dependencies included in or required by Drupal core. CVE-2019-10909: Escape validation messages in the PHP templating engine. From that advisory: Validation messages were not escaped when using the form theme of the PHP templating engine which, when...
Stage File Proxy - Less critical - Denial of Service - SA-CONTRIB-2019-044
Stage File Proxy is a general solution for getting production files on a development server on demand. The module doesn't sufficiently validate requested urls, allowing an attacker to send repeated requests for files that do not exist which could exhaust resources on the server where Stage File...
TableField - Critical - Remote Code Execution - SA-CONTRIB-2019-045
This module allows you to attach tabular data to an entity. The module doesn't sufficiently determine that the data being unserialized is the contents of a tablefield when users request a CSV export, which could lead to Remote Code Execution via Object Injection. This vulnerability is mitigated b...
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-006
The jQuery project released version 3.4.0, and as part of that, disclosed a security vulnerability that affects all prior versions. As described in their release notes: jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extendtrue, , .... If an unsanitized source object...
Services - Less critical - Access bypass - SA-CONTRIB-2019-043
This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The Services module has an access bypass vulnerability in its "attachfile" resource that allows users who have access to create or update nodes that include file fields to...
Module Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2019-042
This module enables you to filter the list of modules on the admin modules page, and organizes packages into vertical tabs. The module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that the...
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004
Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting XSS vulnerability...
RESTful - Critical - Remote code execution - SA-CONTRIB-2019-041
This resolves issues described in SA-CORE-2019-003 for this module...
Back To Top - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-040
This module enables you to add a button that hovers in the bottom of your screen and allows users to smoothly scroll up the page using jQuery. The module doesn't sufficiently sanitize the code that gets printed on pages leading to a Cross Site Scripting XSS issue. This vulnerability is mitigated ...
AddToAny Share Buttons - Moderately critical - Cross Site Scripting - SA-CONTRIB-2019-039
This module enables you to add social media share buttons on your website to its content and pages. The module doesn't sufficiently mark its administration permission restricted, allowing cross site scripting vulnerabilities to users who have access to its admin settings. This vulnerability is...
Video - Critical - Remote Code Execution - SA-CONTRIB-2019-037
This module provides a field where editors can add videos to their content and this module offers functionality to transcode these videos to different sizes and formats. The module doesn't sufficiently sanitize some user input on administrative forms...
Views (for Drupal 7) - Less critical - Cross site scripting - SA-CONTRIB-2019-036
This module enables you to create customized lists of data. The module doesn't sufficiently sanitize certain field types, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that a view must display a field with the format "Full data serialized" and an...
Views (for Drupal 7) - Moderately critical - Information disclosure - SA-CONTRIB-2019-035
This module enables you to create customized lists of data. The module doesn't sufficiently build queries when used with exposed filters, leading to a possible information disclosure vulnerability in certain rare circumstances. This vulnerability is mitigated by the fact that a view must have an...
Views (for Drupal 7) - Moderately critical - Information Disclosure - SA-CONTRIB-2019-034
This module enables you to create customized lists of data. The module doesn't sufficiently protect against argument definitions failing. This vulnerability is mitigated by the fact that a view must have custom PHP code used as a field validator...
Simple hierarchical select - Moderately critical - Cross site request forgery - SA-CONTRIB-2019-038
Simple hierarchical select defines a new form widget for taxonomy fields to select a term by "browsing" through the vocabularies hierarchy. It also allows users to create new taxonomy terms using its widget directly in the node form. Version 7.x of Simple hierarchical select doesn't sufficiently...
Ubercart - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2019-032
The Ubercart module provides a shopping cart and e-commerce features for Drupal. The taxes module doesn't sufficiently protect the tax rate cloning feature. A malicious user could trick a store administrator into duplicating an existing tax rate by getting them to visit a specially-crafted URL...
EU Cookie Compliance (GDPR Compliance) - Critical - Cross site scripting - SA-CONTRIB-2019-033
This module addresses the General Data Protection Regulation GDPR that came into effect 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user when the website stores cookies on their computer or...
