Wetkit Omega - Moderately Critical - Access Bypass - SA-CONTRIB-2017-012
WetKit Omega 4.x is a modern, Sass and Compass enabled Drupal 7 theme powered by the Omega base theme. When using the Drupal page cache, some links intended for privileged users can get cached and displayed to users who shouldn't have access to them. This is mitigated by the fact that the...
Storage API stream wrappers - Moderately Critical - Access bypass - SA-CONTRIB-2017-010
This module provides stream wrappers to integrate Storage API with Drupal, as an alternative to Storage API's corebridge submodule. It provides two stream wrappers: "Storage API Public" and "Storage API Private". The private storage API doesn't sufficiently perform access control, allowing...
Facebook Pull - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-011
This module enables you to add integration with the Facebook API. The module doesn't sufficiently sanitize incoming data from Facebook. This vulnerability is mitigated by the fact that an attacker must be able to successfully pass malicious code through the Facebook API or alter Facebook's DNS and...
OSF for Drupal - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-014
This module enables administrators to use a user interface to create complex semantic queries that can be saved to be used in different locations of a Drupal instance that uses OSF. CVE identifiers issued: A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Securi...
Better Exposed Filters - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-009
The Better Exposed Filters module gives site builders more choices for rendering Views' exposed form elements. The module does not sufficiently sanitize taxonomy term descriptions when the "Include the term description" option is selected. This vulnerability is mitigated by the fact that an...
OAuth - Less Critical - Access Bypass - SA-CONTRIB-2017-006
This module enables you to use the OAuth 1.0a protocol to authenticate requests. The module does not implement the OAuth 1.0a security fix reported at https://oauth.net/advisories/2009-1/. CVE identifiers issued: A CVE identifier will be requested, and added upon issuance, in accordance wit...
Unpublished 404 - Critical - Access bypass - SA-CONTRIB-2017-021
The purpose of the Unpublished 404 module is to emit a 404 error when a user tries to access an unpublished page. Unpublished 404 7.x-1.0 has an access bypass vulnerability. CVE identifiers issued: A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team...
Microblog - Critical - Unsupported - SA-CONTRIB-2017-007
This module enables microblogging on Drupal sites using it. CVE identifiers issued: A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected: All versions. Drupal core is not affected. If you do not use the contributed microblog...
SalesCloud - Critical - Unsupported - SA-CONTRIB-2017-008
This module connects Drupal to SalesCloud's API, a Commerce Platform as a Service. CVE identifiers issued: A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected: All versions. Drupal core is not affected. If you do not use th...
DownloadFile - Critical - Unsupported - SA-CONTRIB-2017-023
DownloadFile is a module to direct download files or images. The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466...
Mailjet - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2017-005
The Mailjet module integrates with a 3rd party system to deliver site-generated emails, including newsletters, system notifications, etc. The Mailjet module included v5.2.8 of the PHPMailer library in its "includes" directory. Per PSA-2016-004, this version of the PHPMailer library was vulnerable...
OpenLucius - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-004
OpenLucius is a work management platform for social communication, documentation, and projects. The distribution doesn't sufficiently use tokens when marking messages for users as read, thereby exposing a Cross Site Request Forgery (CSRF) vulnerability. The distribution does not sufficiently filter...
Autocomplete Deluxe - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2017-003
This module creates a new widget for taxonomy fields based on jQuery UI autocomplete. The module doesn't sufficiently escape the entered taxonomy terms, thereby exposing a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have the permission ...
Doubleclick for Publishers (DFP) - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-002
This module enables you to place advertisements on your site that are served by Google's DFP (Doubleclick for Publishers) service. The module has multiple Cross Site Scripting (XSS) vulnerabilities due to insufficiently escaped fields. The "administer DFP" permission is not marked as restricted...
Permissions by Term - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-001
The Permissions by Term module extends Drupal functionality by restricting access to single nodes via taxonomy terms. Taxonomy terms are part of the Drupal core functionality. Taxonomy term permissions can be coupled to specific user accounts and/or user roles. Enabling the module unintentionally...
High-performance JavaScript callback handler - Highly Critical - Multiple vulnerabilities - SA-CONTRIB-2016-063
The High-performance JavaScript callback handler module is a lightweight callback that bypasses most, if not all, of Drupal's bootstrapping process to achieve improved performance. The module does not sufficiently check whether or not a callback is being properly accessed or filter for potential...
