Session Cache API - Critical - Multiple vulnerabilities - DRUPAL-SA-CONTRIB-2017-065

This module does not safely deal with serialization. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected Session Cache API 7.x-1.4 Drupal core is not affected. If you do not use the contributed...

Relation - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-063

This module enables you to store relationships between entities as fieldable entities. The module doesn't sufficiently check permissions when displaying related entities labels with the Relation Dummy Field module widget. This vulnerability is mitigated by the fact that the optional Relation Dumm...

Better field descriptions - Critical - XSS - SA-CONTRIB-2017-064

This module enables you to add themeable descriptions to fields in forms. The module doesn't sufficiently sanitize descriptions. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "add better descriptions to fields". CVE identifiers issued ACVE...

Alinks - Moderately Critical -Access bypass - SA-CONTRIB-2017-058

This module enables you to automatically link keywords to specific URLs. This module has an insufficient access check on the delete route. Alinks uses the wrong permission for an access check. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with...

baidu_analytics - Unsupported - SA-CONTRIB-2017-060

Update The maintainer has resolved this issue, please read the release notes for more information This module adds the Baidu Analytics web statistics tracking system to your website. The security team is marking this module unsupported. There is a known security issue with the module that has not...

html_title - Unsupported - SA-CONTRIB-2017-059

The HTML Title module allows a limited set of HTML markup em, sub, sup, b, i, strong, cite, code, bdi, wbr to be used in node titles. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like ...

services_views - Unsupported - SA-CONTRIB-2017-062

Update A new maintainer has resolved this issue, please read The release notes for more information This module provides views support for the Services module. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the...

ajax_facets - Unsupported - SA-CONTRIB-2017-061

Updates The maintainer has resolved this issue, please read the release notes for more information. This module allows you to create facet filters which working by AJAX. Filters and search results will be updated by AJAX. The security team is marking this module unsupported. There is a known...

DrupalChat - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-057

UPDATE 2017-07-12 : This SA originally recommended version 2.6, but it was incorrectly tagged. We've updated the SA to recommend version 2.7. Sorry for the confusion! DrupalChat allows visitors of your Drupal site to chat with each other privately or together in a public chatroom. The module did...

OAuth - Critical - Access Bypass - SA-CONTRIB-2017-056

This module enables you to protect requests via the OAuth authentication protocol. The module doesn't sufficiently notify the Cache API to avoid caching responses under the scenario in which an authenticated user requests a resource such as unpublished node. This vulnerability is mitigated by the...

Services - Critical - SQL Injection - SA-CONTRIB-2017-054

This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The module doesn't sufficiently sanitize column names provided by the client when they are querying for data and trying to sort it. This vulnerability is mitigated by the fact tha...

SMTP - Moderately Critical - Information Disclosure - SA-CONTRIB-2017-055

This SMTP module enables you to send mail using a third party non-system mail service instead of the local system mailer included with Drupal. When this module is in debugging mode, it will log privileged information. CVE identifiers issued ACVE identifier will be requested, and added upon...

Search 404 - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-053

The Search 404 module enables you to redirect 404 pages to a search page on the site for the keywords in the url that was not found. The module did not filter administrator-provided text before displaying it to the user on the 404 page creating a Cross Site Scripting XSS vulnerability. This...

LDAP - Critical - Data Injection - SA-CONTRIB-2017-052

The LDAP module does not sanitize user input correctly in several cases, allowing a user to modify parameters without restriction and inject data. If the site administrator chooses to hide the email or password from the user form instead of showing or disabling it under "Authorization", these...

Custom Landing Page Builder - Unsupported - SA-CONTRIB-2017-050

The Custom Landing Page Builder module allows webmasters to build custom landing pages using a WYSIWYG editor while still having full control over the full layout of the page including the header, navigation, page content, footer, forms etc. The security team is marking this module unsupported...

Site Verify - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-051

The Site Verify module enables privilege users to verify a site with services like Google Webmaster Tools using meta tags or file uploads. The module doesn't sufficiently sanitize input or restrict uploads. This vulnerability is mitigated by the fact that an attacker must have a role with the...

Bootstrap - Critical - Information Disclosure - SA-CONTRIB-2017-048

This theme enables you to bridge the gap between the Bootstrap Framework and Drupal. The theme does not sufficiently exclude the submitted password value when an incorrect value has been submitted Versions affected bootstrap 8.x-3.x versions prior to 8.x-3.5. Drupal core is not affected. If you d...

