Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2015/07/22 12:0 a.m.36 views

OSF for Drupal - Critical - Multiple vulnerabilities - SA-CONTRIB-2015-134

The Open Semantic Framework OSF for Drupal is a middleware layer that allows structured data RDF and associated vocabularies ontologies to "drive" tailored tools and data displays within Drupal. The module is vulnerable to reflected Cross Site Scripting XSS because it did not sufficiently filter...

5.1CVSS5.5AI score0.02003EPSS
Exploits0References9
Drupal
Drupal
added 2015/07/15 12:0 a.m.27 views

Path Breadcrumbs - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-133

This module enables you to configure breadcrumbs for any Drupal page. The module didn't sufficiently filter user input values the in administration interface. This vulnerability was mitigated by the fact that an attacker must have a role with the permission "Administer Path Breadcrumbs". CVE...

2.1CVSS6.3AI score0.00744EPSS
Exploits0References10
Drupal
Drupal
added 2015/07/08 12:0 a.m.14 views

Administration Views - Critical - Information Disclosure - SA-CONTRIB-2015-132

Administration Views module replaces overview/listing pages with actual views for superior usability. The module does not check access properly under certain circumstances. Anonymous users could get access to read information they should not have access to. CVE identifiers issued CVE-2015-7226...

5CVSS6AI score0.02087EPSS
Exploits0References11
Drupal
Drupal
added 2015/07/01 12:0 a.m.16 views

Views Bulk Operations - Moderately critical - Access Bypass - SA-CONTRIB-2015-131

The Views Bulk Operations module enables you to add bulk operations to administration views, executing actions on multiple selected rows. The module doesn't sufficiently guard user entities against unauthorized modification. If a user has access to a user account listing view with VBO enabled suc...

4.9CVSS6.3AI score0.01088EPSS
Exploits0References10
Drupal
Drupal
added 2015/07/01 12:0 a.m.19 views

Migrate - Less critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-130

This module enables you to manage migration processes through the administrative UI. The module doesn't sufficiently sanitize destination field labels thereby exposing a Cross Site Scripting vulnerability XSS. This vulnerability is mitigated by the fact that an attacker must have a role with...

2.6CVSS6AI score0.01165EPSS
Exploits0References11
Drupal
Drupal
added 2015/06/24 12:0 a.m.27 views

Shibboleth authentication - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-129

Shibboleth authentication module allows users to log in and get permissions based on federated SAML2 authentication. The module didn't filter the text that is displayed as a login link. This vulnerability was mitigated by the fact that an attacker must have a role with the permission Administer...

2.1CVSS6.5AI score0.00996EPSS
Exploits0References10
Drupal
Drupal
added 2015/06/24 12:0 a.m.21 views

me aliases - Moderately Critical - Access Bypass - SA-CONTRIB-2015-128

'me aliases' module provides shortcut paths to current user's pages, eg user/me, blog/me, user/me/edit, tracker/me etc. The view user argument handler for the 'me' module has an access bypass vulnerability where it does not check the supplied argument against the current user. This allows any use...

5CVSS6.3AI score0.02153EPSS
Exploits0References10
Drupal
Drupal
added 2015/06/24 12:0 a.m.24 views

HybridAuth Social Login - Less Critical - Access bypass - SA-CONTRIB-2015-127

The HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter. The module allows account creation through social login when the configuration is set to allow user registration by...

5CVSS6.1AI score0.02112EPSS
Exploits0References10
Drupal
Drupal
added 2015/06/17 12:0 a.m.25 views

Content Construction Kit (CCK) - Less Critical - Open Redirect - SA-CONTRIB-2015-126

The Content Construction Kit CCK project is a set of modules that allows you to add custom fields to nodes using a web browser. CCK uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain...

5.8CVSS6.3AI score0.01204EPSS
Exploits0References12
Drupal
Drupal
added 2015/06/17 12:0 a.m.31 views

Apache Solr Real-Time - Critical - Access Bypass - SA-CONTRIB-2015-119

This module allows content-changes to be committed to Apache Solr in real-time. The module doesn't check the status of an entity being indexed which means that unpublished content will get indexed by Solr and the title and partial content may be exposed to any user who has permission to search si...

5CVSS6.1AI score0.01396EPSS
Exploits0References11
Drupal
Drupal
added 2015/06/17 12:0 a.m.650 views

Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-002

Impersonation OpenID module - Drupal 6 and 7 - Critical A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts. This vulnerability is mitigated by the fact that the victim must have an...

5.8CVSS6.1AI score0.02763EPSS
Exploits0References26
Drupal
Drupal
added 2015/06/17 12:0 a.m.46 views

LABjs - Less Critical - Open Redirect - SA-CONTRIB-2015-124

The LABjs module integrates LABjs with Drupal for web performance optimization. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack see SA-CORE-2015-002. Only sites with the Overlay module enabled are vulnerable. CVE...

5.8CVSS6AI score0.02763EPSS
Exploits0References13
Drupal
Drupal
added 2015/06/17 12:0 a.m.25 views

Acquia Cloud Site Factory Connector - Less Critical - Open Redirect - SA-CONTRIB-2015-125

Acquia Cloud Site Factory provides an environment and a robust set of tools that simplify management of many Drupal sites, allowing you to quickly deliver and manage any number of websites. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an ope...

5.8CVSS6AI score0.02763EPSS
Exploits0References13
Drupal
Drupal
added 2015/06/17 12:0 a.m.25 views

HTTP Strict Transport Security - Moderately Critical - Logical Error - SA-CONTRIB-2015-118

The contributed HSTS module makes it easy for site administrators to implement HTTP Strict Transport Security HSTS by setting the Strict-Transport-Security header on each page generated by Drupal. HSTS module provides a configuration UI for the HSTS "include subdomains" directive, which indicates...

