1940 matches found
Universally Unique IDentifier - Moderately critical - Arbitrary file upload - SA-CONTRIB-2018-045
This module provides an API for adding universally unique identifiers UUID to Drupal objects, most notably entities. The module module has an arbitrary file upload vulnerability when it's used in combination with the services REST server. This vulnerability is mitigated by the fact that an attack...
Mass Password Reset - Less critical - Insecure Randomness - SA-CONTRIB-2018-043
This module enables you to reset passwords for all users based upon their user role. The module doesn't use a strong source of randomness, creating weak and predictable passwords. This vulnerability is mitigated by the fact that the site must be configured to reveal the password to the attacker,...
TFA Basic plugins - Less critical - Insecure Randomness - SA-CONTRIB-2018-044
The TFA Basic module enables you to use Two Factor Authentication via a variety of plugins including TOTP and one-time codes delivered via email or sms. The module doesn't use a strong source of randomness, creating weak and predictable one-time login codes that are then delivered using SMS. This...
Generate Password - Less critical - Insecure Randomness - SA-CONTRIB-2018-042
The Genpass module makes the password field optional or hidden on the add new user page admin & registration. If the password field is not set during registration, the system generates a password. The module doesn't use a strong source of randomness, creating weak and predictable passwords. This...
Custom Tokens - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-041
The Custom Tokens module enables you to create custom tokens for specific replacements that can improve other modules relying on the token API. The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles. This vulnerability is...
AdTego SiteIntel - AdBlocker Detect - Critical - Unsupported - SA-CONTRIB-2018-039
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466...
Mollom - Critical - Unsupported - SA-CONTRIB-2018-038
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466. The security team marks all unsupported projects critical...
Entity Delete - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-040
This module enables you to delete any types of entities in bulk. The module doesn't sufficiently verify access permissions under its use cases, leading to access bypass. The module also does not protect against Cross Site Request Forgeries on its delete process. The access bypass vulnerability is...
SimpleCrop - Critical - Unsupported - SA-CONTRIB-2018-030
Update: 2018-06-01 A new maintainer has stepped forward to maintain this module and has put out a new release. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module...
Protected Pages - Critical - Unsupported - SA-CONTRIB-2018-028
Update: 2018-06-03 A new maintainer has stepped forward and this project now has a stable release. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please rea...
Education - Critical - Unsupported - SA-CONTRIB-2018-036
The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466. The security team marks all unsupported themes and modules...
Zircon - Critical - Unsupported - SA-CONTRIB-2018-037
Update - 2018-09-26 This maintainer has fixed this security issue. Please install https://www.drupal.org/project/zircon/releases/7.x-1.2 to resolve the issue. The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the...
Corporate Site - Critical - Unsupported - SA-CONTRIB-2018-032
The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466. The security team marks all unsupported themes and modules...
iShopping - Critical - Unsupported - SA-CONTRIB-2018-033
The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466. The security team marks all unsupported themes and modules...
TB Sirate - Critical - Unsupported - SA-CONTRIB-2018-035
The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466. The security team marks all unsupported themes and modules...
Hotel - Critical - Unsupported - SA-CONTRIB-2018-034
The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the maintainer. If you would like to maintain this theme, please read: https://www.drupal.org/node/251466. The security team marks all unsupported themes and modules...
TB Nucleus - Critical - Unsupported - SA-CONTRIB-2018-031
Update - 2018-09-26 This maintainer has fixed this security issue. Please install https://www.drupal.org/project/nucleus/releases/7.x-1.6 to fix the security issue The security team is marking this theme unsupported. There is a known security issue with the theme that has not been fixed by the...
Baidu Analytics - Critical - Unsupported - SA-CONTRIB-2018-029
The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466. The security team marks all unsupported modules critical by...
Scrollable Content - Critical - Unsupported - SA-CONTRIB-2018-026
Scrollable Content provides a scrolling functionality for your content. Scrollable Content will give you a nice content slider preview of your site's nodes, and provides some display options. The security team is marking this module unsupported. There is a known security issue with the module tha...
SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2018-027
This module adds a new formatter for the file fields, which allows any file extension to be uploaded. The module doesn't sufficiently handle sanitization under the scenario uploaded SVG files. This vulnerability is mitigated by the fact that an attacker must have a role with the permission create...
Multi-Step Registration - Critical - Unsupported Module - SA-CONTRIB-2018-023
With Multi-Step Registration you can create multi-step wizard user account registration forms. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read:...
Simple Taxonomy Revision - Critical - Unsupported - SA-CONTRIB-2018-025
Simple Taxonomy Revision module enables revisions for taxonomy terms for Drupal 8. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read:...
KCFinder integration - Critical - Unsupported Module - SA-CONTRIB-2018-024
KCFinder is a multi-language file / image manager you can use to easily select, insert, upload and arrange images, flash movies, and other kinds of files. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintaine...
D7 Media - Critical - Remote Code Execution - SA-CONTRIB-2018-020
The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a third party site. The module contained a vulnerability similar to SA-CORE-2018-004, leading to a possible remote code execution RCE attack...
JSON:API - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2018-021
This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities. The module doesn't provide CSRF protection when processing authenticated traffic using cookie-based authentication. This vulnerability is mitigated by the fact that an...
DRD Agent - Critical - PHP object injection - SA-CONTRIB-2018-022
This module enables you to monitor and manage any number of remote Drupal sites and aggregate useful information for administrators in a central dashboard. The modules DRD and DRD Agent encrypt the data which is exchanged between them but in order to do so, they use the PHP serialize/unserialize...
Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical -...
Display Suite - Critical - Cross site scripting (XSS) - SA-CONTRIB-2018-019
Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. The module doesn't sufficiently validate view modes provided dynamically via URLs leading to a reflected cross site scripting XSS attack. This vulnerability is mitigated only by the...
Menu Import and Export - Critical - Access bypass - SA-CONTRIB-2018-018
This module helps in exporting and importing Menu Items via the administrative interface. The module does not properly restrict access to administrative pages, allowing anonymous users to export and import menu links. There is no mitigation for this vulnerability...
JSON:API - Moderately critical - Access Bypass - SA-CONTRIB-2018-016
This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities. The module doesn't sufficiently check access when viewing related resources or relationships, thereby causing an access bypass vulnerability. This vulnerability is...
Exif - Critical - Access bypass - SA-CONTRIB-2018-017
This module enables you to retrieve image metadata and use them in fields or title. The module doesn't sufficiently restrict access to module setting pages thereby causing an access bypass vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to create...
CKEditor Upload Image - Critical - Access bypass - SA-CONTRIB-2018-014
This module enables you to drag and drop or paste images into CKEditor. The module does not sufficiently verify users permissions, which leads to anonymous users being able to upload files to the server...
JSON:API - Moderately critical - Multiple Vulnerabilities - SA-CONTRIB-2018-015
This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities. The module doesn't sufficiently associate cacheability metadata in certain situations thereby causing an access bypass vulnerability. This vulnerability is mitigated b...
Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2018-010
This module enables the user to set custom permissions per path. The module doesn't perform sufficient checks on paths with dynamic arguments like "node/1" or "user/2", thereby allowing the site administrator to save custom permissions for paths that won't be protected. This could lead to an acce...
Entity API - Moderately critical - Information Disclosure - SA-CONTRIB-2018-013
The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. The module prints debugging information to the HTML output in certain error conditions thereby causing an information disclosure vulnerability. This...
VChess - Critical - Module Unsupported - SA-CONTRIB-2018-009
The Drupal VChess module allows users to play a chess game. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466...
Entity Backup - Critical - Module Unsupported - SA-CONTRIB-2018-012
The main purpose of the Entity Backup module is to keep a backup of deleted Drupal core entities and perform recovery of them. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to...
Dynamic Banner - Less critical - Cross site scripting - SA-CONTRIB-2018-011
This module enables a site to display different banners via blocks on different pages depending upon specific criteria. The module doesn't sufficiently filter output of banner data. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...
FileField Sources - Moderately critical - Access Bypass - SA-CONTRIB-2018-007
This module enables you to upload files to fields via several sources. The module doesn't sufficiently handle access control under the scenario of the autocomplete path of reference sources...
Entity Reference Tab / Accordion Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-008
This module enables you to show referenced entities in tabs. The module doesn't sufficiently sanitize the body fields of the referenced entities when it prints them to the tabs. This vulnerability is mitigated by the fact that an attacker must have a role with the permission create/edit content o...
Sagepay - Critical - Access Bypass - SA-CONTRIB-2018-005
This module integrates the Sagepay payment service. Some of the URLs used while processing the payment are not sufficiently secured. This might allow attackers to resume a previously failed payment attempt or to view content that should only be shown after a succesful payment. This affects all...
Taxonomy Term Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-006
This module provides an expandable tree widget for the Taxonomy Term Reference field in Drupal 7. The module doesn't sufficiently sanitize the output of its own defined field formatter. This vulnerability is mitigated by the fact that an attacker must have a role with the permission that allows t...
Backup and Migrate - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-004
This module enables you to create manual and scheduled backups of a site, and restore the site from backup. The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles. Sites using this module should review the permissions page...
Bible - Critical - Multiple Vulnerabilities - SA-CONTRIB-2018-003
This module enables you to display a Bible on your website. Users can associate notes with a Bible version. This module has a vulnerability that would allow an attacker to wipe out, update or read notes from other users with a carefully crafted title. A user must have the "Access Bible content"...
Node View Permissions - Moderately critical - Access Bypass - SA-CONTRIB-2018-002
The Node view permissions module enables the "View own content" and "View any content" permissions for each content type on the permissions page. This module has a vulnerability that allows users with these permissions to view unpublished content that they are not otherwise authorized to view. Th...
Stacks - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-001
This module enables content editors to create complex pages and layouts on the fly without the help from a developer, using reusable widgets. The module does not sufficiently filter values posted to its AJAX endpoint, which leads to the instantiation of an arbitrary PHP class. This vulnerability ...
Link Click Count - Critical - Unsupported - SA-CONTRIB-2017-094
The Link Click Count module helps you to monitor the traffic to your website by creating link fields. These link fields can be individual links or internal/external links that can be added to the content type. The security team is marking this module unsupported. There is a known security issue...
ComScore direct tag - Less critical - Cross site scripting - SA-CONTRIB-2017-095
This module enables you to use the comScore Direct analytics system on a site. The module doesn't sufficiently sanitize one of the configuration variables prior to rendering it. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer comScore...
Directory based organisational layer - Critical - Unsupported - SA-CONTRIB-2017-096
This module adds a new organizational layer to Drupal, making it easy for managing large numbers of files and nodes. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. The security team takes action in...
me aliases - Highly critical - Arbitrary code execution - SA-CONTRIB-2017-097
'me' module provides shortcut paths to current user's pages, eg user/me, blog/me, user/me/edit, tracker/me etc. The way 'me' module handles URL arguments allows an attacker to execute arbitrary code strings...