Display Suite - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-049

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. In certain situations, Display Suite does not properly sanitize some of the output, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS...

Media - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-044

This module provides intuitive ways to manage large libraries of media, insert or display or import various types of media either through fields or a wysiwyg interface. Versions of this module prior to 7.x-2.1 or 7.x-3.0-alpha5 did not sufficiently whitelist input parameters for the media browser...

DRD Agent - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-047

The Drupal Remote Dashboard DRD module enables you to manage and monitor any remote Drupal site and, this module, the DRD Agent is the remote module which responds to requests from authorised DRD sites. The module doesn't sufficiently protect the URL used to configure itself from CSRF attacks,...

Webform Multiple file upload - Moderately Critical - Access bypass - SA-CONTRIB-2017-045

This module enables you to upload multiple files at once in a webform. The module doesn't sufficiently check access to file deletion urls. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to edit all or their own webform submissions. CVE identifier...

Drupal Remote Dashboard - Critical - Weak encryption keys - SA-CONTRIB-2017-046

UPDATE 2017-07-12 : This SA originally only mentioned the Drupal 8 version of the module, but it was later discovered that this issue affected the Drupal 7 version as well. We've updated the SA for the Drupal 7 security release. Sorry for the confusion! This module enables you to remotely access...

shib_auth Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-043

This module enables you to login via Shibboleth. The module doesn't sufficiently logout the user when the shib session expires, which depending on the caching mechanism makes private data public. This vulnerability is mitigated by the fact that shibauth would have to be used in combination with a...

Legal - Critical - Unsupported - SA-CONTRIB-2017-36

Update: 2017-06-04 The issue in this module has been fixed and a new release has been made Displays your Terms & Conditions to users who want to register, and requires that they accept the T&C before their registration is accepted. The security team is marking this module unsupported. There is a...

Filemaker Form - Critical - Unsupported - SA-CONTRIB-2017-37

Easily create forms in Drupal that submit data to Filemaker databases which are hosted on Filemaker Server. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module,...

Media - Critical - 1.x branch unsupported - SA-CONTRIB-2017-042

The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a 3rd party site - it is commonly referred to as a 'file browser to the internet'. Versions affected Only the 1.x branch is affected. Version 2.0...

Open Atrium - Moderately critical - Information Disclosure - SA-CONTRIB-2017-041

Open Atrium is a distribution the enables collaboration sites to be built. It contains several custom modules to provide various functionality. While content is often protected behind private groups, public content can also be shared. When using Open Atrium as an internal Intranet, this "public"...

@Base - Critical - Unsupported - SA-CONTRIB-2017-040

Provide some more API for developer to work with Drupal 7. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466...

Scheduler Workbench Integration - Critical - Unsupported - SA-CONTRIB-2017-39

Updates 20170414 - A new module maintainer has been found and a new release for this module has been published. Provides integration between the Scheduler module and the Workbench Moderation module. The security team is marking this module unsupported. There is a known security issue with the...

References - Unsupported - SA-CONTRIB-2017-38

Updates 2017-04-18 -- This issue has been resolved with the release of references 7.x-2.2 2017-04-14 - A potential new maintainer is working through the process of fixing the References module. When this is complete a new release will be published and this SA will be updated. The specific details...

Book access - Critical - Unsupported - SA-CONTRIB-2017-35

This module alters the book module permissions model by letting you specify access/modify/delete rights on a per-book basis. Normally, book-related permissions provided by drupal core apply across all books, but this module will let you drill down as granular as to letting specific users have...

Auto Login URL - Less Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-034

This module lets you create auto login URLs programmatically on demand and through tokens. The module does not provide sufficient protection when generating login URLs. An attacker could rebuild login URLs independently thereby logging in as another user. This vulnerability is mitigated by the fa...

Linkit - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-033

Linkit provides an easy interface for internal and external linking with WYSIWYG editors by using an autocomplete field. When searching for entities, this module doesn't always enforce the access restrictions and users may see information about entities they should not be able to access. This is...

Office Hours - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-032

This module enables you to show the office hours of a location to the public. The module doesn't sufficiently filter user input for malicious Cross Site Scripting xss. This vulnerability is mitigated by the fact that an attacker must have a role with a permission to add fields to an entity. CVE...

