Entityform Block - Moderately Critical - Access Bypass - SA-CONTRIB-2015-106
This module enables you to display an entityform as a block. The module doesn't sufficiently check permissions on the entityform under scenarios where the form is locked to a certain role. CVE identifiers issued CVE-2015-5493 Versions affected Entityform Block 7.x-1.x versions prior to 7.x-1.3...
Camtasia Relay - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-100
This module enables you to integrate your Drupal site with TechSmith Relay software. The module doesn't sufficiently sanitize user input under the meta access tab. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "view meta information". CVE...
Views - Critical - Access Bypass - SA-CONTRIB-2015-103
The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. Access bypass due to cache inconsistency: due to an issue in the caching mechanism of Views it's possible that configured filters lose...
Smart Trim - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-102
This module implements a new field formatter for textfields (text, textlong, and textwithsummary, if you want to get technical) that improves upon the "Summary or Trimmed" formatter built into Drupal 7. The module doesn't sufficiently filter user input via the field settings form. This vulnerabilit...
MailChimp - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-101
The MailChimp module allows you to create and manage mailing lists via MailChimp's API. The MailChimp Signup submodule does not properly sanitize some user input, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS vulnerability. This vulnerability is...
Keyword Research - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-098
Keyword Research module enables you to tag and prioritize keywords on a site and node level basis. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause another user with "kwresearch admin site keywords" permission to create, delete and set priorities to...
HybridAuth Social Login - Less Critical - Information Disclosure - SA-CONTRIB-2015-097
HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter. The module may store user passwords in plain text. This vulnerability is mitigated by the fact that the option "Ask user for...
Node Template - Moderately Critical - Cross Site Request Forgery (CSRF) - Unsupported - SA-CONTRIB-2015-099
Node Template module enables you to define any node as a node template and it can be duplicated later. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with "access node template" permission to delete node templates by getting their browser to make...
Services - Critical - Multiple Vulnerabilities - SA-CONTRIB-2015-096
Services module enables you to expose an API to third party systems. Access bypass (file upload and execution): the resource/endpoint for uploading files does not properly sanitize the filename of uploaded files. This vulnerability is mitigated by the fact that the "File Create" resource must be...
Display Suite - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-095
Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. In certain situations, Display Suite does not properly sanitize some of the output, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS...
CiviCRM private report - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-094
CiviCRM private report module enables users to create their own private copies of CiviCRM reports, which they can modify and save to meet their needs without requiring the "Administer reports" permission. The module doesn't sufficiently protect some links against CSRF. A malicious user can cause...
EntityBulkDelete - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-089
EntityBulkDelete module allows you to delete entities in bulk using the Batch API. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must be...
Imagefield Info - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-088
Imagefield Info module enables you to view image field paths so you can easily use them with a WYSIWYG editor. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fa...
User Import - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-093
This module enables the import of users into Drupal, or the update of existing users, with data from a CSV (comma separated) file. Some management URLs were not properly protected. A malicious user could trick an administrator into continuing or deleting an ongoing import by getting them to...
Password Policy - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-090
The Password Policy module allows enforcing restrictions on user passwords by defining password policies. The module doesn't sufficiently sanitize usernames in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that only...
Current Search Links - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-091
Current Search Links module is an extension to the Facet API Current Search Blocks module. Instead of just showing the current search it turns the current search keywords into links that you can drop from the search. The module doesn't sufficiently sanitize the entered search query, thereby...
Open Graph Importer - Moderately Critical - Access bypass - Unsupported - SA-CONTRIB-2015-092
This module enables you to import content from a web page by scraping its Open Graph data. The module doesn't sufficiently check for "create" permission to the content type that is configured as the destination for imported content, thus allowing a user with the "import ogtagimporter" permission ...
Petition - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-081
The Petition module enables you to create petitions which users may sign. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role...
Ubercart Webform Checkout Pane - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-087
Ubercart Webform Checkout Pane module allows you to define Webform nodes as checkout/order panes in Ubercart. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an...