Elysia Cron - Critical - Arbitrary PHP code execution - SA-CONTRIB-2016-062
This module enables you to manage cron jobs. The module allows users with the permission "Administer elysia cron" to execute arbitrary PHP code via cron. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer elysia cron". This permission is...
Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2016-005
Description: Inconsistent name for term access query (Less critical - Drupal 7 and Drupal 8). Drupal provides a mechanism to alter database SELECT queries before they are executed. Contributed and custom modules may use this mechanism to restrict access to certain entities by implementing...
Views Send - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-061
The Views Send module enables you to send mail to multiple users from a View. The module doesn't sufficiently filter potential user-supplied data when previewing the e-mail, which can lead to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker mus...
Menu Views - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-055
This module enables users to create menu items that render views instead of links. This is useful for creating "mega-menus". The module doesn't sufficiently filter title and breadcrumb fields for possible cross-site scripting. This vulnerability is mitigated by the fact that an attacker must have...
Bootstrap - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-058
The Bootstrap theme enables you to integrate the Bootstrap framework with Drupal. The theme does not sufficiently filter potential user-supplied data when it's passed to certain templates, which can lead to a persistent Cross Site Scripting (XSS) vulnerability. CVE identifiers issued: A CVE identifier...
D8 Editor File upload - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-059
This module enables you to upload files directly within the CKEditor and create a link to download the given file. The module doesn't sufficiently check the uploaded file extensions when the allowed extensions list is not the default one. This vulnerability is mitigated by the fact that an attack...
Workbench Moderation - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-060
This module enables you to create and manage custom editorial workflows around a site's content. The module could result in unpublished content being temporarily made visible via content lists, e.g. as generated by Views, when its editorial status was being changed, e.g. from "draft" to "needs...
Like/Dislike - Critical - Cross Site Request Forgery - SA-CONTRIB-2016-056
Cross Site Request Forgery: The Like/Dislike module provides Like and Dislike actions on any content. It is powered by the Drupal field concept. The module does not verify user intent on like/dislike links, thereby exposing a Cross Site Request Forgery (CSRF) vulnerability. CVE identifiers issued: A CVE...
Tripal BLAST UI - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-054
This module enables you to run NCBI BLAST jobs on the host system. The module doesn't sufficiently validate advanced options available to users submitting BLAST jobs, thereby exposing the ability to enter a short snippet of shell code that will be executed when the BLAST job is run. This...
Webform - Less Critical - Access Bypass - SA-CONTRIB-2016-053
This module provides a user interface to create and configure forms called Webforms. When using forms with private file uploads, Webform wasn't explicitly denying access to files it managed which could allow access to be granted by other modules. The vulnerability is mitigated by the fact that...
Elysia Cron - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-052
This module enables you to manage cron jobs. The module doesn't sufficiently sanitize the cron rules which are entered into "Predefined rules" field thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...
Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-004
Users without "Administer comments" can set comment visibility on nodes they can edit (Less critical). Users who have rights to edit a node can set the visibility of comments for that node. This should be restricted to those who have the "administer comments" permission. Cross-site Scripting in http...
Flag Lists - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-051
This module enables regular users to create unlimited private flags called lists. The Flag Lists module doesn't sufficiently filter the output when applying token strings to flaglists links, leading to a persistent Cross Site Scripting (XSS) attack. This vulnerability is mitigated by the fact that an...
Flag - Moderately Critical - Access Bypass - SA-CONTRIB-2016-050
Flag enables users to mark content with any number of admin-defined flags, such as 'bookmarks' or 'spam'. Flag Bookmark is a submodule within Flag, which provides a 'bookmarks' flag, and default views to list bookmarked content. The provided view that lists each user's bookmarked content as a tab...
Workbench Scheduler - Moderately Critical - Access Bypass - SA-CONTRIB-2016-049
Workbench Scheduler module provides users with the ability to create schedules that change moderated content from one workbench moderation state to another. An authenticated user could add a schedule to a node even when that content type has schedules disabled. The vulnerability is mitigated by t...
Panels - Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-047
Panels does not check access on some routes (Critical). Panels allows users with certain permissions to modify the layout and panel panes on pages or entities utilizing Panels. Much of the functionality to modify these panels relies on backend routes that call administrative forms. These forms did not...
Hosting - Less Critical - Access bypass - SA-CONTRIB-2016-046
The Hosting module is a core component of the Aegir Hosting System. This install profile, and accompanying suite of modules, is a hosting system that sits alongside a LAMP or LEMP server to create, deploy and manage Drupal sites. The Hosting module does not sufficiently control access to any cust...
