Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2016/11/02 12:0 a.m.12 views

Menu Views - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-055

This module enables users to create menu items that render views instead of links. This is useful for creating "mega-menus". The module doesn't sufficiently filter title and breadcrumb fields for possible cross-site scripting. This vulnerability is mitigated by the fact that an attacker must have...

6.9AI score
Exploits0References10
Drupal
Drupal
added 2016/11/02 12:0 a.m.17 views

Workbench Moderation - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-060

This module enables you to create and manage custom editorial workflows around a site's content. The module could result in unpublished content being temporarily made visible via content lists, e.g. as generated by Views, when its editorial status was being changed, e.g. from "draft" to "needs...

7AI score
Exploits0References15
Drupal
Drupal
added 2016/11/02 12:0 a.m.15 views

Like/Dislike - Critical - Cross Site Request Forgery - SA-CONTRIB-2016-056

Cross Site Request Forgery Like/Dislike module can be used to Like and Dislike actions on any content. It is powered by Drupal field concept. The module does not verify user intent on like/dislike links thereby exposing a Cross Site Request Forgery CSRF vulnerability. CVE identifiers issued ACVE...

7.3AI score
Exploits0References10
Drupal
Drupal
added 2016/10/26 12:0 a.m.11 views

Tripal BLAST UI - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-054

This module enables you to run NCBI BLAST jobs on the host system. The module doesn't sufficiently validate advanced options available to users submitting BLAST jobs, thereby exposing the ability to enter a short snippet of shell code that will be executed when the BLAST job is run. This...

7.2AI score
Exploits0References12
Drupal
Drupal
added 2016/10/19 12:0 a.m.15 views

Webform - Less Critical - Access Bypass - SA-CONTRIB-2016-053

This module provides a user interface to create and configure forms called Webforms. When using forms with private file uploads, Webform wasn't explicitly denying access to files it managed which could allow access to be granted by other modules. The vulnerability is mitigated by the fact that...

7AI score
Exploits0References14
Drupal
Drupal
added 2016/10/12 12:0 a.m.24 views

Elysia Cron - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-052

This module enables you to manage cron jobs. The module doesn't sufficiently sanitize the cron rules which are entered into "Predefined rules" field thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

6.6AI score
Exploits0References13
Drupal
Drupal
added 2016/09/21 12:0 a.m.642 views

Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-004

Users without "Administer comments" can set comment visibility on nodes they can edit. Less critical Users who have rights to edit a node, can set the visibility on comments for that node. This should be restricted to those who have the administer comments permission. Cross-site Scripting in http...

6.1CVSS5.1AI score0.01716EPSS
Exploits0References23
Drupal
Drupal
added 2016/09/07 12:0 a.m.14 views

Flag Lists - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-051

This module enables regular users to create unlimited private flags called lists. The flaglists module doesn't sufficiently filter the output when applying token strings to flaglists links leading to a persistent Cross Site Scripting XSS attack. This vulnerability is mitigated by the fact that an...

6.2AI score
Exploits0References12
Drupal
Drupal
added 2016/08/31 12:0 a.m.17 views

Flag - Moderately Critical - Access Bypass - SA-CONTRIB-2016-050

Flag enables users to mark content with any number of admin-defined flags, such as 'bookmarks' or 'spam'. Flag Bookmark is a submodule within Flag, which provides a 'bookmarks' flag, and default views to list bookmarked content. The provided view that lists each user's bookmarked content as a tab...

6.8AI score
Exploits0References14
Drupal
Drupal
added 2016/08/24 12:0 a.m.16 views

Workbench Scheduler - Moderately Critical - Access Bypass - SA-CONTRIB-2016-049

Workbench Scheduler module provides users with the ability to create schedules that change moderated content from one workbench moderation state to another. An authenticated user could add a schedule to a node even when that content type has schedules disabled. The vulnerability is mitigated by t...

