Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2017/05/10 12:0 a.m.19 views

Webform Multiple file upload - Moderately Critical - Access bypass - SA-CONTRIB-2017-045

This module enables you to upload multiple files at once in a webform. The module doesn't sufficiently check access to file deletion urls. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to edit all or their own webform submissions. CVE identifier...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2017/05/03 12:0 a.m.17 views

shib_auth Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-043

This module enables you to login via Shibboleth. The module doesn't sufficiently logout the user when the shib session expires, which depending on the caching mechanism makes private data public. This vulnerability is mitigated by the fact that shibauth would have to be used in combination with a...

7AI score
Exploits0References12
Drupal
Drupal
added 2017/04/12 12:0 a.m.15 views

Media - Critical - 1.x branch unsupported - SA-CONTRIB-2017-042

The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a 3rd party site - it is commonly referred to as a 'file browser to the internet'. Versions affected Only the 1.x branch is affected. Version 2.0...

6.7AI score
Exploits0References16
Drupal
Drupal
added 2017/04/12 12:0 a.m.15 views

Legal - Critical - Unsupported - SA-CONTRIB-2017-36

Update: 2017-06-04 The issue in this module has been fixed and a new release has been made Displays your Terms & Conditions to users who want to register, and requires that they accept the T&C before their registration is accepted. The security team is marking this module unsupported. There is a...

7.1AI score
Exploits0References8
Drupal
Drupal
added 2017/04/12 12:0 a.m.13 views

Book access - Critical - Unsupported - SA-CONTRIB-2017-35

This module alters the book module permissions model by letting you specify access/modify/delete rights on a per-book basis. Normally, book-related permissions provided by drupal core apply across all books, but this module will let you drill down as granular as to letting specific users have...

7.2AI score
Exploits0References8
Drupal
Drupal
added 2017/04/12 12:0 a.m.16 views

References - Unsupported - SA-CONTRIB-2017-38

Updates 2017-04-18 -- This issue has been resolved with the release of references 7.x-2.2 2017-04-14 - A potential new maintainer is working through the process of fixing the References module. When this is complete a new release will be published and this SA will be updated. The specific details...

6.8AI score
Exploits0References11
Drupal
Drupal
added 2017/04/12 12:0 a.m.19 views

Open Atrium - Moderately critical - Information Disclosure - SA-CONTRIB-2017-041

Open Atrium is a distribution the enables collaboration sites to be built. It contains several custom modules to provide various functionality. While content is often protected behind private groups, public content can also be shared. When using Open Atrium as an internal Intranet, this "public"...

7AI score
Exploits0References11
Drupal
Drupal
added 2017/04/12 12:0 a.m.13 views

Scheduler Workbench Integration - Critical - Unsupported - SA-CONTRIB-2017-39

Updates 20170414 - A new module maintainer has been found and a new release for this module has been published. Provides integration between the Scheduler module and the Workbench Moderation module. The security team is marking this module unsupported. There is a known security issue with the...

7.1AI score
Exploits0References8
Drupal
Drupal
added 2017/04/12 12:0 a.m.9 views

@Base - Critical - Unsupported - SA-CONTRIB-2017-040

Provide some more API for developer to work with Drupal 7. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466...

7.2AI score
Exploits0References8
Drupal
Drupal
added 2017/04/12 12:0 a.m.13 views

Filemaker Form - Critical - Unsupported - SA-CONTRIB-2017-37

Easily create forms in Drupal that submit data to Filemaker databases which are hosted on Filemaker Server. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module,...

7.2AI score
Exploits0References8
Drupal
Drupal
added 2017/04/05 12:0 a.m.12 views

Auto Login URL - Less Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-034

This module lets you create auto login URLs programmatically on demand and through tokens. The module does not provide sufficient protection when generating login URLs. An attacker could rebuild login URLs independently thereby logging in as another user. This vulnerability is mitigated by the fa...

6.9AI score
Exploits0References12
Drupal
Drupal
added 2017/03/22 12:0 a.m.16 views

Linkit - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-033

Linkit provides an easy interface for internal and external linking with WYSIWYG editors by using an autocomplete field. When searching for entities, this module doesn't always enforce the access restrictions and users may see information about entities they should not be able to access. This is...

6.7AI score
Exploits0References12
Drupal
Drupal
added 2017/03/22 12:0 a.m.12 views

Office Hours - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-032

This module enables you to show the office hours of a location to the public. The module doesn't sufficiently filter user input for malicious Cross Site Scripting xss. This vulnerability is mitigated by the fact that an attacker must have a role with a permission to add fields to an entity. CVE...