Private - Critical - Access bypass - DRUPAL-SA-CONTRIB-2017-031

This module enables you to mark nodes as private so that they are only accessible to users that have been granted an extra permissions. The module doesn't always enforce the access restrictions. In some cases a node that a site admin expects to be private is actually accessible as normal or nodes...

Services - Highly Critical - Arbitrary Code Execution - SA-CONTRIB-2017-029

This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The module accepts user submitted data in PHP's serialization format "Content-Type: application/vnd.php.serialized" which can lead to arbitrary remote code execution. This...

PRLP - Critical - Access Bypass and Privilege Escalation - SA-CONTRIB-2017-030

This module adds a form on the password-reset-landing page to allow changing the password of the user during the log in process. The module does not sufficiently validate all access tokens, which allows an attacker to change the password of any arbitrary user and gain access to their account. In...

Location Map - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-026

This module enables you to display one simple location map via Google Maps. The module doesn't sufficiently sanitize user input in the configuration text fields of the module allows any tags and does not respect text format configuration. This vulnerability is mitigated by the fact that an attack...

Breakpoint Panels - Critical - Unsupported - SA-CONTRIB-2017-028

Breakpoint panels adds a button to the Panels In-Place Editor for each pane. When selected, it will display checkboxes next to all of the breakpoints specified in that modules UI. Unchecking any of these will 'hide' it from that breakpoint. The security team is marking this module unsupported...

AES - Critical - Unsupported - SA-CONTRIB-2017-027

This module provides an API that allows other modules to encrypt and decrypt data using the AES encryption algorithm. The module does not follow requirements for encrypting data safely. An attacker who gains access to data encrypted with this module could decrypt it more easily than should be...

RestWS - Moderately Critical - Information Disclosure - SA-CONTRIB-2017-024

RestWS makes Drupal Entity data available in a REST API. The module doesn’t sufficiently check for access to properties when filtering queries. This vulnerability is mitigated by the fact that an attacker must have a role that allows them to access an entity type with access-controlled properties...

Remember Me - Critical - Unsupported - SA-CONTRIB-2017-025

Updates 2017-04-23 — This issue has been resolved with the release of rememberme 7.x-1.1 Remember me is a module that allows users to check "Remember me" when logging in. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed ...

Views - Moderately Critical - Access Bypass - SA-CONTRIB-2017-022

The Views module allows site builders to create listings of various data in the Drupal database. The Views module fails to add the required query tags to listings of Taxonomy Terms, which could cause private data stored on Taxonomy Terms to be leaked to users without permision to view it. This is...

Timezone Detect - Moderately Critical - Cross Site Request Forgery - SA-CONTRIB-2017-020

This module enables sites to automatically detect and set user timezones via JavaScript. The module does not sufficiently protect against Cross-Site Request Forgery CSRF: an attacker could use this vulnerability to manipulate a user's timezone setting. The security implication of this issue depen...

Search API Sorts - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-016

The Search API Sorts module allows the site administrator to configure custom sort options for their search results and expose the control interface via the core block system. The module doesn't sufficiently sanitise the name of the sort option which is displayed to users. This vulnerability is...

Flag clear - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-017

The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own. The module doesn't sufficiently protect from CSRF attacks. The unflagging links do not...

Metatag -Moderately Critical - Information disclosure - SA-CONTRIB-2017-019

This module enables you to add a variety of meta tags to a site for helping with a site's search engine results and to customize how content is shared on social networks. The module doesn't sufficiently protect against data being cached that might contain information related to a specific user...

Hotjar - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-015

This module enables you to add the Hotjar tracking system to your website. The module doesn't sufficiently sanitize the Hotjar ID when including tracking code. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer hotjar". CVE identifiers...

RESTful - Moderately Critical - Access Bypass - SA-CONTRIB-2017-018

This module enables you to build a RESTful API for your Drupal site. The restfultokenauth module a sub-module doesn't validate the status of users when logging them in. This results in a blocked user being able to operate normally with the RESTful actions, even after being blocked. This...

Acquia Content Hub - Moderately Critical - Access Bypass - SA-CONTRIB-2017-013

The Acquia Content Hub module enables the distribution and discovery of content from any source using the Acquia Content Hub service. The module allows rendering of any arbitrary entity, without performing the appropriate access check. Users browsing to a well crafted URL could access information...