6.8AI score
Exploits0References12
Drupal
Drupal
added 2016/08/17 12:0 a.m.10 views

Hosting - Less Critical - Access bypass - SA-CONTRIB-2016-046

The Hosting module is a core component of the Aegir Hosting System. This install profile, and accompanying suite of modules, is a hosting system that sits alongside a LAMP or LEMP server to create, deploy and manage Drupal sites. The Hosting module does not sufficiently control access to any cust...

7.2AI score
Exploits0References12
Drupal
Drupal
added 2016/08/17 12:0 a.m.11 views

Panels - Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-047

Panels does not check access on some routes Critical Panels allows users with certain permissions to modify the layout and panel panes on pages or entities utilizing panels. Much of the functionality to modify these panels rely on backend routes that call administrative forms. These forms did not...

6.8AI score
Exploits0References16
Drupal
Drupal
added 2016/08/10 12:0 a.m.17 views

Piwik - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-043

This module enables you to add integration with Piwik statistics service. The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted. This vulnerability is mitigated by the...

7AI score
Exploits0References12
Drupal
Drupal
added 2016/08/10 12:0 a.m.18 views

Require Login - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2016-045

This module enables you to restrict site access without using user roles or permissions. The module does not sufficiently escape some of its settings, and, in some cases, allows malicious users to bypass the protection offered by Require Login. CVE identifiers issued ACVE identifier will be...

7AI score
Exploits0References12
Drupal
Drupal
added 2016/08/10 12:0 a.m.14 views

OAuth2 Client- Moderately Critical - Cross Site Request Forgery - SA-CONTRIB-2016-044

This module provides an OAuth2 client. The module does not check the validity of the state parameter, during server-side flow, before getting a token. This may allow a malicious user to feed a fake accesstoken to another user, and subsequently provide him fake data from the server. This page...

7AI score
Exploits0References13
Drupal
Drupal
added 2016/08/10 12:0 a.m.13 views

Google Analytics - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2016-042

This module enables you to add integration with Google Analytics statistics service. The module allows admin users to enter custom JavaScript snippets to add advanced tracking functionality. The permission required to enter this JavaScript was not marked as restricted. This vulnerability is...

7AI score
Exploits0References13
Drupal
Drupal
added 2016/08/03 12:0 a.m.13 views

Administration Views - Critical - Access bypass - SA-CONTRIB-2016-041

Administration Views module replaces overview/listing pages with actual views for superior usability. The module does not check access properly under certain circumstances. Anonymous users could get access to read information they should not have access to. CVE identifiers issued ACVE identifier...

6.7AI score
Exploits0References12
Drupal
Drupal
added 2016/07/13 12:0 a.m.17 views

Webform Multiple File Upload - Critical - Remote Code Execution - SA-CONTRIB-2016-038

The Webform Multiple File Upload module allows users to upload multiple files on a Webform. The Webform Multifile File Upload module contains a Remote Code Execution RCE vulnerability where form inputs will be unserialized and a specially crafted form input may trigger arbitrary code execution...

8.3AI score
Exploits0References13
Drupal
Drupal
added 2016/07/13 12:0 a.m.9 views

RESTWS - Highly critical - Remote code execution - SA-CONTRIB-2016-040

This module enables you to expose Drupal entities as RESTful web services. RESTWS alters the default page callbacks for entities to provide additional functionality. A vulnerability in this approach allows an attacker to send specially crafted requests resulting in arbitrary PHP execution. There...

7.3AI score
Exploits0References12
Drupal
Drupal
added 2016/07/13 12:0 a.m.56 views

Coder - Highly Critical - Remote Code Execution - SA-CONTRIB-2016-039

The Coder module checks your Drupal code against coding standards and other best practices. It can also fix coding standard violations and perform basic upgrades on modules. The module doesn't sufficiently validate user inputs in a script file that has the php extension. A malicious unauthenticat...

