Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
•added 2019/01/23 12:0 a.m.•7 views

Image Annotator [Annotorious] - Critical - Unsupported - SA-CONTRIB-2019-006

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...

7.1AI score
Exploits0References2
Drupal
Drupal
•added 2019/01/23 12:0 a.m.•8 views

Expand collapse formatter - Critical - Unsupported - SA-CONTRIB-2019-011

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...

7.1AI score
Exploits0References2
Drupal
Drupal
•added 2019/01/23 12:0 a.m.•7 views

Nodeaccess - Critical - Unsupported - SA-CONTRIB-2019-009

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...

7.1AI score
Exploits0References2
Drupal
Drupal
•added 2019/01/23 12:0 a.m.•17 views

Preview Link - Moderately critical - Access bypass - SA-CONTRIB-2019-004

The Preview Link module enables you to generate preview links so anonymous users can access unpublished revisions of content. The last release of the module introduced an access bypass allowing users to present invalid tokens but still access unpublished content...

6.7AI score
Exploits0References5
Drupal
Drupal
•added 2019/01/23 12:0 a.m.•7 views

Webform Table Element - Critical - Unsupported - SA-CONTRIB-2019-005

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...

7.1AI score
Exploits0References2
Drupal
Drupal
•added 2019/01/23 12:0 a.m.•17 views

Anti-Spam by CleanTalk - Critical - Cross site scripting and SQL Injection - SA-CONTRIB-2019-010

Anti-spam module by CleanTalk to protect your Drupal sites from spambot registration and spam comments publications thru comment and contact forms. This module does not sufficiently filter submitted content in certain circumstances...

6.8AI score
Exploits0References7
Drupal
Drupal
•added 2019/01/16 12:0 a.m.•88 views

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2019-002

A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code core, contrib, and custom may be performing file operations on insufficiently validated user input, thereby being exposed to this...

9.8CVSS2.7AI score0.33228EPSS
Exploits0References19
Drupal
Drupal
•added 2019/01/16 12:0 a.m.•81 views

Drupal core - Critical - Third Party Libraries - SA-CORE-2019-001

Drupal core uses the third-party PEAR ArchiveTar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details...

8.8CVSS1.7AI score0.19207EPSS
Exploits5References13
Drupal
Drupal
•added 2019/01/09 12:0 a.m.•11 views

Provision - Moderately critical - Access bypass - SA-CONTRIB-2019-002

Aegir is a Web hosting control panel program that provides a Drupal-based graphical interface designed to simplify deploying, managing and upgrading an entire network of Drupal, Wordpress and CiviCRM Web sites. The Provision module is a core piece of the Aegir platform. This module doesn't...

6.7AI score
Exploits0References10
Drupal
Drupal
•added 2019/01/09 12:0 a.m.•15 views

Phone Field - Critical - SQL Injection - SA-CONTRIB-2019-001

This module provides a phone field for Drupal 7 that supports the HTML5 tel:-schema. In an API function that is not used by the module, the name for the phone field is not sufficiently sanitised when using it in database queries. This vulnerability is mitigated by the fact that it affects an unus...

6.7AI score
Exploits0References5
Drupal
Drupal
•added 2019/01/09 12:0 a.m.•22 views

Aegir HTTPS - Moderately critical - Access bypass - SA-CONTRIB-2019-003

Aegir is a Web hosting control panel program that provides a Drupal-based graphical interface designed to simplify deploying, managing and upgrading an entire network of Drupal, Wordpress and CiviCRM Web sites. The Hosting HTTPS module is a commonly used piece of the Aegir platform. This module...

6.6AI score
Exploits0References10
Drupal
Drupal
•added 2018/12/19 12:0 a.m.•5 views

JSON:API - Moderately critical - Access bypass - SA-CONTRIB-2018-081

This module provides a JSON:API specification-compliant HTTP API for accessing and manipulating Drupal content and configuration entities. The module doesn't sufficiently check access when responding to certain filtered collection requests, thereby causing an access bypass vulnerability. This mea...

7.2AI score
Exploits0References14
Drupal
Drupal
•added 2018/12/19 12:0 a.m.•15 views

E-Sign - Moderately critical - Cross site scripting - SA-CONTRIB-2018-080

This module allows for integration of Signature Pad, an electronic-signing script, into Drupal for both nodes content, the Field API FAPI, and Webforms. The module doesn't sufficiently filter user input when displaying a signature. The vulnerability is mitigated by the fact that an attacker must...

6.4AI score
Exploits0References6
Drupal
Drupal
•added 2018/12/05 12:0 a.m.•14 views

Password Policy - Less critical - Denial of Service - SA-CONTRIB-2018-077

The Password Policy module makes it possible to set constraints on user passwords which disallow certain passwords. The "digit placement" constraint is vulnerable to Denial of Service attacks if an attacker submits specially crafted passwords which can cause a site to become unresponsive. This...

