Stickynote - Cross Site Scripting (XSS) - Moderately Critical - SA-CONTRIB-2015-154
This module enables you to create notes on a page inside a block. The module doesn't sufficiently sanitize the note text on the admin listing page. This vulnerability is mitigated by the fact that an attacker must have a role with a permission to create or edit a stickynote. CVE identifiers issue...
Taxonomy Find - Unsupported - SA-CONTRIB-2015-153
This module enables you to add a simple search interface to lookup taxonomy terms by name. The module doesn't sufficiently sanitize output of taxonomy vocabulary names and term names. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer...
User Dashboard - SQL Injection - Critical - SA-CONTRIB-2015-152
Module contains SQL Injection vulnerabilities. CVE identifiers issued: CVE-2015-7877. Versions affected: userdashboard 7.x versions prior to 7.x-1.4. Drupal core is not affected. If you do not use the contributed UserDashboard module, there is nothing you need to do. Solution: Install the latest...
Drupal 7 driver for SQL Server and SQL Azure - Moderately Critical - SQL Injection - SA-CONTRIB-2015-148
Drupal 7 driver for SQL Server and SQL Azure module has a SQL injection vulnerability. Certain characters aren't properly escaped by the Drupal database API. A malicious user may be able to access restricted information by performing a specially-crafted search. Only sites that use contrib or cust...
CMS Updater - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2015-150
CMS Updater allows you to update Drupal core automatically with a subscription service. Access bypass: The module does not sufficiently protect the settings page, allowing any user with the permission "access administration pages" to change settings. This vulnerability is mitigated by the fact that an...
Scald - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-151
This module enables you to easily manage your media assets and re-use them in all your content. The module provided a "debug" context that gave access to all the atom properties, including all the fields attached to this atom, without applying the corresponding field restrictions. This...
amoCRM - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2015-149
This module enables you to integrate with the amoCRM service using webhooks. The module does not sufficiently sanitize the logged data when malicious POST data is received. This vulnerability is mitigated by the fact that a module such as "Database logging" (dblog) must be enabled, which displays log...
Twitter - Moderately Critical - Access bypass - SA-CONTRIB-2015-146
This module enables you to pull in public tweets from Twitter accounts, post messages to Twitter to announce content changes, and authenticate using Twitter. The module doesn't sufficiently check for access when using the Twitter Post submodule to post messages to Twitter and allows a tweet to be...
RESTful - Moderately Critical - Access bypass - SA-CONTRIB-2015-147
This module enables you to expose your Drupal backend by generating a RESTful API. The module doesn't sufficiently account for core's page cache generation for anonymous users, when using non-cookie authentication providers. Authenticated users, via one of the authentication providers, can have...
Zendesk Feedback Tab - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-143
This module enables you to easily integrate the Zendesk Support Tab on your Drupal website. The module allows JavaScript code to be embedded via its administration interface, allowing for the potential of cross-site scripting attacks. The module did not properly indicate that site administrators...
Fieldable Panels Panes - Less Critical - Access bypass - SA-CONTRIB-2015-145
Fieldable Panels Panes enables you to create custom panes for embedding in Panels-based displays (Page Manager, Panelizer, Panels Everywhere) via a fieldable custom entity type. The module doesn't sufficiently check for permission to edit existing Fieldable Panels Panes entities, thus allowing...
Mass Contact - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-144
This module allows anyone with permission to send a single message to multiple users of a site, using the site's roles and/or taxonomy functionality. The module doesn't sufficiently sanitize the category labels when they are displayed. This vulnerability is mitigated by the fact that an attacker...
Spotlight - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2015-142
The Spotlight module provides a tool that mimics Mac OS X Spotlight functionality. It provides faster access to content, paths and uploaded files. The module doesn't sufficiently sanitize node titles when displayed in results. This vulnerability is mitigated by the fact that an attacker must have...
Search API Autocomplete - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-140
This module enables you to add autocomplete suggestions for search forms created with the Search API module. The module doesn't sufficiently sanitize the HTML output for the returned suggestions, theoretically allowing an attacker to include custom HTML there. This vulnerability is mitigated by t...
Workbench Email - Moderately Critical - Access bypass - DRUPAL-SA-CONTRIB-2015-139
Workbench Email module provides a way for administrators to define email transitions and configurable email subject / messages between those transitions. The module causes node and field validations to be skipped when saving nodes. The vulnerability is mitigated by the fact that an attacker must...