7.9AI score
Exploits0References16
Drupal
Drupal
added 2016/07/06 12:0 a.m.17 views

Instagram Block - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-037

This module enables you to authenticate with Instagram's API via an intermediary service instagram.yanniboi.com. The module doesn't sufficiently advise that your authentication tokens could be intercepted. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in...

7.3AI score
Exploits0References11
Drupal
Drupal
added 2016/06/15 12:0 a.m.650 views

Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2016-002

Saving user accounts can sometimes grant the user all roles User module - Drupal 7 - Moderately Critical A vulnerability exists in the User module, where if some specific contributed or custom code triggers a rebuild of the user profile form, a registered user can be granted all user roles on the...

5.3CVSS6.5AI score0.02212EPSS
Exploits0References24
Drupal
Drupal
added 2016/06/15 12:0 a.m.30 views

Views - Less Critical - Access Bypass - SA-CONTRIB-2016-036

An access bypass vulnerability exists in the Views module, where users without the "View content count" permission can see the number of hits collected by the Statistics module for results in the view. This issue is mitigated by the fact that the view must be configured to show a "Content...

5.3CVSS5.3AI score0.02212EPSS
Exploits0References18
Drupal
Drupal
added 2016/06/08 12:0 a.m.11 views

Outline Designer - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-035

This module enables you to mass administer book outlines and perform common operations through one interface, improving the usability for the book module. The module doesn't sufficiently sanitize titles when presenting them on this interface. This vulnerability is mitigated by the fact that an...

7AI score
Exploits0References11
Drupal
Drupal
added 2016/06/08 12:0 a.m.14 views

Page Manager Search - Moderately Critical - Information disclosure - SA-CONTRIB-2016-032

This module enables you to make Panels pages and other pages managed by CTools' Page Manager submodule indexible and searchable through the standard Search module provided in Drupal core. The module doesn't block access to Page Manager pages which have been disabled. CVE identifiers issued ACVE...

7.2AI score
Exploits0References12
Drupal
Drupal
added 2016/06/08 12:0 a.m.14 views

REST JSON - Multiple Vulnerabilities - Highly Critical - Unsupported - SA-CONTRIB-2016-033

This module enables you to expose content, users and comments via a JSON API. The module contains multiple vulnerabilities including Node access bypass Comment access bypass User enumeration Field access bypass User registration bypass Blocked user login Session name guessing Session enumeration...

7.3AI score
Exploits0References10
Drupal
Drupal
added 2016/06/08 12:0 a.m.12 views

Node Embed - Less critical - Denial of Service - SA-CONTRIB-2016-034

This module enables you to embed the contents of one node in the body field of another. The module doesn't sufficiently protect against a node being embedded in itself, or a loop being created of one node being embedded in another which is then itself embedded in the first node. This vulnerabilit...

6.9AI score
Exploits0References10
Drupal
Drupal
added 2016/06/01 12:0 a.m.17 views

Opening hours - Moderately Critical - XSS - SA-CONTRIB-2016-031

This module enables you to enter opening hours for locations in a highly detailed way. The module doesn't sufficiently escape input data from user input. This vulnerability is mitigated by the fact that an attacker must be able to edit opening hours by having a role with the permission “Edit...

7AI score
Exploits0References11
Drupal
Drupal
added 2016/05/25 12:0 a.m.18 views

XML Sitemap - Moderately Critical - XSS - SA-CONTRIB-2016-030

The XML Sitemap module enables you to create sitemaps which help search engines to more intelligently crawl a website and keep their results up to date. The module doesn't sufficiently filter the URL when it is displayed in the sitemap. This vulnerability is mitigated if the setting for "Include ...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2016/05/18 12:0 a.m.13 views

Registration Codes - Less Critical - Input Validation Vulnerability - SA-CONTRIB-028

This module enables you to allow users to enter a special registration code in order to sign up for the site. The module doesn't sufficiently validate the entered registration code CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Securit...