Invoice - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2015-085
Invoice module allows you to create invoices in Drupal. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. Additionally, some URLs were not protected against CSRF. A malicious user can cause another user to create,...
Webform Multiple File Upload - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-083
Webform Multiple File Upload module enables you to upload multiple files at once in webforms. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with edit access to webforms to delete files by getting their browser to make a request to a...
Linear Case - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-084
Linear Case module allows you to organize Closed Question documents in case studies. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user with...
Crumbs - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-082
This module enables you to add navigation to your webpages colloquially referred to as "breadcrumbs". The module doesn't sufficiently sanitize custom HTML separators for breadcrumbs, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacke...
Decisions - Moderately Critical - Cross Site Request Forgery (CSRF) - Unsupported - SA-CONTRIB-2015-086
Decisions module is a replacement for the Poll module and provides advanced voting systems and decision-making tools. The module doesn't sufficiently protect some links against CSRF. A malicious user can cause another user to remove individual voters by getting their browser to make a request to ...
SA-CONTRIB-2015-080 - Profile2 Privacy - Cross Site Scripting (XSS)
Profile2 Privacy module enables you to show or hide parts of a profile2 entity based on pre-configured field sets with a title and description. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is...
SA-CONTRIB-2015-078 - Webform - Cross Site Scripting (XSS)
Webform is the module for making surveys, petitions, contests, personalized contact forms, and the like in Drupal. The module doesn't sufficiently sanitize component names when components are used to determine the e-mail addresses that may be sent upon webform submission. This vulnerability is...
SA-CONTRIB-2015-079 - Chaos tool suite (ctools) - Multiple vulnerabilities
This module provides a set of APIs and tools to improve the developer experience. Access bypass in autocomplete (Drupal 7 only): among many other things, CTools provides an autocomplete callback for finding entities by their titles or ID. In CTools version 1.5, additional checks were created t...
Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2015-001
Access bypass (password reset URLs, Drupal 6 and 7): password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password. In Drupal 7, this vulnerability is mitigated by the fact that it can only be...
SA-CONTRIB-2015-076 - Image Title - Cross Site Scripting (XSS)
Image Title module allows you to upload an image and use it as a node title. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must be allowed to create/edit...
SA-CONTRIB-2015-077 - OG tabs - Cross Site Scripting (XSS)
OG Tabs module provides a secondary menu with links to nodes of the same OG group. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission t...
SA-CONTRIB-2015-074 - Site Documentation - Cross Site Scripting (XSS)
Site Documentation module enables you to display detailed configuration information. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user with...
SA-CONTRIB-2015-075 - Perfecto - Open Redirect
The Perfecto module allows themers to accurately calibrate the CSS by floating compositions over the page. The module doesn't sufficiently check user supplied URLs in parameters used for page redirection. An attacker could trick users into visiting malicious sites without realizing it. CVE identifiers...
SA-CONTRIB-2015-072 - Commerce Ogone - Access bypass
This module enables you to use Ogone (Ingenico) as a payment method for Drupal Commerce. Malicious users can trick Commerce Ogone into proceeding with the checkout process without actually going through the Ogone payment process, causing the order status to be set to checkout complete, even though ...
SA-CONTRIB-2015-064 - Ubercart Discount Coupons - Cross Site Scripting (XSS)
Ubercart Discount Coupons module provides discount coupons for Ubercart stores. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. The vulnerability is mitigated by the fact that an attacker must have a...
SA-CONTRIB-2015-065 - Registration codes - Multiple vulnerabilities
Registration codes module allows new account registrations only for users who provide a valid registration code. The module was not properly sanitizing user supplied text in some pages, thereby exposing XSS vulnerabilities. Additionally, some URLs were not protected against CSRF, a malicious user...
SA-CONTRIB-2015-071 - Simple Subscription - Cross Site Scripting (XSS)
This module enables you to add a block to allow visitors to subscribe to a site's newsletter. The module failed to sanitize some block content, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...
