Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2017/12/13 12:0 a.m.18 views

Panopoly Core - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-093

This module provides common functionality used by other modules in the Panopoly distribution and child distributions, like, Open Atrium. The module doesn't sufficiently filter node titles used in breadcrumbs when the "Append Page Title to Site Breadcrumb" setting is enabled. This vulnerability is...

6.5AI score
Exploits0References3
Drupal
Drupal
added 2017/12/06 12:0 a.m.17 views

Node feedback - Moderately critical - Access Bypass - SA-CONTRIB-2017-092

This module enables you to set nodes to send feedbacks by personal/site wide contact forms. The module doesn't sufficiently handle the access to nodes whose titles will be shown on contact forms. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Us...

6.4AI score
Exploits0References7
Drupal
Drupal
added 2017/12/06 12:0 a.m.22 views

Configuration Update Manager - Moderately critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-091

The Configuration Update Reports sub-module in the Configuration Update module project enables you to run reports to see what configuration on your site differs from the configuration distributed by a module, theme, or installation profile, and to revert, delete, or import configuration. This...

6.7AI score
Exploits0References7
Drupal
Drupal
added 2017/12/06 12:0 a.m.11 views

Feedback Collect - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-090

This module enables you to add feedback forms and gather end user feedback, bug reports or any kind of suggestions. The module doesn't sufficiently filter output of its own fields under the scenario of creating or editing feedback-collect content types. This vulnerability is mitigated by the fact...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2017/12/06 12:0 a.m.15 views

Mailhandler - Critical - Remote Code Execution - SA-CONTRIB-2017-089

The Mailhandler module enables you to create nodes by email. The Mailhandler module does not validate file attachments. By sending a correctly crafted e-mail to a mailhandler mailbox an attacker can execute arbitrary code. The vulnerability applies to any active mailhandler mailbox, whether or no...

7.6AI score
Exploits0References7
Drupal
Drupal
added 2017/11/29 12:0 a.m.5 views

bootstrap_carousel - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-088

This module provides a way to make carousels, based on bootstrap-carousel.js. The module doesn't sufficiently handle output of img HTML tag's alt property. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Carousel: Create new content" or any simil...

6.9AI score
Exploits0References5
Drupal
Drupal
added 2017/11/29 12:0 a.m.10 views

Cloud - Critical - CSRF - SA-CONTRIB-2017-086

This module enables sites to manage public clouds like Amazon EC2 and also private clouds like OpenStack. The module doesn't sufficiently protect the deletion of audit reports, thereby exposing a cross-site request vulnerability which can be exploited by unprivileged users to trick an administrat...

6.3AI score
Exploits0References4
Drupal
Drupal
added 2017/11/29 12:0 a.m.6 views

Services single sign-on client - Critical - Cross-site scripting - SA-CONTRIB-2017-087

This module allows users of a remote Services-enabled Drupal site to sign on to a second site with their credentials. The module does not sanitize information from the request before displaying it, thereby exposing a cross-site scripting vulnerability...

5.1AI score
Exploits0References6
Drupal
Drupal
added 2017/11/29 12:0 a.m.19 views

MoneySuite - Moderately critical - Access bypass - SA-CONTRIB-2017-085

MoneySuite provides a set of modules for Drupal sites that rely on the sale of memberships and/or content for revenue. The modules have an access bypass vulnerability which allows untrusted users including anonymous users to view payments made by users within the system. No data can be modified,...

6.6AI score
Exploits0References6
Drupal
Drupal
added 2017/11/29 12:0 a.m.15 views

Domain Integration (Drupal 7) - Moderately critical - Access bypass - SA-CONTRIB-2017-084

This module enables you to integrate the Domain module with other popular Drupal modules. The Domain Integration Login Restrict sub-module enables you to restrict access to a domain based on the assigned domains on a user. The Domain Integration Login Restrict sub-module doesn't sufficiently chec...

6.8AI score
Exploits0References7
Drupal
Drupal
added 2017/11/08 12:0 a.m.18 views

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2017-082

The Permissions by Term module extends Drupal by adding functionality for restricting access to single nodes via taxonomy terms. The module grants access to nodes that are being blocked by other node access modules and that the Permissions by Term module does not intend to control. Additionally, ...

6.7AI score
Exploits0References5
Drupal
Drupal
added 2017/11/08 12:0 a.m.14 views

Custom Permissions - Moderately critical - Access bypass - SA-CONTRIB-2017-083

Custom Permissions is a lightweight module that allows permissions to be created and managed through an administrative form. When this module is in use, any user who is able to perform an action which rebuilds some of Drupal's caches can trigger a scenario in which certain pages protected by this...