7.2AI score
Exploits0References12
Drupal
Drupal
added 2016/05/18 12:0 a.m.13 views

Dropbox client - Multiple Vulnerabilities - SA-CONTRIB-2016-027

This module enables you to view dropbox files in your Drupal site. The module doesn't sufficiently sanitize filenames when displaying them to users or administrators leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must be able to...

5.2AI score
Exploits0References11
Drupal
Drupal
added 2016/05/04 12:0 a.m.10 views

Open Atrium Notifications - Less Critical - Information Disclosure - SA-CONTRIB-2016-026

Open Atrium is a distribution of Drupal that allows you to build collaborative web sites. The Open Atrium Notification module adds the ability to send email notifications to users subscribed to certain content. When combined with the Open Atrium Mailhandler app, incoming email replies to...

7AI score
Exploits0References9
Drupal
Drupal
added 2016/05/04 12:0 a.m.12 views

Fieldable Panels Panes - Moderately Critical - XSS - SA-CONTRIB-2016-025

This module enables you to create fieldable entities that have special integration with Panels. The module doesn't sufficiently filter the entity title or admin title fields when they are displayed in either the Panels admin UI or the In-Place Editor IPE, allowing for specially crafted XSS attack...

6.1AI score
Exploits0References12
Drupal
Drupal
added 2016/04/20 12:0 a.m.13 views

Organic groups - Moderately Critical - Access bypass - DRUPAL-SA-CONTRIB-2016-023

This module enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate among themselves. Selective groups require approval in order to become a member, or even invitation-only groups. Under the certain fiel...

7AI score
Exploits0References12
Drupal
Drupal
added 2016/04/20 12:0 a.m.11 views

Search API - Moderately Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-022

This module enables you to build searches using a wide range of features, data sources and backends. Search index not updated by node access changes The module doesn't sufficiently re-index nodes when using the "Node access" or "Access check" data alterations and non-standard ways of changing nod...

6.1AI score
Exploits0References10
Drupal
Drupal
added 2016/04/13 12:0 a.m.14 views

Features - Less Critical - Denial of Service (DoS) - SA-CONTRIB-2016-020

This module enables you to organize and export configuration data. The module doesn't sufficiently protect the admin/structure/features/cleanup path with a token. If an attacker can trick an admin with the "manage features" permission to request a special URL, it could lead to clearing the cache...

7AI score
Exploits0References11
Drupal
Drupal
added 2016/04/13 12:0 a.m.15 views

Boost - Moderately Critical - Information Disclosure - SA-CONTRIB-2016-021

This module provides static page caching for Drupal enabling a very significant performance and scalability boost for sites that receive mostly anonymous traffic. The module doesn't prevent form cache from leaking between anonymous users which could result in information disclosure, where one use...

6.7AI score
Exploits0References13
Drupal
Drupal
added 2016/04/06 12:0 a.m.11 views

HybridAuth - Less critical - Multiple vulnerabilities - SA-CONTRIB-2016-018

The HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter. Open redirect The module doesn't verify the "destination" redirect after a login to be a non-external URL causing an ope...

7.1AI score
Exploits0References11
Drupal
Drupal
added 2016/04/06 12:0 a.m.10 views

Drupal Commerce - Less Critical - Information disclosure - SA-CONTRIB-2016-019

This module enables you to build an online store that uses nodes to display products through the use of product reference fields. The default widget for those fields is an autocomplete textfield similar to the taxonomy term reference field's autocomplete widget. As you type in the textfield, the...

7AI score
Exploits0References13
Drupal
Drupal
added 2016/03/23 12:0 a.m.10 views

Login one time - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-017

The Login one time module provides the ability to email one-time login links to users. The module doesn't sufficiently sanitize user input supplied to an ajax callback function. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Security...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2016/03/16 12:0 a.m.19 views

Fast Autocomplete - Critical - DOS vulnerability - SA-CONTRIB-2016-016

This module enables you to show IMDB-like suggestions when entering terms into an input field using json files to "cache" suggestions making the autocomplete very fast. The module doesn't sufficiently validate the incoming language parameter in the request path when a json file of the module is...