6.4AI score
Exploits0References5
Drupal
Drupal
•added 2018/12/05 12:0 a.m.•10 views

Responsive Menus - Moderately critical - Cross site scripting - SA-CONTRIB-2018-079

This module enables you to collapse your sites main menu on mobile, and show a menu toggle button. The module doesn't sufficiently sanitize configuration settings provided by users which leads to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacke...

5.9AI score
Exploits0References5
Drupal
Drupal
•added 2018/12/05 12:0 a.m.•12 views

Salesforce Suite - Moderately critical - Access bypass - SA-CONTRIB-2018-078

This module enables Drupal to synchronize entities with Salesforce records. The module includes a page that does not sufficiently protect access rights, resulting in potential information disclosure. This vulnerability is mitigated by the fact that only Drupal entity title and IDs, and Salesforce...

6.1AI score
Exploits0References6
Drupal
Drupal
•added 2018/11/28 12:0 a.m.•21 views

Bootstrap - Moderately critical - Cross site scripting - SA-CONTRIB-2018-074

This base theme bridges the gap between Drupal and the Bootstrap Framework. The theme doesn't sufficiently filter valid targets under the scenario of opening modals, popovers, and tooltips. This vulnerability is mitigated by the fact that an attacker must already have the ability to either:...

5.9AI score
Exploits0References12
Drupal
Drupal
•added 2018/11/28 12:0 a.m.•21 views

GatherContent - Moderately critical - Access bypass - SA-CONTRIB-2018-075

This module enables you to import and export data from the GatherContent service. The module didn't properly protect its administrative paths...

6.7AI score
Exploits0References7
Drupal
Drupal
•added 2018/11/28 12:0 a.m.•17 views

Date Reminder - Moderately critical - Access bypass - SA-CONTRIB-2018-076

This module allows registered users to request email reminders to be sent at a specified time before an event. The module doesn't sufficiently check access to nodes, allowing a user to set a reminder on a node that the user shouldn't be able to access. This can be mitigated with configuring...

6.5AI score
Exploits0References5
Drupal
Drupal
•added 2018/10/31 12:0 a.m.•8 views

Paragraphs - Moderately critical - Access Bypass - SA-CONTRIB-2018-073

The Paragraphs module allows Drupal Site Builders to make content organization cleaner so that you can give more editing power to end-users. The module doesn't sufficiently check access to create new paragraph entities which can cause access bypass issues when used in combination with other...

7.1AI score
Exploits0References9
Drupal
Drupal
•added 2018/10/31 12:0 a.m.•19 views

Decoupled Router - Critical - Access bypass - SA-CONTRIB-2018-071

This module enables you to resolve the provided Drupal path in order to find the canonical path and information about the resolved entity. This information includes entity type ID, entity ID, entity UUID and entity label. The module doesn't sufficiently check access before displaying entity label...

6.4AI score
Exploits0References6
Drupal
Drupal
•added 2018/10/31 12:0 a.m.•17 views

Session Limit - Critical - Insecure Session Management - SA-CONTRIB-2018-072

The session limit module enables a site administrator to set a policy around the number of active sessions users of the site may have. This is typically set to one so that you can only be logged in once with the same user account. In one configuration of the module, when a user logs in with anoth...

6AI score
Exploits0References7
Drupal
Drupal
•added 2018/10/17 12:0 a.m.•6 views

Mime Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-068

The MIME Mail module allows to send MIME-encoded e-mail messages with embedded images and attachments. The module doesn't sufficiently sanitized some variables for shell arguments when sending email, which could lead to arbitrary remote code execution. This issue is related to the Drupal Core...

8.1AI score
Exploits0References6
Drupal
Drupal
•added 2018/10/17 12:0 a.m.•564 views

Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006

Content moderation - Moderately critical - Access bypass - Drupal 8 In some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass. In order to fix this issue, the following changes have been made to content moderation which may have...

8.4AI score
Exploits0References31
Drupal
Drupal
•added 2018/10/17 12:0 a.m.•22 views

Workbench Moderation - Moderately critical - Access bypass - SA-CONTRIB-2018-067

The Workbench Moderation module adds arbitrary moderation states to Drupal core's "unpublished" and "published" node states, and affects the behavior of node revisions when nodes are published. In some conditions, content moderation fails to check a users access to use certain transitions, leadin...

6.7AI score
Exploits0References12
Drupal
Drupal
•added 2018/10/17 12:0 a.m.•10 views

HTML Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-069

The HTML Mail module lets you theme your messages the same way you theme the rest of your website. When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution. This issue is related to the Drupal Core release SA-CORE-2018-006...