6.6AI score
Exploits0References5
Drupal
Drupal
added 2017/11/01 12:0 a.m.13 views

Automated Logout - Moderately critical - Cross Site Scripting - SA-CONTRIB-2017-081

This module provides a site administrator the ability to log users out after a specified time of inactivity. It is highly customizable and includes "site policies" by role to enforce log out. The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting...

6AI score
Exploits0References5
Drupal
Drupal
added 2017/10/25 12:0 a.m.20 views

Brilliant Gallery - Highly critical - Multiple Vulnerabilities - SA-CONTRIB-2017-079

This module enables you to display any number of galleries based on images located in the files folder. The module doesn't sufficiently sanitize various database queries which may allow attackers to craft requests resulting in an SQL injection vulnerability. This vulnerability could be exploited...

6.8AI score
Exploits0References5
Drupal
Drupal
added 2017/10/25 12:0 a.m.18 views

Mosaik - Moderately critical - Cross-site scripting - SA-CONTRIB-2017-080

The Mosaik module enables you to create pages or complex blocks in Drupal with the logic of a real mosaic and its pieces. The module doesn't sufficiently sanitize the titles of fieldsets on its administration pages or the titles of blocks that it creates. This vulnerability is mitigated by the fa...

6.4AI score
Exploits0References6
Drupal
Drupal
added 2017/10/18 12:0 a.m.6 views

Yandex.Metrics - Moderately critical - Cross site scripting - SA-CONTRIB-2017-078

The Yandex.Metrics module allows you to look for key indicators of your site effectiveness. The module doesn't sufficiently let users know a setting page should not be given to untrusted users. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...

5.5AI score
Exploits0References7
Drupal
Drupal
added 2017/10/11 12:0 a.m.24 views

netFORUM Authentication - Moderately critical - Access Bypass - SA-CONTRIB-2017-077

The netFORUM Authentication module implements external authentication for users against netFORUM. The module does not correctly use flood control making it susceptible to brute force attacks...

6.9AI score
Exploits0References3
Drupal
Drupal
added 2017/09/20 12:0 a.m.11 views

Page Access - Unsupported - SA-CONTRIB-2017-75

This module will provide the option to give the View and Edit access for users and roles on each node pages. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module,...

6.7AI score
Exploits0References7
Drupal
Drupal
added 2017/09/20 12:0 a.m.12 views

Skype Status - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-076

This module enables you to obtain the status for a user's Skype account The module doesn't sufficiently sanitize the user input for their Skype ID. This vulnerability is mitigated by the fact that an attacker must have an account on the site and be allowed to edit/input their Skype ID. CVE...

6.8AI score
Exploits0References11
Drupal
Drupal
added 2017/09/20 12:0 a.m.16 views

Page Access - Unsupported - SA-CONTRIB-2017-075

This module will provide the option to give the View and Edit access for users and roles on each node pages. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module,...

7.2AI score
Exploits0References7
Drupal
Drupal
added 2017/09/13 12:0 a.m.12 views

Flag clear - Moderately Critical - CSRF - DRUPAL-SA-CONTRIB-2017-074

The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own. The module doesn't sufficiently confirm a user's intent to take unflagging actions. CVE...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2017/09/06 12:0 a.m.14 views

Clientside Validation - Critical - Arbitary PHP Execution - DRUPAL-SA-CONTRIB-2017-072

The Clientside Validation module enables you to have clientside Javascript validation on your forms. The module does not sufficiently validate parameters of a POST request made when validating a CAPTCHA. For the 1.x version of this module, this vulnerability is mitigated by the fact that the...

7AI score
Exploits0References11
Drupal
Drupal
added 2017/09/06 12:0 a.m.9 views

CAPTCHA - Moderately Critical - Denial of Service - SA-CONTRIB-2017-073

This module enables you to use various techniques to block automated scripts / robots from submitting content to a site, e.g. to block spam comments. The module doesn't properly store the session ID of visitors who are given a session which could lead to a Denial of Service attack. This...

7AI score
Exploits0References13
Drupal
Drupal
added 2017/08/30 12:0 a.m.15 views

Commerce invoices - Highly Critical - SQL Injection and Cross Site scripting - DRUPAL-SA-CONTRIB-2017-070

Commerce Invoices allows you to enter an Invoice number, Company name and Amount and it will generate an Invoice that the client can pay on your site using any payment method supported by Drupal commerce. SQL Injection The module did not properly use Drupal's database API when querying the databa...