7.1AI score
Exploits0References14
Drupal
Drupal
added 2016/03/09 12:0 a.m.12 views

Scald File - Critical - Remote Code Execution - SA-CONTRIB-2016-015

When a PDF is uploaded in Scald File, various tools can be executed if they're installed on the server, to try to generate a thumbnail out of that PDF. This is mitigated by the need to have the sufficient permissions to upload a file in Scald, and also to have at least one of the thumbnail creati...

7.2AI score
Exploits0References10
Drupal
Drupal
added 2016/03/02 12:0 a.m.17 views

Hubspot CTA - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-012 - Unsupported

This module enables you to embed a Hubspot CTA buttons widget in a Bean block. The module allows configuration of a CTA ID and Account ID while adding a bean block for a CTA button, but doesn't sufficiently sanitise these parameters, allowing a potential cross-site scripting attack. This...

6.5AI score
Exploits0References11
Drupal
Drupal
added 2016/03/02 12:0 a.m.17 views

Google Analytics Counter - Moderately Critical - CSRF - SA-CONTRIB-2016-011

The Google Analytics Counter module provides total pageview counts for each page on a website. In that it is similar to the core Statistics module counter, but it is much lighter and ultimately faster because it draws on data from Google Analytics. This is why it is also able to effortlessly coun...

7AI score
Exploits0References12
Drupal
Drupal
added 2016/03/02 12:0 a.m.27 views

Prepopulate - Moderately Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-009

The Prepopulate module allows form fields to be pre-populated in the request. The Prepopulate module does not adequately prevent a user from overwriting arbitrary parts of $REQUEST. It also does not prevent pre-populating certain fields that are not displayed or manipulating markup fields to alte...

7.5CVSS7.1AI score0.01862EPSS
Exploits0References10
Drupal
Drupal
added 2016/03/02 12:0 a.m.15 views

USASearch - Moderately Critical - Access Bypass - SA-CONTRIB-2016-010

This module indexes public content using USASearch, a program of the General Services Administration’s Office of Citizen Services and Information Technology OCSIT, which offers free search services to any federal, state, local, tribal, or territorial government agency that can be used to search o...

7.1AI score
Exploits0References13
Drupal
Drupal
added 2016/03/02 12:0 a.m.14 views

Fieldable Panels Panes - Moderately Critical - Access Bypass - SA-CONTRIB-2016-014

This module enables you to create fieldable entities that have special integration with Panels. The module doesn't check access permissions on a file when it is attached to a field on a Fieldable Panels Panes entity that has been made private and where the file field is set to store files using t...

7.1AI score
Exploits0References11
Drupal
Drupal
added 2016/03/02 12:0 a.m.13 views

Node Notify - Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-013

Node Notify is a lightweight module to allow subscription to comments on nodes for registered and anonymous users. The module doesn't sufficiently sanitize some user provided content, leading to a Cross Site Scripting vulnerability. Additionally, some paths were not protected against CSRF. An...

6.7AI score
Exploits0References12
Drupal
Drupal
added 2016/02/24 12:0 a.m.11 views

FileField - Denial of Service - SA-CONTRIB-2016-008

FileField module allows users to upload files in conjunction with the Content Construction Kit CCK module in Drupal 6. The module doesn't validate that a request to delete a temporary file was made by the user who uploaded the file. An attacker can use this vulnerability to delete other user's fi...

7AI score
Exploits0References11
Drupal
Drupal
added 2016/02/24 12:0 a.m.630 views

Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-001

File upload access bypass and denial of service File module - Drupal 7 and 8 - Moderately Critical A vulnerability exists in the File module that allows a malicious user to view, delete or substitute a link to a file that the victim has uploaded to a form while the form has not yet been submitted...

8.5CVSS7.7AI score0.0319EPSS
Exploits0References50
Total number of security vulnerabilities1940