Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2016/02/17 12:0 a.m.15 views

Nodejs - Access bypass - Moderately Critical -- DRUPAL-SA-CONTRIB-2016-007

This module provides an API that other modules can use to add realtime capabilities to Drupal, specifically enabling pushing updates to open connected clients. The module doesn't disconnect unauthenticated sockets, allowing those sockets to receive broadcast messages. For sites that only serve...

7AI score
Exploits0References11
Drupal
Drupal
added 2016/02/17 12:0 a.m.9 views

Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass - DRUPAL-SA-CONTRIB-2016-006

This module enables you to make credit card payments for Drupal Commerce orders via the Authorize.Net payment gateway using either their SIM hosted payment page or DPM direct post method mechanisms. The module doesn't sufficiently protect against the premature triggering of order completion witho...

7AI score
Exploits0References11
Drupal
Drupal
added 2016/02/10 12:0 a.m.14 views

Embedded Media Field - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2016-004

This module enables you to to display video, image, and audio files from various third party providers The module doesn't sufficiently sanitize path arguments under certain scenarios. This vulnerability is mitigated by the fact that an attacker must be able to trick an administrator into visiting...

6.9AI score
Exploits0References11
Drupal
Drupal
added 2016/02/10 12:0 a.m.14 views

CAS - Moderately Critical - Information Disclosure - DRUPAL-SA-CONTRIB-2016-005

This module enables you to use your Drupal site as a client or server for the single sign on protocol CAS. This vulnerability only affects sites that use the "CAS Server" sub module. The module doesn't allow an administrator to restrict which CAS clients are allowed authenticate with the Drupal C...

6.7AI score
Exploits0References14
Drupal
Drupal
added 2016/01/27 12:0 a.m.15 views

Open Atrium - Moderately Critical - Access Bypass - SA-CONTRIB-2016-003

Open Atrium allows you to control access via a hierarchy of public and private spaces and sub-spaces. If a public sub-space is created within a private parent-space, the content nodes of the public sub-space are accessible to users who are not members of the parent private space. This issue only...

7AI score
Exploits0References13
Drupal
Drupal
added 2016/01/13 12:0 a.m.16 views

RedHen CRM - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-002

The Redhen set of modules allows you to build a CRM features in a Drupal site. When rendering individual Contacts, this module does not properly filter the certain data prior to display. When rendering listing of notes or engagement scores, these modules do not properly filter certain data before...

5.4CVSS5.4AI score0.00615EPSS
Exploits0References11
Drupal
Drupal
added 2016/01/06 12:0 a.m.19 views

Field Group - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-001

Field Group module enables you to group fields on entity forms and entity displays. When adding a HTML element as group, the user has the option to add custom HTML attributes on the group. Via this option, a malicious user can embed scripts within the page, resulting in a Cross-site Scripting XSS...

6.1CVSS6AI score0.00619EPSS
Exploits0References10
Drupal
Drupal
added 2015/12/16 12:0 a.m.12 views

Open Atrium - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-174

Open Atrium distribution enables you to create an intranet. Open Atrium Core module doesn't sufficiently sanitize some user supplied text, leading to a reflected Cross Site Scripting vulnerability XSS. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordanc...

6.7AI score
Exploits0References16
Drupal
Drupal
added 2015/12/16 12:0 a.m.15 views

Select2 Field Widget - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-173

Select2 Field Widget module enables you to use the select2 library for field widgets. The module doesn't sufficiently sanitize some user supplied text, leading to a reflected Cross Site Scripting vulnerability XSS. CVE identifiers issued ACVE identifier will be requested, and added upon issuance,...

6.7AI score
Exploits0References14
Drupal
Drupal
added 2015/12/16 12:0 a.m.25 views

Values - Critical - Arbitrary PHP code execution - SA-CONTRIB-2015-172

This module enables you to create key|value pairs for use in list fields, webforms etc. The module includes an import page that runs eval on an exported code block ctools, but the permission for the page does not warn about security concerns of importing raw php code like this trusted permission...

9CVSS9.2AI score0.01481EPSS
Exploits0References11
Drupal
Drupal
added 2015/12/16 12:0 a.m.22 views

Block Class - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-175

This module enables you to add custom classes to blocks. The module doesn't sufficiently scrub class names written by a malicious block class administrator. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer block classes". CVE identifier...