6.6AI score
Exploits0References12
Drupal
Drupal
added 2017/03/15 12:0 a.m.15 views

Private - Critical - Access bypass - DRUPAL-SA-CONTRIB-2017-031

This module enables you to mark nodes as private so that they are only accessible to users that have been granted an extra permissions. The module doesn't always enforce the access restrictions. In some cases a node that a site admin expects to be private is actually accessible as normal or nodes...

7AI score
Exploits0References10
Drupal
Drupal
added 2017/03/08 12:0 a.m.24 views

PRLP - Critical - Access Bypass and Privilege Escalation - SA-CONTRIB-2017-030

This module adds a form on the password-reset-landing page to allow changing the password of the user during the log in process. The module does not sufficiently validate all access tokens, which allows an attacker to change the password of any arbitrary user and gain access to their account. In...

7.5AI score
Exploits0References12
Drupal
Drupal
added 2017/03/08 12:0 a.m.15 views

Services - Highly Critical - Arbitrary Code Execution - SA-CONTRIB-2017-029

This module provides a standardized solution for building API's so that external clients can communicate with Drupal. The module accepts user submitted data in PHP's serialization format "Content-Type: application/vnd.php.serialized" which can lead to arbitrary remote code execution. This...

7.6AI score
Exploits0References14
Drupal
Drupal
added 2017/03/01 12:0 a.m.10 views

Remember Me - Critical - Unsupported - SA-CONTRIB-2017-025

Updates 2017-04-23 — This issue has been resolved with the release of rememberme 7.x-1.1 Remember me is a module that allows users to check "Remember me" when logging in. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed ...

7.1AI score
Exploits0References10
Drupal
Drupal
added 2017/03/01 12:0 a.m.15 views

AES - Critical - Unsupported - SA-CONTRIB-2017-027

This module provides an API that allows other modules to encrypt and decrypt data using the AES encryption algorithm. The module does not follow requirements for encrypting data safely. An attacker who gains access to data encrypted with this module could decrypt it more easily than should be...

6.8AI score
Exploits0References12
Drupal
Drupal
added 2017/03/01 12:0 a.m.17 views

Breakpoint Panels - Critical - Unsupported - SA-CONTRIB-2017-028

Breakpoint panels adds a button to the Panels In-Place Editor for each pane. When selected, it will display checkboxes next to all of the breakpoints specified in that modules UI. Unchecking any of these will 'hide' it from that breakpoint. The security team is marking this module unsupported...

7.2AI score
Exploits0References9
Drupal
Drupal
added 2017/03/01 12:0 a.m.14 views

RestWS - Moderately Critical - Information Disclosure - SA-CONTRIB-2017-024

RestWS makes Drupal Entity data available in a REST API. The module doesn’t sufficiently check for access to properties when filtering queries. This vulnerability is mitigated by the fact that an attacker must have a role that allows them to access an entity type with access-controlled properties...

7AI score
Exploits0References11
Drupal
Drupal
added 2017/03/01 12:0 a.m.12 views

Location Map - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-026

This module enables you to display one simple location map via Google Maps. The module doesn't sufficiently sanitize user input in the configuration text fields of the module allows any tags and does not respect text format configuration. This vulnerability is mitigated by the fact that an attack...

6.9AI score
Exploits0References11
Drupal
Drupal
added 2017/02/22 12:0 a.m.12 views

Timezone Detect - Moderately Critical - Cross Site Request Forgery - SA-CONTRIB-2017-020

This module enables sites to automatically detect and set user timezones via JavaScript. The module does not sufficiently protect against Cross-Site Request Forgery CSRF: an attacker could use this vulnerability to manipulate a user's timezone setting. The security implication of this issue depen...

7AI score
Exploits0References11
Drupal
Drupal
added 2017/02/22 12:0 a.m.13 views

Views - Moderately Critical - Access Bypass - SA-CONTRIB-2017-022

The Views module allows site builders to create listings of various data in the Drupal database. The Views module fails to add the required query tags to listings of Taxonomy Terms, which could cause private data stored on Taxonomy Terms to be leaked to users without permision to view it. This is...

6.6AI score
Exploits0References12
Drupal
Drupal
added 2017/02/15 12:0 a.m.11 views

Metatag -Moderately Critical - Information disclosure - SA-CONTRIB-2017-019

This module enables you to add a variety of meta tags to a site for helping with a site's search engine results and to customize how content is shared on social networks. The module doesn't sufficiently protect against data being cached that might contain information related to a specific user...

6.6AI score
Exploits0References13
Drupal
Drupal
added 2017/02/15 12:0 a.m.13 views

RESTful - Moderately Critical - Access Bypass - SA-CONTRIB-2017-018

This module enables you to build a RESTful API for your Drupal site. The restfultokenauth module a sub-module doesn't validate the status of users when logging them in. This results in a blocked user being able to operate normally with the RESTful actions, even after being blocked. This...

