Registration Codes - Less Critical - Input Validation Vulnerability - SA-CONTRIB-028
This module enables you to allow users to enter a special registration code in order to sign up for the site. The module doesn't sufficiently validate the entered registration code. CVE identifiers issued: A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Securit...
Dropbox client - Multiple Vulnerabilities - SA-CONTRIB-2016-027
This module enables you to view dropbox files in your Drupal site. The module doesn't sufficiently sanitize filenames when displaying them to users or administrators leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must be able to...
Open Atrium Notifications - Less Critical - Information Disclosure - SA-CONTRIB-2016-026
Open Atrium is a distribution of Drupal that allows you to build collaborative web sites. The Open Atrium Notification module adds the ability to send email notifications to users subscribed to certain content. When combined with the Open Atrium Mailhandler app, incoming email replies to...
Fieldable Panels Panes - Moderately Critical - XSS - SA-CONTRIB-2016-025
This module enables you to create fieldable entities that have special integration with Panels. The module doesn't sufficiently filter the entity title or admin title fields when they are displayed in either the Panels admin UI or the In-Place Editor (IPE), allowing for specially crafted XSS attack...
Search API - Moderately Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-022
This module enables you to build searches using a wide range of features, data sources and backends. Search index not updated by node access changes: The module doesn't sufficiently re-index nodes when using the "Node access" or "Access check" data alterations and non-standard ways of changing nod...
Organic groups - Moderately Critical - Access bypass - DRUPAL-SA-CONTRIB-2016-023
This module enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate among themselves. Groups can be selective, requiring approval in order to become a member, or even invitation-only. Under the certain fiel...
Boost - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-021
This module provides static page caching for Drupal enabling a very significant performance and scalability boost for sites that receive mostly anonymous traffic. The module doesn't prevent form cache from leaking between anonymous users which could result in information disclosure, where one use...
Features - Less Critical - Denial of Service (DoS) - SA-CONTRIB-2016-020
This module enables you to organize and export configuration data. The module doesn't sufficiently protect the admin/structure/features/cleanup path with a token. If an attacker can trick an admin with the "manage features" permission to request a special URL, it could lead to clearing the cache...
Drupal Commerce - Less Critical - Information disclosure - SA-CONTRIB-2016-019
This module enables you to build an online store that uses nodes to display products through the use of product reference fields. The default widget for those fields is an autocomplete textfield similar to the taxonomy term reference field's autocomplete widget. As you type in the textfield, the...
HybridAuth - Less critical - Multiple vulnerabilities - SA-CONTRIB-2016-018
The HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter. Open redirect: The module doesn't verify the "destination" redirect after a login to be a non-external URL causing an ope...
Login one time - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-017
The Login one time module provides the ability to email one-time login links to users. The module doesn't sufficiently sanitize user input supplied to an ajax callback function. CVE identifiers issued: A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security...
Fast Autocomplete - Critical - DOS vulnerability - SA-CONTRIB-2016-016
This module enables you to show IMDB-like suggestions when entering terms into an input field using json files to "cache" suggestions making the autocomplete very fast. The module doesn't sufficiently validate the incoming language parameter in the request path when a json file of the module is...
Scald File - Critical - Remote Code Execution - SA-CONTRIB-2016-015
When a PDF is uploaded in Scald File, various tools can be executed if they're installed on the server, to try to generate a thumbnail out of that PDF. This is mitigated by the need to have the sufficient permissions to upload a file in Scald, and also to have at least one of the thumbnail creati...
Prepopulate - Moderately Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-009
The Prepopulate module allows form fields to be pre-populated in the request. The Prepopulate module does not adequately prevent a user from overwriting arbitrary parts of $_REQUEST. It also does not prevent pre-populating certain fields that are not displayed or manipulating markup fields to alte...
USASearch - Moderately Critical - Access Bypass - SA-CONTRIB-2016-010
This module indexes public content using USASearch, a program of the General Services Administration's Office of Citizen Services and Information Technology (OCSIT), which offers free search services to any federal, state, local, tribal, or territorial government agency that can be used to search o...
Fieldable Panels Panes - Moderately Critical - Access Bypass - SA-CONTRIB-2016-014
This module enables you to create fieldable entities that have special integration with Panels. The module doesn't check access permissions on a file when it is attached to a field on a Fieldable Panels Panes entity that has been made private and where the file field is set to store files using t...
Hubspot CTA - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-012 - Unsupported
This module enables you to embed a Hubspot CTA buttons widget in a Bean block. The module allows configuration of a CTA ID and Account ID while adding a bean block for a CTA button, but doesn't sufficiently sanitise these parameters, allowing a potential cross-site scripting attack. This...