SA-CONTRIB-2015-069 - Taxonomy Accordion - Cross Site Scripting (XSS) - Unsupported
Taxonomy Accordion module creates a block for each taxonomy vocabulary. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user allowed to...
SA-CONTRIB-2015-070 - Mover - Cross Site Scripting (XSS) - Unsupported
The Mover modules provide the ability to move content between Drupal sites. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to...
SA-CONTRIB-2015-068 - Campaign Monitor - Cross Site Request Forgery (CSRF)
Campaign Monitor module integrates the Campaign Monitor API into Drupal. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause another user to enable and disable list subscriptions by getting their browser to make a request to a specially-crafted URL. CVE...
SA-CONTRIB-2015-066 - Tracking Code - Cross Site Request Forgery (CSRF)
Tracking Code module allows you to create tracking code snippets and control their visibility. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to disable tracking codes by getting their browser to make a request to a specially-crafted UR...
SA-CONTRIB-2015-067 - Finder - Open Redirect
Finder module allows you to create flexible faceted search forms to find entities such as nodes or users based on the values of fields and database attributes. The provided function finderformgoto is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the...
SA-CONTRIB-2015-073 - Trick Question - Cross Site Scripting (XSS)
The Trick Question is a CAPTCHA-type spam prevention module; a lightweight, compact and simple alternative to larger and more complex modules. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. The vulnerability is...
SA-CONTRIB-2015-063 - Webform - Cross Site Scripting (XSS)
Webform enables you to create surveys, personalized contact forms, contests, and the like. Cross Site Scripting related to webform submissions: the module doesn't sufficiently escape user data presented to administrative users in the webform results table. This issue affects the 7.x-4.x branch onl...
SA-CONTRIB-2015-057 - Spider Contacts - Multiple vulnerabilities - Unsupported
Spider Contacts module provides a user-friendly way to manage and display contacts. The module doesn't use Drupal's Database API properly, not sanitizing user input on SQL queries and thereby exposing a SQL Injection vulnerability. This vulnerability is mitigated by the fact that the attacker mus...
SA-CONTRIB-2015-055 - Services single sign-on server helper - Open Redirect - Unsupported
Services single sign-on server helper module provides functionality to facilitate account information editing on a remote SSO site. The module doesn't validate some user supplied URLs in parameters used for page redirection. An attacker could trick users into visiting malicious sites without realizing...
SA-CONTRIB-2015-062 - Watchdog Aggregator - Cross Site Request Forgery (CSRF) - Unsupported
Watchdog Aggregator collects watchdog messages from external sites. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to enable and disable monitoring sites by getting their browser to make a request to a specially-crafted URL. CVE...
SA-CONTRIB-2015-056 - inLinks Integration - Cross Site Scripting (XSS) - Unsupported
inLinks Integration module enables you to use the inLinks product from the Text Link Ads third-party service. The module doesn't sufficiently sanitize user input in some path arguments, thereby exposing a Cross Site Scripting vulnerability. CVE identifiers issued CVE-2015-4347 Versions affected All...
SA-CONTRIB-2015-054 - SMS Framework - Cross Site Scripting (XSS)
SMS Framework module enables you to send and receive SMS messages from and into Drupal. The module doesn't sufficiently sanitize user supplied text in message previews, thereby exposing a reflected Cross Site Scripting vulnerability. An attacker could exploit this vulnerability by getting the...
SA-CONTRIB-2015-060 - Custom Sitemap - Cross Site Request Forgery (CSRF) - Unsupported
The Custom Sitemap module enables you to add custom sitemaps to a site. The module doesn't sufficiently protect some URLs against CSRF. A malicious user could trick an administrator into deleting sitemaps by getting their browser to make a request to a specially-crafted URL. CVE identifiers issue...
SA-CONTRIB-2015-058 - Spider Catalog - Cross Site Request Forgery (CSRF) - Unsupported
Spider Catalog module enables you to build product catalogs. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to delete products, ratings and categories by getting their browser to make a request to a specially-crafted URL. CVE identifier...