7AI score
Exploits0References13
Drupal
Drupal
added 2017/02/15 12:0 a.m.18 views

Flag clear - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2017-017

The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own. The module doesn't sufficiently protect from CSRF attacks. The unflagging links do not...

7.1AI score
Exploits0References11
Drupal
Drupal
added 2017/02/15 12:0 a.m.13 views

Hotjar - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-015

This module enables you to add the Hotjar tracking system to your website. The module doesn't sufficiently sanitize the Hotjar ID when including tracking code. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer hotjar". CVE identifiers...

7AI score
Exploits0References12
Drupal
Drupal
added 2017/02/15 12:0 a.m.25 views

Search API Sorts - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-016

The Search API Sorts module allows the site administrator to configure custom sort options for their search results and expose the control interface via the core block system. The module doesn't sufficiently sanitise the name of the sort option which is displayed to users. This vulnerability is...

6.8AI score
Exploits0References14
Drupal
Drupal
added 2017/02/08 12:0 a.m.19 views

Wetkit Omega - Moderately Critical - Access Bypass - SA-CONTRIB-2017-012

WetKit Omega 4.x is a modern, Sass and Compass enabled Drupal 7 theme powered by the Omega base theme. When using the Drupal page cache, some links intended for privileged users can get cached and displayed to users who shouldn't have access to them. This is mitigated by the fact that the...

7AI score
Exploits0References15
Drupal
Drupal
added 2017/02/08 12:0 a.m.14 views

Acquia Content Hub - Moderately Critical - Access Bypass - SA-CONTRIB-2017-013

The Acquia Content Hub module enables the distribution and discovery of content from any source using the Acquia Content Hub service. The module allows rendering of any arbitrary entity, without performing the appropriate access check. Users browsing to a well crafted URL could access information...

7AI score
Exploits0References15
Drupal
Drupal
added 2017/02/08 12:0 a.m.11 views

Facebook Pull - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-011

This module enables you to add integration with Facebook API. The module doesn't sufficiently sanitize incoming data from Facebook. This vulnerability is mitigated by the fact that an attacker must have be able to successfully pass malicious code through Facebook API or alter facebooks DNS and...

7.2AI score
Exploits0References14
Drupal
Drupal
added 2017/02/08 12:0 a.m.13 views

OSF for Drupal - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-014

This module enables administrators to use a user interface to create complex semantic queries that can be saved to be used in different locations of a Drupal instance that uses OSF. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Securi...

7AI score
Exploits0References12
Drupal
Drupal
added 2017/02/08 12:0 a.m.18 views

Storage API stream wrappers - Moderately Critical - Access bypass - SA-CONTRIB-2017-010

This module provides stream wrappers to integrate Storage API with Drupal, as an alternative to Storage API's corebridge submodule. It provides two stream wrappers: "Storage API Public" and "Storage API Private". The private storage API doesn't sufficiently performs access control allowing...

7.1AI score
Exploits0References14
Drupal
Drupal
added 2017/02/01 12:0 a.m.45 views

Better Exposed Filters - Less Critical - Cross Site Sscripting (XSS) - SA-CONTRIB-2017-009

The Better Exposed Filters module gives site builders more choices for rendering Views' exposed form elements. The module does not sufficiently sanitize taxonomy term descriptions when the "Include the term description" option is selected. This vulnerability is mitigated by the fact that an...

6.9AI score
Exploits0References12
Drupal
Drupal
added 2017/01/25 12:0 a.m.15 views

Unpublished 404 - Critical - Access bypass - SA-CONTRIB-2017-021

The purpose of Unpublished 404 module is to emit a 404 error when a user tries to access a unpublished pages. Unpublished 404 7.x-1.0 has an access bypass vulnerability. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team...

7.1AI score
Exploits0References11
Drupal
Drupal
added 2017/01/25 12:0 a.m.15 views

DownloadFile - Critical - Unsupported - SA-CONTRIB-2017-023

DownloadFile is a module to direct download files or images. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466...

7.2AI score
Exploits0References10
Drupal
Drupal
added 2017/01/25 12:0 a.m.17 views

OAuth - Less Critical - Access Bypass - SA-CONTRIB-2017-006

This module enables you to use the OAuth 1.a protocol to authenticate requests. The module does not does not implement the OAuth 1.0a security fix reported at https://oauth.net/advisories/2009-1/. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance wit...

7.2AI score
Exploits0References15
Drupal
Drupal
added 2017/01/25 12:0 a.m.8 views

SalesCloud - Critical - Unsupported - SA-CONTRIB-2017-008

This module Connects Drupal to SalesCloud's API, a Commerce Platform as a Service. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected All versions Drupal core is not affected. If you do not use th...