Google Analytics Counter - Moderately Critical - CSRF - SA-CONTRIB-2016-011
The Google Analytics Counter module provides total pageview counts for each page on a website. In that it is similar to the core Statistics module counter, but it is much lighter and ultimately faster because it draws on data from Google Analytics. This is why it is also able to effortlessly coun...
Node Notify - Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-013
Node Notify is a lightweight module to allow subscription to comments on nodes for registered and anonymous users. The module doesn't sufficiently sanitize some user provided content, leading to a Cross Site Scripting vulnerability. Additionally, some paths were not protected against CSRF. An...
FileField - Denial of Service - SA-CONTRIB-2016-008
FileField module allows users to upload files in conjunction with the Content Construction Kit (CCK) module in Drupal 6. The module doesn't validate that a request to delete a temporary file was made by the user who uploaded the file. An attacker can use this vulnerability to delete other users' fi...
Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-001
File upload access bypass and denial of service (File module - Drupal 7 and 8 - Moderately Critical): A vulnerability exists in the File module that allows a malicious user to view, delete or substitute a link to a file that the victim has uploaded to a form while the form has not yet been submitted...
Nodejs - Access bypass - Moderately Critical - DRUPAL-SA-CONTRIB-2016-007
This module provides an API that other modules can use to add realtime capabilities to Drupal, specifically enabling pushing updates to open connected clients. The module doesn't disconnect unauthenticated sockets, allowing those sockets to receive broadcast messages. For sites that only serve...
Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass - DRUPAL-SA-CONTRIB-2016-006
This module enables you to make credit card payments for Drupal Commerce orders via the Authorize.Net payment gateway using either their SIM hosted payment page or DPM direct post method mechanisms. The module doesn't sufficiently protect against the premature triggering of order completion witho...
Embedded Media Field - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2016-004
This module enables you to display video, image, and audio files from various third party providers. The module doesn't sufficiently sanitize path arguments under certain scenarios. This vulnerability is mitigated by the fact that an attacker must be able to trick an administrator into visiting...
CAS - Moderately Critical - Information Disclosure - DRUPAL-SA-CONTRIB-2016-005
This module enables you to use your Drupal site as a client or server for the single sign on protocol CAS. This vulnerability only affects sites that use the "CAS Server" sub module. The module doesn't allow an administrator to restrict which CAS clients are allowed to authenticate with the Drupal C...
Open Atrium - Moderately Critical - Access Bypass - SA-CONTRIB-2016-003
Open Atrium allows you to control access via a hierarchy of public and private spaces and sub-spaces. If a public sub-space is created within a private parent-space, the content nodes of the public sub-space are accessible to users who are not members of the parent private space. This issue only...
RedHen CRM - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-002
The Redhen set of modules allows you to build CRM features in a Drupal site. When rendering individual Contacts, this module does not properly filter certain data prior to display. When rendering listings of notes or engagement scores, these modules do not properly filter certain data before...
Field Group - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-001
Field Group module enables you to group fields on entity forms and entity displays. When adding an HTML element as a group, the user has the option to add custom HTML attributes on the group. Via this option, a malicious user can embed scripts within the page, resulting in a Cross-site Scripting XSS...
Block Class - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-175
This module enables you to add custom classes to blocks. The module doesn't sufficiently scrub class names written by a malicious block class administrator. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer block classes". CVE identifier...
Values - Critical - Arbitrary PHP code execution - SA-CONTRIB-2015-172
This module enables you to create key|value pairs for use in list fields, webforms etc. The module includes an import page that runs eval on an exported code block (ctools), but the permission for the page does not warn about security concerns of importing raw php code like this trusted permission...
Select2 Field Widget - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-173
Select2 Field Widget module enables you to use the select2 library for field widgets. The module doesn't sufficiently sanitize some user supplied text, leading to a reflected Cross Site Scripting (XSS) vulnerability. CVE identifiers issued: A CVE identifier will be requested, and added upon issuance,...
Open Atrium - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-174
Open Atrium distribution enables you to create an intranet. Open Atrium Core module doesn't sufficiently sanitize some user supplied text, leading to a reflected Cross Site Scripting (XSS) vulnerability. CVE identifiers issued: A CVE identifier will be requested, and added upon issuance, in accordanc...
RESTful - Less Critical - Access bypass - SA-CONTRIB-2015-167
RESTful module allows Drupal to be operated via RESTful HTTP requests, using best practices for security, performance, and usability. The module doesn't sufficiently validate some user input. Specific code could be run arbitrarily by an attacker in certain circumstances. This vulnerability is...