5.4CVSS5.2AI score0.01116EPSS
Exploits0References11
Drupal
Drupal
added 2015/12/02 12:0 a.m.17 views

Apache Solr Search - Moderately Critical - Access Bypass - SA-CONTRIB-2015-170

This module enables you to connect to an Apache Solr search server to provide a replacement for Drupal core content search and provide both extra features and better search performance and relevance. The module doesn't correctly check access when attempting to delete non-default search...

7AI score
Exploits0References13
Drupal
Drupal
added 2015/12/02 12:0 a.m.28 views

Chat Room - Moderately Critical - Access Bypass - SA-CONTRIB-2015-169

Chat Room enables site owners to integrate chats into nodes by adding the chat room field to them. The module relies on a websocket connection to send chat messages to the client. The module doesn't sufficiently validate access before setting up the websocket. As a result, users may receive...

5CVSS6.3AI score0.01233EPSS
Exploits0References10
Drupal
Drupal
added 2015/12/02 12:0 a.m.15 views

Mollom - Critical - Access bypass - SA-CONTRIB-2015-168

The Mollom module allows users to protect their website from spam. As part of the spam protection, Mollom enables the website administrator to create a blacklist. When content is submitted that matches terms on the black list it will be automatically marked as spam and rejected per the site...

7.5CVSS7.5AI score0.01291EPSS
Exploits0References10
Drupal
Drupal
added 2015/12/02 12:0 a.m.18 views

Token Insert Entity - Moderately Critical - Access bypass and information disclosure - SA-CONTRIB-2015-171

This module offers a WYSIWYG button to embed rendered entities in fields using a WYSIWYG normally the body of a node. There is a vulnerability because a user that can create or edit content and has the "insert entity token" permission can insert tokens relating to e.g. an unpublished node and all...

3.5CVSS6.4AI score0.00906EPSS
Exploits0References11
Drupal
Drupal
added 2015/12/02 12:0 a.m.16 views

RESTful - Less Critical - Access bypass - SA-CONTRIB-2015-167

RESTful module allows Drupal to be operated via RESTful HTTP requests, using best practices for security, performance, and usability. The module doesn't sufficiently validate some user input. Specific code could be run arbitrarily by an attacker in certain circumstances. This vulnerability is...

7.2AI score
Exploits0References11
Drupal
Drupal
added 2015/11/18 12:0 a.m.17 views

Encrypt - Moderately Critical - Weak Encryption - SA-CONTRIB-2015-166

This module enables you to encrypt data within Drupal using a user-configurable encryption method and key provider. The module did not sufficiently validate good configurations and api usage resulting in multiple potential weaknesses depending on module usage. The default encryption method could...

6.7AI score
Exploits0References12
Drupal
Drupal
added 2015/11/11 12:0 a.m.26 views

UC Profile - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-165

UC Profile module enables you to collect profile fields for users during the checkout process of Ubercart as a checkout pane. The module doesn't sufficiently check access to profiles under certain circumstances. Depending on the information being collected, sensitive data may be exposed. This...

4.3CVSS6.1AI score0.01087EPSS
Exploits0References11
Drupal
Drupal
added 2015/11/11 12:0 a.m.23 views

MAYO theme - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-164

MAYO theme enables you to change certain theme settings via the administration interface. Some theme settings aren't sufficiently sanitized. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes". CVE identifiers issued CVE-2015-8233...

2.6CVSS6.4AI score0.01316EPSS
Exploits0References10
Drupal
Drupal
added 2015/11/04 12:0 a.m.14 views

Monster Menus - Access Bypass - Moderately Critical - SA-CONTRIB-2015-163

Monster Menus is a hierarchical menu tree, which provides highly scalable, granular permissions for all pages within a site. The module includes an option to remove nodes from view add them to a "recycle bin" rather than deleting them outright. When a node has been put into a bin using an affecte...

5CVSS6.2AI score0.01196EPSS
Exploits0References9
Drupal
Drupal
added 2015/11/04 12:0 a.m.25 views

Login Disable - Access Bypass - Moderately Critical - SA-CONTRIB-2015-162

This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page. The Login Disable module doesn't support other contributed user authentication modules like CAS or URL Login. When combined with...