7.1AI score
Exploits0References10
Drupal
Drupal
added 2017/01/25 12:0 a.m.12 views

Microblog - Critical - Unsupported - SA-CONTRIB-2017-007

This module enables microblogging on Drupal sites using it. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected All versions Drupal core is not affected. If you do not use the contributed microblog...

7.2AI score
Exploits0References9
Drupal
Drupal
added 2017/01/11 12:0 a.m.15 views

Autocomplete Deluxe - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-003

This module creates a new widget for taxonomy fields based on JQuery UI autocomplete. The module doesn't sufficiently escape the entered taxonomy terms thereby exposing a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have the permission ...

6.2AI score
Exploits0References11
Drupal
Drupal
added 2017/01/11 12:0 a.m.25 views

OpenLucius - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-004

OpenLucius is a work management platform for social communication, documentation, and projects. The distribution doesn't sufficiently use tokens when marking messages for users as read thereby exposing a Cross Site Request Forgery CSRF vulnerability. The distribution does not sufficiently filter...

6.4AI score
Exploits0References11
Drupal
Drupal
added 2017/01/11 12:0 a.m.20 views

Mailjet - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2017-005

The Mailjet module integrates with a 3rd party system to deliver site-generated emails, including newsletters, system notifications, etc. The Mailjet module included v5.2.8 of the PHPMailer library in its "includes" directory. Per PSA-2016-004, this version of the PHPMailer library was vulnerable...

7.2AI score
Exploits0References14
Drupal
Drupal
added 2017/01/04 12:0 a.m.23 views

Doubleclick for Publishers (DFP) - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-002

This module enables you to to place advertisements on your site that are served by Google's DFP Doubleclick for Publisher service. The module has multiple Cross Site Scripting XSS vulnerabilities due to not sufficiently escaped fields. The "administer DFP" permission is not marked as restricted...

6.3AI score
Exploits0References13
Drupal
Drupal
added 2017/01/04 12:0 a.m.14 views

Permissions by Term -- Critical - Multiple vulnerabilities - SA-CONTRIB-2017-001

The Permissions by Term module extends Drupal functionality by restricting access to single nodes via taxonomy terms. Taxonomy terms are part of the Drupal core functionality. Taxonomy term permissions can be coupled to specific user accounts and/or user roles. Enabling the module unintentionally...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2016/12/07 12:0 a.m.13 views

High-performance JavaScript callback handler - Highly Critical - Multiple vulnerabilities - SA-CONTRIB-2016-063

The High-performance JavaScript callback handler module is a light weight callback to bypass most, if not all, of Drupal's bootstrapping process to achieve improved performance. The module does not sufficiently check whether or not a callback is being properly accessed or filtering for potential...

6.3AI score
Exploits0References12
Drupal
Drupal
added 2016/11/30 12:0 a.m.22 views

Elysia Cron - Critical - Arbitrary PHP code execution - SA-CONTRIB-2016-062

This module enables you to manage cron jobs. The module allows users with the permission "Administer elysia cron" to execute arbitrary PHP code via cron. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer elysia cron". This permission is...

7.9AI score
Exploits0References12
Drupal
Drupal
added 2016/11/16 12:0 a.m.659 views

Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2016-005

Description Inconsistent name for term access query Less critical - Drupal 7 and Drupal 8 Drupal provides a mechanism to alter database SELECT queries before they are executed. Contributed and custom modules may use this mechanism to restrict access to certain entities by implementing...

4.3CVSS6.2AI score0.01957EPSS
Exploits0References28
Drupal
Drupal
added 2016/11/09 12:0 a.m.13 views

Views Send - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-061

The Views Send module enables you to send mail to multiple users from a View. The module doesn't sufficiently filter potential user-supplied data when previewing the e-mail which can lead to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker mus...

6.2AI score
Exploits0References11
Drupal
Drupal
added 2016/11/02 12:0 a.m.14 views

D8 Editor File upload - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-059

This module enables you to upload files directly within the CKEditor and create a link to download the given file. The module doesn't sufficiently check the uploaded file extensions when the allowed extensions list is not the default one. This vulnerability is mitigated by the fact that an attack...

7AI score
Exploits0References12
Drupal
Drupal
added 2016/11/02 12:0 a.m.20 views

Bootstrap - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-058

The Bootstrap theme enables you to integrate the Bootstrap framework with Drupal. The theme does not sufficiently filter potential user-supplied data when it's passed to certain templates can which lead to a Persistent Cross Site Scripting XSS vulnerability. CVE identifiers issued ACVE identifier...

6.2AI score
Exploits0References12
Total number of security vulnerabilities1940