Require Login - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2016-045
This module enables you to restrict site access without using user roles or permissions. The module does not sufficiently escape some of its settings, and, in some cases, allows malicious users to bypass the protection offered by Require Login. CVE identifiers issued: A CVE identifier will be...
Piwik - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-043
This module enables you to add integration with the Piwik statistics service. The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted. This vulnerability is mitigated by the...
OAuth2 Client - Moderately Critical - Cross Site Request Forgery - SA-CONTRIB-2016-044
This module provides an OAuth2 client. The module does not check the validity of the state parameter during the server-side flow before getting a token. This may allow a malicious user to feed a fake access token to another user, and subsequently provide them with fake data from the server. This page...
Google Analytics - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-042
This module enables you to add integration with the Google Analytics statistics service. The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted. This vulnerability is...
Administration Views - Critical - Access bypass - SA-CONTRIB-2016-041
Administration Views module replaces overview/listing pages with actual views for superior usability. The module does not check access properly under certain circumstances. Anonymous users could get access to read information they should not have access to. CVE identifiers issued: A CVE identifier...
Coder - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-039
The Coder module checks your Drupal code against coding standards and other best practices. It can also fix coding standard violations and perform basic upgrades on modules. The module doesn't sufficiently validate user inputs in a script file that has the php extension. A malicious unauthenticat...
RESTWS - Highly critical - Remote code execution - SA-CONTRIB-2016-040
This module enables you to expose Drupal entities as RESTful web services. RESTWS alters the default page callbacks for entities to provide additional functionality. A vulnerability in this approach allows an attacker to send specially crafted requests resulting in arbitrary PHP execution. There...
Webform Multiple File Upload - Critical - Remote Code Execution - SA-CONTRIB-2016-038
The Webform Multiple File Upload module allows users to upload multiple files on a Webform. The module contains a Remote Code Execution (RCE) vulnerability where form inputs will be unserialized and a specially crafted form input may trigger arbitrary code execution...
Instagram Block - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-037
This module enables you to authenticate with Instagram's API via an intermediary service, instagram.yanniboi.com. The module doesn't sufficiently advise that your authentication tokens could be intercepted. CVE identifiers issued: A CVE identifier will be requested, and added upon issuance, in...
Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2016-002
Saving user accounts can sometimes grant the user all roles (User module - Drupal 7 - Moderately Critical). A vulnerability exists in the User module, where if some specific contributed or custom code triggers a rebuild of the user profile form, a registered user can be granted all user roles on the...
Views - Less Critical - Access Bypass - SA-CONTRIB-2016-036
An access bypass vulnerability exists in the Views module, where users without the "View content count" permission can see the number of hits collected by the Statistics module for results in the view. This issue is mitigated by the fact that the view must be configured to show a "Content...
Page Manager Search - Moderately Critical - Information disclosure - SA-CONTRIB-2016-032
This module enables you to make Panels pages and other pages managed by CTools' Page Manager submodule indexable and searchable through the standard Search module provided in Drupal core. The module doesn't block access to Page Manager pages which have been disabled. CVE identifiers issued: A CVE...
Node Embed - Less critical - Denial of Service - SA-CONTRIB-2016-034
This module enables you to embed the contents of one node in the body field of another. The module doesn't sufficiently protect against a node being embedded in itself, or a loop being created of one node being embedded in another which is then itself embedded in the first node. This vulnerabilit...
REST JSON - Highly Critical - Multiple Vulnerabilities - Unsupported - SA-CONTRIB-2016-033
This module enables you to expose content, users and comments via a JSON API. The module contains multiple vulnerabilities, including: node access bypass, comment access bypass, user enumeration, field access bypass, user registration bypass, blocked user login, session name guessing, session enumeration...
Outline Designer - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-035
This module enables you to mass administer book outlines and perform common operations through one interface, improving the usability for the book module. The module doesn't sufficiently sanitize titles when presenting them on this interface. This vulnerability is mitigated by the fact that an...
Opening hours - Moderately Critical - XSS - SA-CONTRIB-2016-031
This module enables you to enter opening hours for locations in a highly detailed way. The module doesn't sufficiently escape user-supplied input data. This vulnerability is mitigated by the fact that an attacker must be able to edit opening hours by having a role with the permission “Edit...
XML Sitemap - Moderately Critical - XSS - SA-CONTRIB-2016-030
The XML Sitemap module enables you to create sitemaps which help search engines to more intelligently crawl a website and keep their results up to date. The module doesn't sufficiently filter the URL when it is displayed in the sitemap. This vulnerability is mitigated if the setting for "Include ...