7.3AI score
Exploits0References8
Drupal
Drupal
•added 2018/10/17 12:0 a.m.•25 views

Search Autocomplete - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-070

This Search Autocomplete module enables you to autocomplete textfield using data from your website nodes, comments, etc... The module doesn't sufficiently filter user-entered text among the autocompletion items leading to a Cross Site Scripting XSS vulnerability. This vulnerability can be exploit...

6.1CVSS5.9AI score0.00793EPSS
Exploits0References6
Drupal
Drupal
•added 2018/10/10 12:0 a.m.•15 views

NVP field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-066

NVP field module allows you to create a field type of name/value pairs, with custom titles and easily editable rendering with customizable HTML/text surrounding the pairs. The module doesn't sufficiently handle sanitization of its field formatter's output. This vulnerability is mitigated by the...

6.4AI score
Exploits0References5
Drupal
Drupal
•added 2018/10/10 12:0 a.m.•4 views

Lightbox2 - Critical - Cross Site Scripting - SA-CONTRIB-2018-064

The Lightbox2 module enables you to overlay images on the current page. The module did not sanitize some inputs when used in combination with a custom view leading to potential Cross Site Scripting XSS...

5.4AI score
Exploits0References7
Drupal
Drupal
•added 2018/10/10 12:0 a.m.•17 views

Search API Solr - Moderately critical - Access bypass - SA-CONTRIB-2018-065

This module provides support for creating searches using the Apache Solr search engine and the Search API Drupal module. The module doesn't sufficiently take the searched fulltext fields into account when creating a search excerpt. This can, in specific cases, lead to confidential data being leak...

6.8AI score
Exploits0References7
Drupal
Drupal
•added 2018/10/03 12:0 a.m.•19 views

Printer, email and PDF versions - Highly critical - Remote Code Execution - SA-CONTRIB-2018-063

This module provides printer-friendly versions of content, including send by e-mail and PDF versions. The module doesn't sufficiently sanitize the arguments passed to the wkhtmltopdf executable, allowing a remote attacker to execute arbitrary shell commands. It also doesn't sufficiently sanitize...

7.1AI score
Exploits0References7
Drupal
Drupal
•added 2018/09/26 12:0 a.m.•5 views

Taxonomy File Tree - Moderately critical - Access bypass - SA-CONTRIB-2018-061

Taxonomy File Tree allows site managers to create file trees. For files managed as Drupal files, the module does not properly check that a user has access to a file before letting the user download the file. This vulnerability only affects sites that use private files...

5.3AI score
Exploits0References7
Drupal
Drupal
•added 2018/09/26 12:0 a.m.•17 views

Commerce Klarna Checkout - Moderately critical - Access bypass - SA-CONTRIB-2018-062

The Commerce Klarna Checkout module enables you to accept payments from the Klarna Checkout payment provider The module doesn't sufficiently validate the payment callback made by Klarna. An attacker could bypass the payment step...

6.6AI score
Exploits0References6
Drupal
Drupal
•added 2018/09/19 12:0 a.m.•16 views

Renderkit - Moderately critical - Access bypass - SA-CONTRIB-2018-060

This module, typically in combination with cfr:cfrplugin, allows to compose behaviors from granular components. One of such behaviors is to display a list of related entities, for a given source entity and a given entity relation e.g. an entity reference field. The components that display related...

6.4AI score
Exploits0References5
Drupal
Drupal
•added 2018/09/05 12:0 a.m.•14 views

Fraction - Less critical - XSS vulnerability - SA-CONTRIB-2018-059

This module enables you to create fields for storing decimal values as two integers numerator and denominator for maximum precision. The module doesn't sufficiently filter XSS strings out of field labels. This vulnerability is mitigated by the fact that an attacker must have a role with the abili...

5.9AI score
Exploits0References7
Drupal
Drupal
•added 2018/08/29 12:0 a.m.•21 views

Bing Autosuggest API - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-058

This module enables you to use the Bing Autosuggest API. The module doesn't sufficiently sanitize a value used to populate an API request...

6.6AI score
Exploits0References5
Drupal
Drupal
•added 2018/08/29 12:0 a.m.•9 views

Commerce Core - Moderately critical - Access bypass - SA-CONTRIB-2018-057

This module enables you to build eCommerce websites and applications with Drupal. The module doesn't sufficiently check access for some of its entity types...