Ctools - Critical - Multiple Vulnerabilities - SA-CONTRIB-2015-141
Cross Site Scripting (XSS): Ctools in Drupal 6 provides a number of APIs and extensions for Drupal, and is a dependency for many of the most popular modules, including Views, Panels and Entityreference. Many features introduced in Drupal Core once lived in ctools. This vulnerability can be mitigated...
Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003
This security advisory fixes multiple vulnerabilities. See below for a list. Cross-site Scripting - Ajax system - Drupal 7: A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by invoking Drupal.ajax on a whitelisted HTML element. This vulnerability is...
Commerce Commonwealth (CBA) - Moderately Critical - Insufficient Verification of API Data - SA-CONTRIB-2015-136
This module enables you to pay for items on Drupal Commerce using the Commerce Commonwealth payment gateway. The module doesn't sufficiently validate the payment under certain specific scenarios. A malicious user can modify the URLs used in gateway interaction with Commbank to make a failed payment...
Quick Edit - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-137
This module enables you to edit entities' fields in place. The module doesn't sufficiently filter entity titles in the scenario where the user starts in-place editing of an entity. The module also doesn't sufficiently filter node titles in the scenario where a node is displayed, albeit only on...
Compass Rose - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-138
Compass Rose module provides a type of CCK field that allows you to represent the most common orientations (North, North-East, East, South-East, South, South-West, West and North-West). The module was embedding a JavaScript library from an external source that was not reliable, thereby exposing the sit...
Time Tracker - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-135
This module enables you to track time on entities and comments. The module doesn't sufficiently filter notes added to time entries, leading to an XSS/JavaScript injection vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Add Time...
OSF for Drupal - Critical - Multiple vulnerabilities - SA-CONTRIB-2015-134
The Open Semantic Framework (OSF) for Drupal is a middleware layer that allows structured data (RDF) and associated vocabularies (ontologies) to "drive" tailored tools and data displays within Drupal. The module is vulnerable to reflected Cross Site Scripting (XSS) because it did not sufficiently filter...
Path Breadcrumbs - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-133
This module enables you to configure breadcrumbs for any Drupal page. The module didn't sufficiently filter user input values in the administration interface. This vulnerability was mitigated by the fact that an attacker must have a role with the permission "Administer Path Breadcrumbs". CVE...
Administration Views - Critical - Information Disclosure - SA-CONTRIB-2015-132
Administration Views module replaces overview/listing pages with actual views for superior usability. The module does not check access properly under certain circumstances. Anonymous users could get access to read information they should not have access to. CVE identifiers issued: CVE-2015-7226...
Views Bulk Operations - Moderately critical - Access Bypass - SA-CONTRIB-2015-131
The Views Bulk Operations module enables you to add bulk operations to administration views, executing actions on multiple selected rows. The module doesn't sufficiently guard user entities against unauthorized modification. If a user has access to a user account listing view with VBO enabled suc...
Migrate - Less critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-130
This module enables you to manage migration processes through the administrative UI. The module doesn't sufficiently sanitize destination field labels, thereby exposing a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with...
me aliases - Moderately Critical - Access Bypass - SA-CONTRIB-2015-128
'me aliases' module provides shortcut paths to the current user's pages, e.g. user/me, blog/me, user/me/edit, tracker/me etc. The view user argument handler for the 'me' module has an access bypass vulnerability where it does not check the supplied argument against the current user. This allows any use...
Shibboleth authentication - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-129
Shibboleth authentication module allows users to log in and get permissions based on federated SAML2 authentication. The module didn't filter the text that is displayed as a login link. This vulnerability was mitigated by the fact that an attacker must have a role with the permission Administer...
HybridAuth Social Login - Less Critical - Access bypass - SA-CONTRIB-2015-127
The HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter. The module allows account creation through social login when the configuration is set to allow user registration by...
Inline Entity Form - Less critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-120
The Inline Entity Form module provides a field widget for inline management (creation, modification, removal) of referenced entities. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that ...
Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-002
Impersonation - OpenID module - Drupal 6 and 7 - Critical: A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts. This vulnerability is mitigated by the fact that the victim must have an...
The eXtensible Catalog (XC) Drupal Toolkit - Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-121
The eXtensible Catalog Drupal Toolkit is a set of Drupal modules to harvest records of the XC Schema format from a Metadata Services Toolkit (MST). The XC NCIP Provider module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with "administer ncip providers"...
HTTP Strict Transport Security - Moderately Critical - Logical Error - SA-CONTRIB-2015-118
The contributed HSTS module makes it easy for site administrators to implement HTTP Strict Transport Security (HSTS) by setting the Strict-Transport-Security header on each page generated by Drupal. The HSTS module provides a configuration UI for the HSTS "include subdomains" directive, which indicates...