7.5CVSS6.4AI score0.01645EPSS
Exploits0References8
Drupal
Drupal
added 2015/10/28 12:0 a.m.18 views

Field as Block - Less Critical - Information Disclosure - SA-CONTRIB-2015-161

This module enables you to take a field from the current entity and place it elsewhere as a block. The module caches the block output in a manner that could allow sensitive content to be seen by visitors who should not see it. The problem will only occur when other modules alter field output base...

5CVSS6.2AI score0.01196EPSS
Exploits0References11
Drupal
Drupal
added 2015/10/21 12:0 a.m.26 views

LABjs - Less Critical - Open Redirect - SA-CONTRIB-2015-159

The LABjs module integrates LABjs with Drupal for web performance optimization. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack see SA-CORE-2015-004. Only sites with the Overlay module enabled are vulnerable. An incomple...

6.1CVSS6.1AI score0.01774EPSS
Exploits0References14
Drupal
Drupal
added 2015/10/21 12:0 a.m.648 views

Drupal Core - Overlay - Less Critical - Open Redirect - SA-CORE-2015-004

The Overlay module in Drupal core displays administrative pages as a layer over the current page using JavaScript, rather than replacing the page in the browser window. The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect...

6.1CVSS6AI score0.01774EPSS
Exploits0References11
Drupal
Drupal
added 2015/10/21 12:0 a.m.16 views

Webform CiviCRM Integration - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-160

Webform CiviCRM Integration allows you to add CiviCRM fields to a Drupal Webform. The module doesn't sufficiently escape user input. Some of the vulnerabilities are mitigated by the fact that an attacker must have a role with the permission to edit the webform node plus "access CiviCRM" to define...

7.2AI score
Exploits0References13
Drupal
Drupal
added 2015/10/21 12:0 a.m.27 views

jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-158

The jQuery Update module enables you to update jQuery on your site. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack see SA-CORE-2015-004. Only sites with the Overlay module enabled are vulnerable. An incomplete fix for...

6.1CVSS6.1AI score0.01774EPSS
Exploits0References13
Drupal
Drupal
added 2015/10/14 12:0 a.m.12 views

Twilio - Moderately Critical - Access bypass - SA-CONTRIB-2015-157

This module provides hooks and rules integration to leverage the Twilio API to send/receive phone calls and text messages. The module relies on existing permissions for providing administration which can lead to untrusted users having access to perform actions that may not be intended. This...

6.9AI score
Exploits0References13
Drupal
Drupal
added 2015/10/07 12:0 a.m.16 views

Stickynote - Cross Site Scripting (XSS) - Moderately Critical - SA-CONTRIB-2015-154

This module enables you to create notes on a page inside a block. The module doesn't sufficiently sanitize the note text on the admin listing page. This vulnerability is mitigated by the fact that an attacker must have a role with a permission to create or edit a stickynote. CVE identifiers issue...

5.4CVSS5.4AI score0.00887EPSS
Exploits0References10
Drupal
Drupal
added 2015/10/07 12:0 a.m.26 views

Entity Registration - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-155

This module enables you to manage registrations for events. The module doesn't sufficiently protect information about who is registered to attend specific events when anonymous users are granted a permission that is commonly recommended when allowing anonymous registrations. This vulnerability is...

4.3CVSS4.5AI score0.01392EPSS
Exploits0References11
Drupal
Drupal
added 2015/10/07 12:0 a.m.21 views

Colorbox - Access bypass - Less Critical - SA-CONTRIB-2015-156

This module allows for integration of Colorbox, a jQuery lightbox plugin, into Drupal. The module allows unprivileged users to add unexpected content to a Colorbox, including content from external sites. This allows an unprivileged user to deface a site. This vulnerability is mitigated by the fac...

3.5CVSS6.2AI score0.00866EPSS
Exploits0References10
Drupal
Drupal
added 2015/09/30 12:0 a.m.17 views

Taxonomy Find - Unsupported - SA-CONTRIB-2015-153

This module enables you to add a simple search interface to lookup taxonomy terms by name. The module doesn't sufficiently sanitize output of taxonomy vocabulary names and term names. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer...