6.9AI score
Exploits0References6
Drupal
Drupal
•added 2018/08/15 12:0 a.m.•17 views

File (Field) Paths - Critical - Remote Code Execution - SA-CONTRIB-2018-056

This module enables you to automatically sort and rename your uploaded files using token based replacement patterns to maintain a nice clean filesystem. The module doesn't sufficiently sanitize the path while a new file is uploading, allowing a remote attacker to execute arbitrary PHP code. This...

7.3AI score
Exploits0References7
Drupal
Drupal
•added 2018/08/08 12:0 a.m.•16 views

PHP Configuration - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-055

This module enables you to add or overwrite PHP configuration on a drupal website. The module doesn't sufficiently allow access to set these configurations, leading to arbitrary PHP configuration execution by an attacker. This vulnerability is mitigated by the fact that an attacker must have a ro...

6.8AI score
Exploits0References7
Drupal
Drupal
•added 2018/08/01 12:0 a.m.•550 views

Drupal Core - 3rd-party libraries -SA-CORE-2018-005

The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue. The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does...

1.9AI score0.58061EPSS
Exploits0References9Affected Software1
Drupal
Drupal
•added 2018/08/01 12:0 a.m.•583 views

Drupal Core - 3rd-party libraries -SA-CORE-2018-005

The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue. The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does...

6.5CVSS6.6AI score0.58061EPSS
Exploits0References9
Drupal
Drupal
•added 2018/07/25 12:0 a.m.•9 views

Select (or other) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-054

This module enables users to select 'other' on certain form elements and a textfield appears for the user to provide a custom value. The module doesn't sufficiently escape values of a text field the under the scenario when "Select or other" formatter is used. This vulnerability is mitigated by th...

6.5AI score
Exploits0References7
Drupal
Drupal
•added 2018/07/18 12:0 a.m.•4 views

Taxonomy Entity Queue - Critical - SQL Injection - SA-CONTRIB-2018-052

This module enables you to create an entityqueue based on a taxonomy. The module did not properly use Drupal's database API when querying the database with user supplied values, allowing an attacker to send a specially crafted request to modify the query or potentially perform additional queries...

5.7AI score
Exploits0References6
Drupal
Drupal
•added 2018/07/18 12:0 a.m.•8 views

XML sitemap - Moderately critical - Information Disclosure - SA-CONTRIB-2018-053

This module enables you to generate XML sitemaps and it helps search engines to more intelligently crawl a website and keep their results up to date. The module doesn't sufficiently handle access rights under the scenario of updating contents from cron execution...

7AI score
Exploits0References7
Drupal
Drupal
•added 2018/07/11 12:0 a.m.•19 views

Beale Street - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-048

This theme features 4 built-in color styles, 18 collapsible regions, Suckerfish menus, flexible widths, adjustable sidebars, configurable font family, and lots more. The theme doesn't sufficiently sanitize user input. This vulnerability is mitigated by the fact that the theme is not exploitable...

6.6AI score
Exploits0References6
Drupal
Drupal
•added 2018/07/11 12:0 a.m.•17 views

NewsFlash - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-049

This theme features 7 color styles, 12 collapsible regions, suckerfish menus, fluid or fixed widths, and lots more. The theme doesn't sufficiently sanitize user input. This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site...

6.7AI score
Exploits0References6
Drupal
Drupal
•added 2018/07/11 12:0 a.m.•14 views

litejazz - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-050

This theme features 3 color styles, 12 fully collapsible regions, suckerfish menus, fluid or fixed widths, easy configuration, and more. The theme doesn't sufficiently sanitize user input. This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and...

6.7AI score
Exploits0References6
Drupal
Drupal
•added 2018/07/11 12:0 a.m.•30 views

EU Cookie Compliance (GDPR Compliance) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-047

This module addresses the General Data Protection Regulation GDPR that came into effect 25th May 2018, and the EU Directive on Privacy and Electronic Communications from 2012. It provides a banner where you can gather consent from the user to store cookies on their computer and handle their...

6.6AI score
Exploits0References7
Drupal
Drupal
•added 2018/07/11 12:0 a.m.•16 views

Tapestry - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-051

This theme provides Drupal users with many advanced features including 20 Different Color Styles, 30 User Regions, Custom Block Theme Templates, Suckerfish Menus, Icon Support, Advanced Page Layout Options, Simple Configuration, Custom Typography... The theme doesn't sufficiently sanitize user...

6.6AI score
Exploits0References6
Drupal
Drupal
•added 2018/07/11 12:0 a.m.•11 views

Commerce Custom Order Status - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-046

Commerce Custom Order Status provides forms for administrators to add, edit, and delete order statuses from the order settings screen. The module doesn't sufficiently sanitize the output of the status names. This vulnerability is mitigated by the fact that an attacker must have a role with the...

6.5AI score
Exploits0References5
Total number of security vulnerabilities1940