Content Construction Kit (CCK) - Less Critical - Open Redirect - SA-CONTRIB-2015-126
The Content Construction Kit (CCK) project is a set of modules that allows you to add custom fields to nodes using a web browser. CCK uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain...
LABjs - Less Critical - Open Redirect - SA-CONTRIB-2015-124
The LABjs module integrates LABjs with Drupal for web performance optimization. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-002). Only sites with the Overlay module enabled are vulnerable. CVE...
Acquia Cloud Site Factory Connector - Less Critical - Open Redirect - SA-CONTRIB-2015-125
Acquia Cloud Site Factory provides an environment and a robust set of tools that simplify management of many Drupal sites, allowing you to quickly deliver and manage any number of websites. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an ope...
jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-123
The jQuery Update module enables you to update jQuery on your site. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack (see SA-CORE-2015-002). Only sites with the Overlay module enabled are vulnerable. CVE identifiers issued...
Apache Solr Real-Time - Critical - Access Bypass - SA-CONTRIB-2015-119
This module allows content changes to be committed to Apache Solr in real time. The module doesn't check the status of an entity being indexed, which means that unpublished content will get indexed by Solr and the title and partial content may be exposed to any user who has permission to search si...
Administration Views - Moderately Critical - Access Bypass - SA-CONTRIB-2015-122
This module replaces administrative overview/listing pages with Views for improved usability. When combined with other contributed or custom modules, the Administration Views module improperly grants users access to administration pages including the permissions page. This vulnerability is...
Novalnet Payment Module Ubercart - Critical - SQL Injection - Unsupported - SA-CONTRIB-2015-116
This module enables you to add the Novalnet payment service provider to Ubercart. The module fails to sanitize a database query by not using the database API properly, thereby leading to a SQL Injection vulnerability. Since the affected path is not protected against CSRF, a malicious user can exploi...
Novalnet Payment Module Drupal Commerce - Critical - SQL Injection - Unsupported - SA-CONTRIB-2015-117
This module enables you to add the Novalnet payment service provider to Drupal Commerce. The module fails to sanitize a database query by not using the database API properly, thereby leading to a SQL Injection vulnerability. Since the affected path is not protected against CSRF, a malicious user can...
Chamilo integration - Less Critical - Open Redirect - SA-CONTRIB-2015-115
Chamilo integration module integrates Drupal with Chamilo LMS. The module has an Open Redirect vulnerability: it doesn't sufficiently check parameters passed in the URL. An attacker could trick users into visiting malicious sites without realizing it. CVE identifiers issued: CVE-2015-5503. Versions...
Storage API - Moderately Critical - Access Bypass - SA-CONTRIB-2015-114
The Storage API module creates an underlying agnostic storage layer for Drupal using many different underlying storage methods. Storage API can be used to create fields for entities to hold data. The module failed to restrict access to the Storage API fields attached to entities that are not node...
Shipwire - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-111
The Shipwire API module handles communication with the Shipwire shipping service. The Shipwire module doesn't check view permission for the shipments overview page when installed (admin/shipwire/shipments). Limited non-public information is displayed on the page. CVE identifiers issued: CVE-2015-549...
pass2pdf - Critical - Information Disclosure - Unsupported - SA-CONTRIB-2015-109
This module allows you to let users set a password upon registering, and have the password emailed to the user in a PDF file. The module has an Information Disclosure vulnerability. The generated PDF files are not protected. The user passwords are exposed to anonymous users. CVE identifiers issue...
Web Links - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-110
The Web Links module provides a comprehensive way to manage URL links to other websites. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with permissio...
Mobile sliding menu - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-108
The mobile sliding menu module integrates the mmenu jQuery plugin for creating slick, app look-alike sliding menus for your mobile website. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fa...
Webform Matrix Component - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-107
The Webform Matrix Component module is an extension of the Webform module that adds Matrix and Table components. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must ha...
Dynamic display block - Less Critical - Access bypass - SA-CONTRIB-2015-104
This module enables you to showcase featured content at a prominent place on the front page of the site in an attractive way. The module doesn't sufficiently protect access to content a user has no access to. In certain scenarios a user with the "administer ddblock" permission can see titles of...
Video Consultation - Moderately Critical - Cross Site Scripting (XSS) - Unsupported - SA-CONTRIB-2015-105
Video Consultation module integrates VideoWhisper Video Consultation software with Drupal. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. CVE identifiers issued: CVE-2015-5492. Versions affected: All versions of Video Consultation...