5.4CVSS5.4AI score0.00609EPSS
Exploits0References9
Drupal
Drupal
added 2015/09/30 12:0 a.m.16 views

User Dashboard - SQL Injection - Critical - SA-CONTRIB-2015-152

Module contains SQL Injection vulnerabilities. CVE identifiers issued CVE-2015-7877 Versions affected userdashboard 7.x versions prior to 7.x-1.4 Drupal core is not affected. If you do not use the contributed UserDashboard module, there is nothing you need to do. Solution Install the latest...

9.8CVSS10AI score0.01349EPSS
Exploits0References10
Drupal
Drupal
added 2015/09/16 12:0 a.m.29 views

Scald - Moderately Critical - Information Disclosure - SA-CONTRIB-2015-151

This module enables you to easily manage your media assets and re-use them in all your content. The module provided a "debug" context that gave access to all the atom properties, including all the fields attached to this atom, without applying the corresponding field restrictions. This...

5CVSS6.3AI score0.01196EPSS
Exploits0References10
Drupal
Drupal
added 2015/09/16 12:0 a.m.18 views

amoCRM - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2015-149

This module enables you to integrate with amoCRM service using webhooks. The module does not sufficiently sanitize the logged data when malicious POST data is received. This vulnerability is mitigated by the fact that a module such "Database logging" dblog must be enabled which displays log...

2.6CVSS6.2AI score0.00913EPSS
Exploits0References10
Drupal
Drupal
added 2015/09/16 12:0 a.m.19 views

CMS Updater - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2015-150

CMS Updater allows to update Drupal core automatically with a subscription service. Access bypass The module does not sufficiently protect the settings page allowing any user with the permission "access administration pages" to change settings. This vulnerability is mitigated by the fact that an...

4.9CVSS5.4AI score0.0095EPSS
Exploits0References10
Drupal
Drupal
added 2015/09/16 12:0 a.m.30 views

Drupal 7 driver for SQL Server and SQL Azure - Moderately Critical - SQL Injection - SA-CONTRIB-2015-148

Drupal 7 driver for SQL Server and SQL Azure module has a SQL injection vulnerability. Certain characters aren't properly escaped by the Drupal database API. A malicious user may be able to access restricted information by performing a specially-crafted search. Only sites that use contrib or cust...

7.5CVSS7AI score0.02482EPSS
Exploits0References11
Drupal
Drupal
added 2015/09/09 12:0 a.m.17 views

RESTful - Moderately Critical - Access bypass - SA-CONTRIB-2015-147

This module enables you to expose your Drupal backend by generating a RESTful API. The module doesn't sufficiently account for core's page cache generation for anonymous users, when using non-cookie authentication providers. Authenticated users, via one of the authentication providers, can have...

5CVSS6.4AI score0.01276EPSS
Exploits0References10
Drupal
Drupal
added 2015/09/09 12:0 a.m.20 views

Twitter - Moderately Critical - Access bypass - SA-CONTRIB-2015-146

This module enables you to pull in public tweets from Twitter accounts, post messages to Twitter to announce content changes, and authenticate using Twitter. The module doesn't sufficiently check for access when using the Twitter Post submodule to post messages to Twitter and allows a tweet to be...

3.5CVSS6.2AI score0.00981EPSS
Exploits0References22
Drupal
Drupal
added 2015/09/02 12:0 a.m.24 views

Zendesk Feedback Tab - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-143

This module enables you to easily integrate the Zendesk Support Tab on your Drupal website. The module allows Javascript code to be embedded via its administration interface, allowing for the potential of cross-site scripting attacks. The module did not properly indicate that site administrators...

2.6CVSS5.9AI score0.0075EPSS
Exploits0References10
Drupal
Drupal
added 2015/09/02 12:0 a.m.17 views

Fieldable Panels Panes - Less Critical - Access bypass - SA-CONTRIB-2015-145

Fieldable Panels Panes enables you to create custom panes for embedding in Panels-based displays Page Manager, Panelizer, Panels Everywhere via a fieldable custom entity type. The module doesn't sufficiently check for permission to edit existing Fieldable Panels Panes entities, thus allowing...

