JSON:API - Moderately critical - Access Bypass - SA-CONTRIB-2018-016
This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities. The module doesn't sufficiently check access when viewing related resources or relationships, thereby causing an access bypass vulnerability. This vulnerability is...
Exif - Critical - Access bypass - SA-CONTRIB-2018-017
This module enables you to retrieve image metadata and use them in fields or title. The module doesn't sufficiently restrict access to module setting pages thereby causing an access bypass vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to create...
JSON:API - Moderately critical - Multiple Vulnerabilities - SA-CONTRIB-2018-015
This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities. The module doesn't sufficiently associate cacheability metadata in certain situations thereby causing an access bypass vulnerability. This vulnerability is mitigated b...
CKEditor Upload Image - Critical - Access bypass - SA-CONTRIB-2018-014
This module enables you to drag and drop or paste images into CKEditor. The module does not sufficiently verify users' permissions, which leads to anonymous users being able to upload files to the server...
Entity API - Moderately critical - Information Disclosure - SA-CONTRIB-2018-013
The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. The module prints debugging information to the HTML output in certain error conditions thereby causing an information disclosure vulnerability. This...
Dynamic Banner - Less critical - Cross site scripting - SA-CONTRIB-2018-011
This module enables a site to display different banners via blocks on different pages depending upon specific criteria. The module doesn't sufficiently filter output of banner data. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...
Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2018-010
This module enables the user to set custom permissions per path. The module doesn't perform sufficient checks on paths with dynamic arguments like "node/1" or "user/2", thereby allowing the site administrator to save custom permissions for paths that won't be protected. This could lead to an acce...
Entity Backup - Critical - Module Unsupported - SA-CONTRIB-2018-012
The main purpose of the Entity Backup module is to keep a backup of deleted Drupal core entities and perform recovery of them. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to...
VChess - Critical - Module Unsupported - SA-CONTRIB-2018-009
The Drupal VChess module allows users to play a chess game. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466...
FileField Sources - Moderately critical - Access Bypass - SA-CONTRIB-2018-007
This module enables you to upload files to fields via several sources. The module doesn't sufficiently handle access control under the scenario of the autocomplete path of reference sources...
Entity Reference Tab / Accordion Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-008
This module enables you to show referenced entities in tabs. The module doesn't sufficiently sanitize the body fields of the referenced entities when it prints them to the tabs. This vulnerability is mitigated by the fact that an attacker must have a role with the permission create/edit content o...
Taxonomy Term Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-006
This module provides an expandable tree widget for the Taxonomy Term Reference field in Drupal 7. The module doesn't sufficiently sanitize the output of its own defined field formatter. This vulnerability is mitigated by the fact that an attacker must have a role with the permission that allows t...
Sagepay - Critical - Access Bypass - SA-CONTRIB-2018-005
This module integrates the Sagepay payment service. Some of the URLs used while processing the payment are not sufficiently secured. This might allow attackers to resume a previously failed payment attempt or to view content that should only be shown after a successful payment. This affects all...
Backup and Migrate - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-004
This module enables you to create manual and scheduled backups of a site, and restore the site from backup. The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles. Sites using this module should review the permissions page...
Bible - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-003
This module enables you to display a Bible on your website. Users can associate notes with a Bible version. This module has a vulnerability that would allow an attacker to wipe out, update or read notes from other users with a carefully crafted title. A user must have the "Access Bible content"...
Stacks - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-001
This module enables content editors to create complex pages and layouts on the fly without the help from a developer, using reusable widgets. The module does not sufficiently filter values posted to its AJAX endpoint, which leads to the instantiation of an arbitrary PHP class. This vulnerability ...
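The Stacks entry above describes an AJAX endpoint that instantiates whatever PHP class the request names. The following is an added Drupal 7 example, not code from the Stacks module, showing that shape next to a hardened one: the client sends a short key, the server owns the key-to-class map, and the request must carry a session-bound token. All names (example_*, the 'use example widgets' permission, the widget classes) are hypothetical.

```php
<?php
// Added example, not Stacks module code. All example_* names, the permission
// and the widget classes are hypothetical.

interface ExampleWidget {
  public function render();
}

class ExampleTextWidget implements ExampleWidget {
  protected $settings;
  public function __construct(array $settings) {
    $this->settings = $settings;
  }
  public function render() {
    return check_plain(isset($this->settings['text']) ? $this->settings['text'] : '');
  }
}

function example_menu() {
  $items['example/widget/ajax'] = array(
    'page callback' => 'example_widget_ajax',
    'access arguments' => array('use example widgets'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Vulnerable shape: the class name is whatever the request says it is.
// Any class loaded or autoloadable in the request becomes reachable,
// with attacker-chosen constructor arguments.
function example_widget_ajax_unsafe() {
  $class = $_POST['widget_class'];
  $widget = new $class($_POST['settings']);
  drupal_json_output(array('html' => $widget->render()));
}

// Hardened shape: a closed allow-list maps client keys to classes, and the
// request must carry a token issued earlier with drupal_get_token('example_widget').
function example_widget_types() {
  return array(
    'text' => 'ExampleTextWidget',
  );
}

function example_widget_ajax() {
  if (empty($_POST['token']) || !drupal_valid_token($_POST['token'], 'example_widget')) {
    drupal_json_output(array('error' => 'invalid token'));
    return;
  }
  $types = example_widget_types();
  $type = isset($_POST['widget_type']) ? (string) $_POST['widget_type'] : '';
  if (!isset($types[$type])) {
    drupal_json_output(array('error' => 'unknown widget type'));
    return;
  }
  $settings = (isset($_POST['settings']) && is_array($_POST['settings'])) ? $_POST['settings'] : array();
  $class = $types[$type];
  $widget = new $class($settings);
  drupal_json_output(array('html' => $widget->render()));
}
```

The permission in hook_menu keeps anonymous users away from the endpoint; the allow-list is what removes the class-instantiation primitive, and it should be applied to every string that selects a class, callable or file, not just this one parameter.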
Node View Permissions - Moderately critical - Access Bypass - SA-CONTRIB-2018-002
The Node view permissions module enables the "View own content" and "View any content" permissions for each content type on the permissions page. This module has a vulnerability that allows users with these permissions to view unpublished content that they are not otherwise authorized to view. Th...
ComScore direct tag - Less critical - Cross site scripting - SA-CONTRIB-2017-095
This module enables you to use the comScore Direct analytics system on a site. The module doesn't sufficiently sanitize one of the configuration variables prior to rendering it. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer comScore...
Link Click Count - Critical - Unsupported - SA-CONTRIB-2017-094
The Link Click Count module helps you to monitor the traffic to your website by creating link fields. These link fields can be individual links or internal/external links that can be added to the content type. The security team is marking this module unsupported. There is a known security issue...
Directory based organisational layer - Critical - Unsupported - SA-CONTRIB-2017-096
This module adds a new organizational layer to Drupal, making it easy to manage large numbers of files and nodes. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. The security team takes action in...
me aliases - Highly critical - Arbitrary code execution - SA-CONTRIB-2017-097
The 'me' module provides shortcut paths to the current user's pages, e.g. user/me, blog/me, user/me/edit, tracker/me etc. The way the 'me' module handles URL arguments allows an attacker to execute arbitrary code strings...
Panopoly Core - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-093
This module provides common functionality used by other modules in the Panopoly distribution and child distributions, like, Open Atrium. The module doesn't sufficiently filter node titles used in breadcrumbs when the "Append Page Title to Site Breadcrumb" setting is enabled. This vulnerability is...
Feedback Collect - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-090
This module enables you to add feedback forms and gather end user feedback, bug reports or any kind of suggestions. The module doesn't sufficiently filter output of its own fields under the scenario of creating or editing feedback-collect content types. This vulnerability is mitigated by the fact...
Mailhandler - Critical - Remote Code Execution - SA-CONTRIB-2017-089
The Mailhandler module enables you to create nodes by email. The Mailhandler module does not validate file attachments. By sending a correctly crafted e-mail to a mailhandler mailbox an attacker can execute arbitrary code. The vulnerability applies to any active mailhandler mailbox, whether or no...
Configuration Update Manager - Moderately critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-091
The Configuration Update Reports sub-module in the Configuration Update module project enables you to run reports to see what configuration on your site differs from the configuration distributed by a module, theme, or installation profile, and to revert, delete, or import configuration. This...
Node feedback - Moderately critical - Access Bypass - SA-CONTRIB-2017-092
This module enables you to set nodes to send feedback via personal/site-wide contact forms. The module doesn't sufficiently handle the access to nodes whose titles will be shown on contact forms. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Us...
Domain Integration (Drupal 7) - Moderately critical - Access bypass - SA-CONTRIB-2017-084
This module enables you to integrate the Domain module with other popular Drupal modules. The Domain Integration Login Restrict sub-module enables you to restrict access to a domain based on the assigned domains on a user. The Domain Integration Login Restrict sub-module doesn't sufficiently chec...
bootstrap_carousel - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-088
This module provides a way to make carousels, based on bootstrap-carousel.js. The module doesn't sufficiently sanitize the output of the img tag's alt attribute. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Carousel: Create new content" or any simil...
Services single sign-on client - Critical - Cross-site scripting - SA-CONTRIB-2017-087
This module allows users of a remote Services-enabled Drupal site to sign on to a second site with their credentials. The module does not sanitize information from the request before displaying it, thereby exposing a cross-site scripting vulnerability...
Cloud - Critical - CSRF - SA-CONTRIB-2017-086
This module enables sites to manage public clouds like Amazon EC2 and also private clouds like OpenStack. The module doesn't sufficiently protect the deletion of audit reports, thereby exposing a cross-site request forgery vulnerability which can be exploited by unprivileged users to trick an administrat...
MoneySuite - Moderately critical - Access bypass - SA-CONTRIB-2017-085
MoneySuite provides a set of modules for Drupal sites that rely on the sale of memberships and/or content for revenue. The modules have an access bypass vulnerability which allows untrusted users including anonymous users to view payments made by users within the system. No data can be modified,...
Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2017-082
The Permissions by Term module extends Drupal by adding functionality for restricting access to single nodes via taxonomy terms. The module grants access to nodes that are being blocked by other node access modules and that the Permissions by Term module does not intend to control. Additionally, ...
Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2017-083
Custom Permissions is a lightweight module that allows permissions to be created and managed through an administrative form. When this module is in use, any user who is able to perform an action which rebuilds some of Drupal's caches can trigger a scenario in which certain pages protected by this...
Automated Logout - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-081
This module provides a site administrator the ability to log users out after a specified time of inactivity. It is highly customizable and includes "site policies" by role to enforce log out. The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting...
Brilliant Gallery - Highly critical - Multiple Vulnerabilities - SA-CONTRIB-2017-079
This module enables you to display any number of galleries based on images located in the files folder. The module doesn't sufficiently sanitize the input used in various database queries, which may allow attackers to craft requests resulting in an SQL injection vulnerability. This vulnerability could be exploited...
Mosaik - Moderately critical - Cross-site scripting - SA-CONTRIB-2017-080
The Mosaik module enables you to create pages or complex blocks in Drupal with the logic of a real mosaic and its pieces. The module doesn't sufficiently sanitize the titles of fieldsets on its administration pages or the titles of blocks that it creates. This vulnerability is mitigated by the fa...
Yandex.Metrics - Moderately critical - Cross site scripting - SA-CONTRIB-2017-078
The Yandex.Metrics module allows you to look for key indicators of your site's effectiveness. The module doesn't sufficiently warn that its settings page should not be exposed to untrusted users. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...
netFORUM Authentication - Moderately critical - Access Bypass - SA-CONTRIB-2017-077
The netFORUM Authentication module implements external authentication for users against netFORUM. The module does not correctly use flood control, making it susceptible to brute force attacks...
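The netFORUM entry is a reminder that an external credential check bypasses the throttling core applies to its own login form. The following is an added Drupal 7 example, not netFORUM Authentication code, wrapping a remote check in the same flood-control pattern core's user_login_authenticate_validate() uses: a per-IP limit and a per-account limit, with events registered only on failure. example_remote_check() and the 'example_auth_*' event names are hypothetical.

```php
<?php
// Added example, not netFORUM Authentication code. example_remote_check()
// stands in for the call to the external authentication service.

function example_remote_check($name, $pass) {
  // Hypothetical placeholder: the real module would call out to the service.
  return FALSE;
}

/**
 * Returns TRUE on success, FALSE on bad credentials or when throttled.
 * Reuses core's failed-login thresholds so site-wide tuning applies here too.
 */
function example_authenticate($name, $pass) {
  $ip_limit   = variable_get('user_failed_login_ip_limit', 50);
  $ip_window  = variable_get('user_failed_login_ip_window', 3600);
  $acc_limit  = variable_get('user_failed_login_user_limit', 5);
  $acc_window = variable_get('user_failed_login_user_window', 21600);

  // With no identifier, flood_is_allowed() keys the event on the client IP.
  if (!flood_is_allowed('example_auth_ip', $ip_limit, $ip_window)) {
    watchdog('example', 'Throttled remote login from %ip', array('%ip' => ip_address()), WATCHDOG_NOTICE);
    return FALSE;
  }
  // Per-account limit keyed on name plus IP, as core does for uid plus IP,
  // so one attacker cannot lock a victim out from elsewhere.
  $identifier = $name . '-' . ip_address();
  if (!flood_is_allowed('example_auth_user', $acc_limit, $acc_window, $identifier)) {
    return FALSE;
  }

  if (example_remote_check($name, $pass)) {
    // Successful login resets the per-account counter, not the IP counter.
    flood_clear_event('example_auth_user', $identifier);
    return TRUE;
  }

  // Only failures count toward the thresholds.
  flood_register_event('example_auth_ip', $ip_window);
  flood_register_event('example_auth_user', $acc_window, $identifier);
  return FALSE;
}
```

Check the effect with a failing-password loop against a test account: after the per-account limit the function must return FALSE without the remote service being called at all, which is the behaviour the advisory says was missing.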
Page Access - Unsupported - SA-CONTRIB-2017-075
This module provides the option to grant View and Edit access to users and roles on individual node pages. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module,...
Skype Status - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-076
This module enables you to obtain the status for a user's Skype account. The module doesn't sufficiently sanitize the user input for their Skype ID. This vulnerability is mitigated by the fact that an attacker must have an account on the site and be allowed to edit/input their Skype ID. CVE...
Flag clear - Moderately Critical - CSRF - DRUPAL-SA-CONTRIB-2017-074
The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own. The module doesn't sufficiently confirm a user's intent to take unflagging actions. CVE...
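The Flag clear, Cloud and Configuration Update entries are all the same defect: a state-changing action reachable by a plain GET, so a third-party page can trigger it in an administrator's browser. The following is an added Drupal 7 example, not code from any of those modules, showing that shape beside the fix of routing the action through a confirmation form, which carries Drupal's session-bound form token. The paths, the 'administer flags' permission and the example_clear_do() helper are hypothetical.

```php
<?php
// Added example, not Flag clear code. Paths, permission and helpers are hypothetical.

function example_clear_menu() {
  $items = array();
  // Vulnerable: a GET to node/123/clear-flags-unsafe performs the action.
  // An <img src="https://site/node/123/clear-flags-unsafe"> on any page an
  // administrator visits is enough to trigger it.
  $items['node/%node/clear-flags-unsafe'] = array(
    'page callback' => 'example_clear_unsafe',
    'page arguments' => array(1),
    'access arguments' => array('administer flags'),
    'type' => MENU_CALLBACK,
  );
  // Hardened: the same action only runs from a POSTed confirmation form.
  // drupal_get_form() adds a per-session token and Form API rejects the
  // submission if it is missing or wrong.
  $items['node/%node/clear-flags'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_clear_confirm_form', 1),
    'access arguments' => array('administer flags'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

function example_clear_unsafe($node) {
  example_clear_do($node);
  drupal_goto('node/' . $node->nid);
}

function example_clear_confirm_form($form, &$form_state, $node) {
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  return confirm_form(
    $form,
    t('Remove all flags from %title?', array('%title' => $node->title)),
    'node/' . $node->nid,
    t('This cannot be undone.'),
    t('Remove flags'),
    t('Cancel')
  );
}

function example_clear_confirm_form_submit($form, &$form_state) {
  $node = node_load($form_state['values']['nid']);
  example_clear_do($node);
  $form_state['redirect'] = 'node/' . $node->nid;
}

// Hypothetical stand-in for the module's real unflag logic; the table and
// columns assume Flag 7.x-3's {flagging} schema.
function example_clear_do($node) {
  db_delete('flagging')
    ->condition('entity_type', 'node')
    ->condition('entity_id', $node->nid)
    ->execute();
}
```

Where a link genuinely has to stay a GET (an AJAX toggle, for instance), the equivalent is to put drupal_get_token('example-clear-' . $nid) in the URL and check it with drupal_valid_token() in the callback; form tokens are only generated for authenticated users, which is fine here because the permission already excludes anonymous visitors.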
Clientside Validation - Critical - Arbitrary PHP Execution - DRUPAL-SA-CONTRIB-2017-072
The Clientside Validation module enables you to have client-side JavaScript validation on your forms. The module does not sufficiently validate parameters of a POST request made when validating a CAPTCHA. For the 1.x version of this module, this vulnerability is mitigated by the fact that the...
CAPTCHA - Moderately Critical - Denial of Service - SA-CONTRIB-2017-073
This module enables you to use various techniques to block automated scripts / robots from submitting content to a site, e.g. to block spam comments. The module doesn't properly store the session ID of visitors who are given a session which could lead to a Denial of Service attack. This...
H5P - Critical - Reflected Cross Site Scripting (XSS) - DRUPAL-SA-CONTRIB-2017-071
The H5P module helps create interactive videos, question sets, drag and drop questions, multichoice questions, boardgames, presentations, flashcards and more using Drupal. The module does not sufficiently filter text prior to printing it back to the page, leading to a Reflected Cross Site Scripti...
Commerce invoices - Highly Critical - SQL Injection and Cross Site scripting - DRUPAL-SA-CONTRIB-2017-070
Commerce Invoices allows you to enter an Invoice number, Company name and Amount and it will generate an Invoice that the client can pay on your site using any payment method supported by Drupal Commerce. SQL injection: the module did not properly use Drupal's database API when querying the databa...
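Both the Commerce Invoices and the Brilliant Gallery entries come down to values being spliced into SQL text instead of bound as parameters. The following is an added Drupal 7 example, not code from either module, showing an invoice lookup written the vulnerable way and with the database API's placeholders, plus the two cases placeholders do not cover: identifiers (column names, sort direction) and LIKE patterns. The 'example_invoice' table and its columns are assumptions.

```php
<?php
// Added example, not Commerce Invoices code. Table and columns are hypothetical.

// Vulnerable: $number becomes part of the SQL text. A value such as
//   1' OR '1'='1
// returns every row, and a UNION reaches other tables.
function example_invoice_load_unsafe($number) {
  $result = db_query("SELECT * FROM {example_invoice} WHERE number = '" . $number . "'");
  return $result->fetchObject();
}

// Hardened: the value travels as a bound parameter and is never parsed as SQL.
function example_invoice_load($number) {
  return db_query('SELECT * FROM {example_invoice} WHERE number = :number',
    array(':number' => $number))->fetchObject();
}

// Arrays bound to a placeholder are expanded into an IN (...) list.
function example_invoice_load_multiple(array $numbers) {
  return db_query('SELECT * FROM {example_invoice} WHERE number IN (:numbers)',
    array(':numbers' => $numbers))->fetchAll();
}

// LIKE patterns: the bound value is still safe against injection, but the
// wildcard characters inside it must be escaped with db_like() so a search
// for "%" does not match everything.
function example_invoice_search($prefix) {
  return db_query('SELECT * FROM {example_invoice} WHERE company LIKE :c',
    array(':c' => db_like($prefix) . '%'))->fetchAll();
}

// Identifiers cannot be bound. Caller-controlled sort field and direction
// have to be checked against an allow-list before reaching the query.
function example_invoice_list($sort_field, $sort_dir) {
  $allowed_fields = array('number', 'company', 'amount', 'created');
  if (!in_array($sort_field, $allowed_fields, TRUE)) {
    $sort_field = 'created';
  }
  $sort_dir = (strtoupper($sort_dir) === 'ASC') ? 'ASC' : 'DESC';
  return db_select('example_invoice', 'i')
    ->fields('i', array('invoice_id', 'number', 'company', 'amount'))
    ->orderBy($sort_field, $sort_dir)
    ->execute()
    ->fetchAll();
}
```

The same advisory's cross-site scripting half is the output side of the same data: company names loaded here must still go through check_plain() (or the @ placeholder of t()) when rendered.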
Views refresh - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-069
When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views refresh module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to...
Entity Reference - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-067
The entity reference module provides a field type that can reference arbitrary entities. In a vulnerable configuration, an attacker could determine the titles of nodes they do not have access to. This is mitigated as only entity reference fields using the "simple" entity selector are vulnerable,...
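The Entity Reference, FileField Sources, Node feedback and JSON:API entries share one root cause: a lookup that returns titles or related records without applying the access rules of the referenced entities. The following is an added Drupal 7 example, not Entity Reference code, of an autocomplete callback written both ways. The 'node_access' query tag lets node access modules restrict the query through {node_access} grants, and the explicit node_access('view') check covers unpublished nodes and modules that implement hook_node_access() only. The example_ref_* names are hypothetical.

```php
<?php
// Added example, not Entity Reference code. example_ref_* names are hypothetical.

// Leaks titles: queries {node} directly, so unpublished and access-restricted
// nodes are matched and their titles appear in the suggestion list.
function example_ref_autocomplete_unsafe($string = '') {
  $matches = array();
  $result = db_query('SELECT nid, title FROM {node} WHERE title LIKE :t LIMIT 10',
    array(':t' => db_like($string) . '%'));
  foreach ($result as $row) {
    $matches[$row->title . ' (' . $row->nid . ')'] = check_plain($row->title);
  }
  drupal_json_output($matches);
}

// Access-aware version of the same lookup.
function example_ref_autocomplete($string = '') {
  $matches = array();
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.title', db_like($string) . '%', 'LIKE')
    ->addTag('node_access')   // grants-based modules rewrite the query here
    ->range(0, 10);
  $nids = $query->execute()->fetchCol();
  foreach (node_load_multiple($nids) as $node) {
    // Belt and braces: node_access() applies published status, ownership
    // and hook_node_access() results that the query tag does not see.
    if (!node_access('view', $node)) {
      continue;
    }
    $matches[$node->title . ' (' . $node->nid . ')'] = check_plain($node->title);
  }
  drupal_json_output($matches);
}
```

To verify a site, create an unpublished node with a distinctive title, log in as a user without "view own unpublished content" or "bypass node access", and request the autocomplete path with that title's prefix: the safe version returns an empty object, the unsafe one returns the title.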
Views - Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068
When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to...
Facebook Like Button - Moderately Critical - XSS - DRUPAL-SA-CONTRIB-2017-066
This module provides a Facebook Like button on node pages and blocks. The module does not sufficiently sanitize output when configured to use custom css rules. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer fblikebutton". CVE...
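Most of the cross-site scripting entries on this page (Dynamic Banner, Entity Reference Tab, Taxonomy Term Reference Tree Widget, comScore, Panopoly breadcrumbs, bootstrap_carousel, H5P, Automated Logout, Mosaik, Skype Status, Facebook Like Button) are one of four output contexts handled wrongly. The following is an added Drupal 7 example, not code from any of those modules, showing each context with the vulnerable line beside the corrected one: a reflected query parameter, a stored body printed by a field formatter, an attribute value, and an administrator-stored CSS setting. All example_* names and the 'example_custom_css' variable are hypothetical.

```php
<?php
// Added example, not code from any module listed above. example_* names are hypothetical.

// 1. Reflected: a query parameter echoed into the page.
function example_reflected_unsafe() {
  return '<h2>Results for ' . $_GET['term'] . '</h2>';   // <script> in ?term= runs
}
function example_reflected() {
  $term = isset($_GET['term']) ? $_GET['term'] : '';
  // The @ placeholder runs check_plain(); the string is safe in element content.
  return '<h2>' . t('Results for @term', array('@term' => $term)) . '</h2>';
}

// 2. Stored: a formatter printing the body of a referenced node.
function example_field_formatter_view($entity_type, $entity, $field, $instance, $langcode, $items, $display) {
  $element = array();
  foreach ($items as $delta => $item) {
    $node = node_load($item['target_id']);
    if (!$node || !node_access('view', $node)) {
      continue;
    }
    $body = field_get_items('node', $node, 'body');
    $element[$delta] = array(
      // Unsafe: '#markup' => $body[0]['value'] prints the raw body and
      // ignores the text format the author was restricted to.
      '#markup' => $body ? check_markup($body[0]['value'], $body[0]['format']) : '',
    );
  }
  return $element;
}

// 3. Attribute context: user-supplied alt text on an image.
function example_image_unsafe($uri, $alt) {
  return '<img src="' . file_create_url($uri) . '" alt="' . $alt . '">'; // " closes the attribute
}
function example_image($uri, $alt) {
  // theme_image() passes attributes through drupal_attributes(), which check_plain()s values.
  return theme('image', array('path' => $uri, 'alt' => $alt));
}

// 4. Admin-stored config such as "custom CSS": there is no escaping that
// makes arbitrary CSS safe inside <style>, so the setting must stay behind a
// trusted permission, and the characters that close the context are stripped.
function example_custom_css() {
  $css = variable_get('example_custom_css', '');
  $css = str_replace(array('<', '>'), '', $css);
  if ($css !== '') {
    drupal_add_css($css, array('type' => 'inline'));
  }
}
```

The rule of thumb behind all four: pick the function by output context, not by data source. check_plain() for element content and attribute values, check_markup() or filter_xss() for HTML the author is allowed to write, filter_xss_admin() only for values that already require an administrative permission to set, and no plain concatenation anywhere a value reaches the page.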