7AI score
Exploits0References12
Drupal
Drupal
added 2017/08/30 12:0 a.m.14 views

H5P - Critical - Reflected Cross Site Scripting (XSS) - DRUPAL-SA-CONTRIB-2017-071

The H5P module helps create interactive videos, question sets, drag and drop questions, multichoice questions, boardgames, presentations, flashcards and more using Drupal. The module does not sufficiently filter text prior to printing it back to the page, leading to a Reflected Cross Site Scripti...

5.6AI score
Exploits0References13
Drupal
Drupal
added 2017/08/16 12:0 a.m.17 views

Views refresh - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-069

When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views refresh module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to...

7AI score
Exploits0References16
Drupal
Drupal
added 2017/08/16 12:0 a.m.12 views

Views - Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068

When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to...

7AI score
Exploits0References16
Drupal
Drupal
added 2017/08/16 12:0 a.m.20 views

Entity Reference - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-067

The entity reference module provides a field type that can reference arbitrary entities. In a vulnerable configuration, an attacker could determine the titles of nodes they do not have access to. This is mitigated as only entity reference fields using the "simple" entity selector are vulnerable,...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2017/08/09 12:0 a.m.15 views

Better field descriptions - Critical - XSS - SA-CONTRIB-2017-064

This module enables you to add themeable descriptions to fields in forms. The module doesn't sufficiently sanitize descriptions. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "add better descriptions to fields". CVE identifiers issued ACVE...

7AI score
Exploits0References12
Drupal
Drupal
added 2017/08/09 12:0 a.m.17 views

Facebook Like Button - Moderately Critical - XSS - DRUPAL-SA-CONTRIB-2017-066

This module provides a Facebook Like button on node pages and blocks. The module does not sufficiently sanitize output when configured to use custom css rules. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer fblikebutton". CVE...

7AI score
Exploits0References13
Drupal
Drupal
added 2017/08/09 12:0 a.m.14 views

Relation - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-063

This module enables you to store relationships between entities as fieldable entities. The module doesn't sufficiently check permissions when displaying related entities labels with the Relation Dummy Field module widget. This vulnerability is mitigated by the fact that the optional Relation Dumm...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2017/08/09 12:0 a.m.14 views

Session Cache API - Critical - Multiple vulnerabilities - DRUPAL-SA-CONTRIB-2017-065

This module does not safely deal with serialization. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected Session Cache API 7.x-1.4 Drupal core is not affected. If you do not use the contributed...

7.1AI score
Exploits0References13
Drupal
Drupal
added 2017/08/02 12:0 a.m.8 views

services_views - Unsupported - SA-CONTRIB-2017-062

Update A new maintainer has resolved this issue, please read The release notes for more information This module provides views support for the Services module. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the...

7.1AI score
Exploits0References9
Drupal
Drupal
added 2017/08/02 12:0 a.m.16 views

baidu_analytics - Unsupported - SA-CONTRIB-2017-060

Update The maintainer has resolved this issue, please read the release notes for more information This module adds the Baidu Analytics web statistics tracking system to your website. The security team is marking this module unsupported. There is a known security issue with the module that has not...

7.1AI score
Exploits0References9
Drupal
Drupal
added 2017/08/02 12:0 a.m.12 views

html_title - Unsupported - SA-CONTRIB-2017-059

The HTML Title module allows a limited set of HTML markup em, sub, sup, b, i, strong, cite, code, bdi, wbr to be used in node titles. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like ...

7AI score
Exploits0References7
Drupal
Drupal
added 2017/08/02 12:0 a.m.16 views

Alinks - Moderately Critical -Access bypass - SA-CONTRIB-2017-058

This module enables you to automatically link keywords to specific URLs. This module has an insufficient access check on the delete route. Alinks uses the wrong permission for an access check. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2017/08/02 12:0 a.m.13 views

ajax_facets - Unsupported - SA-CONTRIB-2017-061

Updates The maintainer has resolved this issue, please read the release notes for more information. This module allows you to create facet filters which working by AJAX. Filters and search results will be updated by AJAX. The security team is marking this module unsupported. There is a known...

7.1AI score
Exploits0References9
Drupal
Drupal
added 2017/07/05 12:0 a.m.18 views

OAuth - Critical - Access Bypass - SA-CONTRIB-2017-056

This module enables you to protect requests via the OAuth authentication protocol. The module doesn't sufficiently notify the Cache API to avoid caching responses under the scenario in which an authenticated user requests a resource such as unpublished node. This vulnerability is mitigated by the...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2017/07/05 12:0 a.m.15 views

DrupalChat - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-057

UPDATE 2017-07-12 : This SA originally recommended version 2.6, but it was incorrectly tagged. We've updated the SA to recommend version 2.7. Sorry for the confusion! DrupalChat allows visitors of your Drupal site to chat with each other privately or together in a public chatroom. The module did...