Mollom - Critical - Access bypass - SA-CONTRIB-2015-168
The Mollom module allows users to protect their website from spam. As part of the spam protection, Mollom enables the website administrator to create a blacklist. When content is submitted that matches terms on the black list it will be automatically marked as spam and rejected per the site...
Chat Room - Moderately Critical - Access Bypass - SA-CONTRIB-2015-169
Chat Room enables site owners to integrate chats into nodes by adding the chat room field to them. The module relies on a websocket connection to send chat messages to the client. The module doesn't sufficiently validate access before setting up the websocket. As a result, users may receive...
Token Insert Entity - Moderately Critical - Access bypass and information disclosure - SA-CONTRIB-2015-171
This module offers a WYSIWYG button to embed rendered entities in fields using a WYSIWYG (normally the body of a node). There is a vulnerability because a user that can create or edit content and has the "insert entity token" permission can insert tokens relating to e.g. an unpublished node and all...
Apache Solr Search - Moderately Critical - Access Bypass - SA-CONTRIB-2015-170
This module enables you to connect to an Apache Solr search server to provide a replacement for Drupal core content search and provide both extra features and better search performance and relevance. The module doesn't correctly check access when attempting to delete non-default search...
Encrypt - Moderately Critical - Weak Encryption - SA-CONTRIB-2015-166
This module enables you to encrypt data within Drupal using a user-configurable encryption method and key provider. The module did not sufficiently validate good configurations and api usage resulting in multiple potential weaknesses depending on module usage. The default encryption method could...
UC Profile - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-165
UC Profile module enables you to collect profile fields for users during the checkout process of Ubercart as a checkout pane. The module doesn't sufficiently check access to profiles under certain circumstances. Depending on the information being collected, sensitive data may be exposed. This...
MAYO theme - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-164
MAYO theme enables you to change certain theme settings via the administration interface. Some theme settings aren't sufficiently sanitized. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes". CVE identifiers issued: CVE-2015-8233...
Monster Menus - Access Bypass - Moderately Critical - SA-CONTRIB-2015-163
Monster Menus is a hierarchical menu tree, which provides highly scalable, granular permissions for all pages within a site. The module includes an option to remove nodes from view (add them to a "recycle bin") rather than deleting them outright. When a node has been put into a bin using an affecte...
Login Disable - Access Bypass - Moderately Critical - SA-CONTRIB-2015-162
This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page. The Login Disable module doesn't support other contributed user authentication modules like CAS or URL Login. When combined with...
Field as Block - Less Critical - Information Disclosure - SA-CONTRIB-2015-161
This module enables you to take a field from the current entity and place it elsewhere as a block. The module caches the block output in a manner that could allow sensitive content to be seen by visitors who should not see it. The problem will only occur when other modules alter field output base...
jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-158
The jQuery Update module enables you to update jQuery on your site. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-004). Only sites with the Overlay module enabled are vulnerable. An incomplete fix for...
Webform CiviCRM Integration - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-160
Webform CiviCRM Integration allows you to add CiviCRM fields to a Drupal Webform. The module doesn't sufficiently escape user input. Some of the vulnerabilities are mitigated by the fact that an attacker must have a role with the permission to edit the webform node plus "access CiviCRM" to define...
LABjs - Less Critical - Open Redirect - SA-CONTRIB-2015-159
The LABjs module integrates LABjs with Drupal for web performance optimization. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-004). Only sites with the Overlay module enabled are vulnerable. An incomple...
Drupal Core - Overlay - Less Critical - Open Redirect - SA-CORE-2015-004
The Overlay module in Drupal core displays administrative pages as a layer over the current page using JavaScript, rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect...
Twilio - Moderately Critical - Access bypass - SA-CONTRIB-2015-157
This module provides hooks and rules integration to leverage the Twilio API to send/receive phone calls and text messages. The module relies on existing permissions for providing administration which can lead to untrusted users having access to perform actions that may not be intended. This...
Entity Registration - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-155
This module enables you to manage registrations for events. The module doesn't sufficiently protect information about who is registered to attend specific events when anonymous users are granted a permission that is commonly recommended when allowing anonymous registrations. This vulnerability is...
Colorbox - Access bypass - Less Critical - SA-CONTRIB-2015-156
This module allows for integration of Colorbox, a jQuery lightbox plugin, into Drupal. The module allows unprivileged users to add unexpected content to a Colorbox, including content from external sites. This allows an unprivileged user to deface a site. This vulnerability is mitigated by the fac...