Drupal voor Gemeenten - Moderately critical - Access Bypass - SA-CONTRIB-2019-031
The DvG distrubition contains the feature module dvgdomains to support multiple domains. When the dvgdomains feature module is enabled, anonymous users are able to access some administration pages and change the settings exposed on those pages. This issue can be mitigated by disabling the...
Path Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-027
This module enables you to configure breadcrumbs for any Drupal page. This module doesn't properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer...
Context - Moderately critical - Cross site scripting - SA-CONTRIB-2019-028
This module enables you to manage contextual conditions and reactions for different portions of your site. The module doesn't sufficiently sanitize user output when displayed leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must hav...
Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2019-030
This module enables you to create facet-filters for results of a search query and exposes them as blocks The module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by two factors. First, an attacker must have...
Rabbit Hole - Moderately critical - Access bypass - SA-CONTRIB-2019-029
The Rabbit Hole module allows administrators to control what should happen when a regular user tries to view an entity at its own page; for example, it may deliver a 403 Access Denied or 404 Page Not Found response, or redirect the user to another path. The module doesn't respect the Rabbit Hole...
Services - Critical - SQL Injection - SA-CONTRIB-2019-026
This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The module doesn't sufficiently sanitize user input for entity index resources thus allowing SQL Injection attacks. This vulnerability is mitigated by the fact that the Drupal 7...
Font Awesome Icons - Critical - Remote Code Execution - SA-CONTRIB-2019-025
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
Link - Critical - Remote Code Execution - SA-CONTRIB-2019-020
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
RESTful Web Services - Critical - Access bypass - SA-CONTRIB-2019-018
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
Translation Management Tool - Critical - Remote Code Execution - SA-CONTRIB-2019-024
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003
Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services rest module enabled and allows GET, PAT...
JSON:API - Highly critical - Remote code execution - SA-CONTRIB-2019-019
This resolves issues described in SA-CORE-2019-003 for this module...
Video - Critical - Remote Code Execution - SA-CONTRIB-2019-022
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
Metatag - Critical - Remote code execution - SA-CONTRIB-2019-021
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
Paragraphs - Critical - Remote Code Execution - SA-CONTRIB-2019-023
This resolves issues described in SA-CORE-2019-003 for this module. Not all configurations are affected. See SA-CORE-2019-003 for details...
Drupal OAuth & OpenID Connect Login - OAuth2 Client SSO Login - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-016
This module enables you to allow login into the Drupal websites through an external provider over the OAuth 2.0 protocol. The module sets a Drupal variable used for redirection based on unsanitised user input, leading to an Open Redirect vulnerability. It also fails to sanitise user input which i...
Focal Point - Moderately critical - Cross site scripting - SA-CONTRIB-2019-015
This module enables a privileged user to specify the important part of an image for the purposes of cropping. The module doesn't sufficiently sanitize certain form element attributes when the focal point widget is displayed on a form. This vulnerability is mitigated by the fact that an attacker...
Entity Registration - Critical - Multiple Vulnerabilities - SA-CONTRIB-2019-017
This module enables you to take registrations for events, gathering information from registrants including email address and any other questions you wish to configure. In some cases, an anonymous user may view, edit, or delete other anonymous registrations by guessing the URL of that registration...
Acquia Connector - Moderately critical - Access bypass - SA-CONTRIB-2019-014
Acquia Connector facilitates sending certain telemetry data to Acquia for the purposes of analysis. The module automates the collection of site information to speed support communication and issue resolution. It is required for use with the Acquia Insight service. The module does not properly...
Public Download Count - Less critical - Open Redirect Vulnerability - SA-CONTRIB-2019-012
This module enables you to track download counts of files linked from a Drupal site. Links in Drupal content are rewritten to go through an intermediate page that records download stats and then redirects to the final destination. The module did not verify that the links provided to the...
Login Alert - Moderately critical - Access bypass - SA-CONTRIB-2019-013
This module provides a field on user profiles which allows users to get a notification when their account logs in to the site. The notification e-mail includes a link which will terminate all sessions for that user. This is useful in the case of unauthorised access to the account. The module...
Panels Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-007
Panels Breadcrumbs allows you to set your breadcrumbs directly from Panels configuration. This module doesn't properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to edit...
Gridstack field - Critical - Unsupported - SA-CONTRIB-2019-008
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...