3.5CVSS6.3AI score0.00787EPSS
Exploits0References11
Drupal
Drupal
added 2015/09/02 12:0 a.m.24 views

Mass Contact - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-144

This module allows anyone with permission to send a single message to multiple users of a site, using the site's roles and/or taxonomy functionality. The module doesn't sufficiently sanitize the category labels when they are displayed. This vulnerability is mitigated by the fact that an attacker...

2.1CVSS6.3AI score0.00949EPSS
Exploits0References10
Drupal
Drupal
added 2015/09/01 12:0 a.m.26 views

Spotlight - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2015-142

The Spotlight module provides a tool that mimics Mac OS X Spotlight functionality. It provides faster access to content, paths and uploaded files. The module doesn't sufficiently sanitize node titles when displayed in results. This vulnerability is mitigated by the fact that an attacker must have...

3.5CVSS6.3AI score0.00774EPSS
Exploits0References9
Drupal
Drupal
added 2015/08/19 12:0 a.m.33 views

Search API Autocomplete - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-140

This module enables you to add autocomplete suggestions for search forms created with the Search API module. The module doesn't sufficiently sanitize the HTML output for the returned suggestions, theoretically allowing an attacker to include custom HTML there. This vulnerability is mitigated by t...

2.1CVSS6.2AI score0.00744EPSS
Exploits0References10
Drupal
Drupal
added 2015/08/19 12:0 a.m.35 views

Ctools - Critical - Multiple Vulnerabilities - SA-CONTRIB-2015-141

Cross Site Scripting XSS Ctools in Drupal 6 provides a number of APIs and extensions for Drupal, and is a dependency for many of the most popular modules, including Views, Panels and Entityreference. Many features introduced in Drupal Core once lived in ctools. This vulnerability can be mitigated...

7.5CVSS7.3AI score0.02689EPSS
Exploits0References18
Drupal
Drupal
added 2015/08/19 12:0 a.m.26 views

Workbench Email - Moderately Critical - Access bypass - DRUPAL-SA-CONTRIB-2015-139

Workbench Email module provides a way for administrators to define email transitions and configurable email subject / messages between those transitions. The module causes node and field validations to be skipped when saving nodes. The vulnerability is mitigated by the fact that an attacker must...

3.5CVSS6.4AI score0.00914EPSS
Exploits0References10
Drupal
Drupal
added 2015/08/19 12:0 a.m.658 views

Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-003

This security advisory fixes multiple vulnerabilities. See below for a list. Cross-site Scripting - Ajax system - Drupal 7 A vulnerability was found that allows a malicious user to perform a cross-site scripting attack by invoking Drupal.ajax on a whitelisted HTML element. This vulnerability is...

7.5CVSS7.7AI score0.0506EPSS
Exploits0References37
Drupal
Drupal
added 2015/08/05 12:0 a.m.29 views

Commerce Commonwealth (CBA) - Moderately Critical - Insufficient Verification of API Data - SA-CONTRIB-2015-136

This module enables you to pay for items on Drupal Commerce, using Commerce Commonwealth payment gateway. The module doesn't sufficiently validate the payment under certain specific scenarios. A malicious user can modify the urls used in gateway interaction with Commbank to make a failed payment...

5CVSS6.3AI score0.01054EPSS
Exploits0References10
Drupal
Drupal
added 2015/08/05 12:0 a.m.14 views

Quick Edit - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-137

This module enables you to in-place edit entities' fields. The module doesn't sufficiently filter entity titles under the scenario where the user starts in-place editing an entity. The module also doesn't sufficiently filter node titles under the scenario where a node is displayed albeit only on...

3.5CVSS6.3AI score0.00774EPSS
Exploits0References11
Drupal
Drupal
added 2015/08/05 12:0 a.m.17 views

Compass Rose - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-138

Compass Rose module provides a type of CCK field that allows to represent the most common orientations North, North-East, East, South-East, South, South-West, West and North-West. The module was embedding a JavaScript library from an external source that was not reliable, thereby exposing the sit...

6.1CVSS6.1AI score0.01271EPSS
Exploits0References10
Drupal
Drupal
added 2015/07/22 12:0 a.m.18 views

Time Tracker - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-135

This module enables you to track time on entities and comments. The module doesn't sufficiently filter notes added to time entries, leading to an XSS/JavaScript injection vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Add Time...

3.5CVSS6.7AI score0.01412EPSS
Exploits0References9
Total number of security vulnerabilities1940