6.7AI score
Exploits0References13
Drupal
Drupal
added 2017/06/28 12:0 a.m.15 views

Services - Critical - SQL Injection - SA-CONTRIB-2017-054

This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The module doesn't sufficiently sanitize column names provided by the client when they are querying for data and trying to sort it. This vulnerability is mitigated by the fact tha...

6.8AI score
Exploits0References11
Drupal
Drupal
added 2017/06/28 12:0 a.m.16 views

SMTP - Moderately Critical - Information Disclosure - SA-CONTRIB-2017-055

This SMTP module enables you to send mail using a third party non-system mail service instead of the local system mailer included with Drupal. When this module is in debugging mode, it will log privileged information. CVE identifiers issued ACVE identifier will be requested, and added upon...

6.9AI score
Exploits0References17
Drupal
Drupal
added 2017/06/21 12:0 a.m.15 views

Search 404 - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-053

The Search 404 module enables you to redirect 404 pages to a search page on the site for the keywords in the url that was not found. The module did not filter administrator-provided text before displaying it to the user on the 404 page creating a Cross Site Scripting XSS vulnerability. This...

6.1AI score
Exploits0References13
Drupal
Drupal
added 2017/05/31 12:0 a.m.10 views

LDAP - Critical - Data Injection - SA-CONTRIB-2017-052

The LDAP module does not sanitize user input correctly in several cases, allowing a user to modify parameters without restriction and inject data. If the site administrator chooses to hide the email or password from the user form instead of showing or disabling it under "Authorization", these...

7.1AI score
Exploits0References14
Drupal
Drupal
added 2017/05/24 12:0 a.m.17 views

Custom Landing Page Builder - Unsupported - SA-CONTRIB-2017-050

The Custom Landing Page Builder module allows webmasters to build custom landing pages using a WYSIWYG editor while still having full control over the full layout of the page including the header, navigation, page content, footer, forms etc. The security team is marking this module unsupported...

7.2AI score
Exploits0References7
Drupal
Drupal
added 2017/05/24 12:0 a.m.17 views

Site Verify - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-051

The Site Verify module enables privilege users to verify a site with services like Google Webmaster Tools using meta tags or file uploads. The module doesn't sufficiently sanitize input or restrict uploads. This vulnerability is mitigated by the fact that an attacker must have a role with the...

6.9AI score
Exploits0References12
Drupal
Drupal
added 2017/05/17 12:0 a.m.11 views

Display Suite - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-049

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. In certain situations, Display Suite does not properly sanitize some of the output, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS...

6.3AI score
Exploits0References12
Drupal
Drupal
added 2017/05/17 12:0 a.m.13 views

Bootstrap - Critical - Information Disclosure - SA-CONTRIB-2017-048

This theme enables you to bridge the gap between the Bootstrap Framework and Drupal. The theme does not sufficiently exclude the submitted password value when an incorrect value has been submitted Versions affected bootstrap 8.x-3.x versions prior to 8.x-3.5. Drupal core is not affected. If you d...

7.3AI score
Exploits0References11
Drupal
Drupal
added 2017/05/10 12:0 a.m.17 views

Drupal Remote Dashboard - Critical - Weak encryption keys - SA-CONTRIB-2017-046

UPDATE 2017-07-12 : This SA originally only mentioned the Drupal 8 version of the module, but it was later discovered that this issue affected the Drupal 7 version as well. We've updated the SA for the Drupal 7 security release. Sorry for the confusion! This module enables you to remotely access...

7.2AI score
Exploits0References10
Drupal
Drupal
added 2017/05/10 12:0 a.m.12 views

DRD Agent - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-047

The Drupal Remote Dashboard DRD module enables you to manage and monitor any remote Drupal site and, this module, the DRD Agent is the remote module which responds to requests from authorised DRD sites. The module doesn't sufficiently protect the URL used to configure itself from CSRF attacks,...

7.2AI score
Exploits0References10
Drupal
Drupal
added 2017/05/10 12:0 a.m.18 views

Webform Multiple file upload - Moderately Critical - Access bypass - SA-CONTRIB-2017-045

This module enables you to upload multiple files at once in a webform. The module doesn't sufficiently check access to file deletion urls. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to edit all or their own webform submissions. CVE identifier...

7.1AI score
Exploits0References12
Total number of security vulnerabilities1940