6.8CVSS9.4AI score0.01622EPSS
Exploits0References9
Drupal
Drupal
added 2015/06/17 12:0 a.m.25 views

jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-123

The jQuery Update module enables you to update jQuery on your site. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack see SA-CORE-2015-002. Only sites with the Overlay module enabled are vulnerable. CVE identifiers issued...

5.8CVSS6AI score0.02763EPSS
Exploits0References13
Drupal
Drupal
added 2015/06/17 12:0 a.m.16 views

The eXtensible Catalog (XC) Drupal Toolkit - Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-121

The eXtensible Catalog Drupal Toolkit is a set of Drupal modules to harvest records of the XC Schema format from a Metadata Services Toolkit MST. The XC NCIP Provider module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with "administer ncip providers"...

5.1CVSS6.3AI score0.00756EPSS
Exploits0References9
Drupal
Drupal
added 2015/06/17 12:0 a.m.24 views

Administration Views - Moderately Critical - Access Bypass - SA-CONTRIB-2015-122

This module replaces administrative overview/listing pages with Views for improved usability. When combined with other contributed or custom modules, the Administration Views module improperly grants users access to administration pages including the permissions page. This vulnerability is...

6CVSS6.3AI score0.00911EPSS
Exploits0References11
Drupal
Drupal
added 2015/06/17 12:0 a.m.29 views

Inline Entity Form - Less critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-120

The Inline Entity Form module provides a field widget for inline management creation, modification, removal of referenced entities. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that ...

4.3CVSS6AI score0.01805EPSS
Exploits0References9
Drupal
Drupal
added 2015/06/03 12:0 a.m.14 views

Novalnet Payment Module Ubercart - Critical - SQL Injection - Unsupported - SA-CONTRIB-2015-116

This module enables you add the Novalnet payment service provider to Ubercart. The module fails to sanitize a database query by not using the database API properly, thereby leading to a SQL Injection vulnerability. Since the affected path is not protected against CSRF, a malicious user can exploi...

7.5CVSS7.3AI score0.0196EPSS
Exploits0References8
Drupal
Drupal
added 2015/06/03 12:0 a.m.25 views

Novalnet Payment Module Drupal Commerce - Critical - SQL Injection - Unsupported - SA-CONTRIB-2015-117

This module enables you add the Novalnet payment service provider to Drupal Commerce. The module fails to sanitize a database query by not using the database API properly, thereby leading to a SQL Injection vulnerability. Since the affected path is not protected against CSRF, a malicious user can...

7.5CVSS7.3AI score0.0196EPSS
Exploits0References8
Drupal
Drupal
added 2015/05/27 12:0 a.m.26 views

Chamilo integration - Less Critical - Open Redirect - SA-CONTRIB-2015-115

Chamilo integration module integrates Drupal with Chamilo LMS. The module has an Open Redirect vulnerability, it doesn't sufficiently check passed parameters in the URL. An attacker could trick users to visit malicious sites without realizing it. CVE identifiers issued CVE-2015-5503 Versions...

5.8CVSS6.1AI score0.01204EPSS
Exploits0References10
Drupal
Drupal
added 2015/05/27 12:0 a.m.20 views

Storage API - Moderately Critical - Access Bypass - SA-CONTRIB-2015-114

The Storage API module creates an underlying agnostic storage layer for Drupal using many different underlying storage methods. Storage API can be used to create fields for entities to hold data. The module failed to restrict access to the Storage API fields attached to entities that are not node...

7.5CVSS6.4AI score0.01476EPSS
Exploits0References10
Drupal
Drupal
added 2015/05/20 12:0 a.m.21 views

Web Links - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-110

The Web Links module provides a comprehensive way to manage url links to other websites. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with permissio...

3.5CVSS6AI score0.00965EPSS
Exploits0References13
Drupal
Drupal
added 2015/05/20 12:0 a.m.16 views

pass2pdf - Critical - Information Disclosure - Unsupported - SA-CONTRIB-2015-109

This module allows you to let users set a password upon registering, and have the password emailed to the user in a PDF file. The module has an Information Disclosure vulnerability. The generated PDF files are not protected. The user passwords are exposed to anonymous users. CVE identifiers issue...

5CVSS6.5AI score0.01381EPSS
Exploits0References9
Drupal
Drupal
added 2015/05/20 12:0 a.m.22 views

Shipwire - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-111

The Shipwire API module handles communication with the Shipwire shipping service. The Shipwire module doesn't check view permission for the shipments overview page when installed admin/shipwire/shipments. Limited non-public information is displayed on the page. CVE identifiers issued CVE-2015-549...

5CVSS6.3AI score0.01396EPSS
Exploits0References10
Drupal
Drupal
added 2015/05/06 12:0 a.m.15 views

Entityform Block - Moderately Critical - Access Bypass - SA-CONTRIB-2015-106

This module enables you to display an entityform as a block. The module doesn't sufficiently check permissions on the entityform under scenarios where the form is locked to a certain role. CVE identifiers issued CVE-2015-5493 Versions affected Entityform Block 7.x-1.x versions prior to 7.x-1.3...

5CVSS6.4AI score0.01381EPSS
Exploits0References12
Drupal
Drupal
added 2015/05/06 12:0 a.m.17 views

Video Consultation - Moderately Critical - Cross Site Scripting (XSS) - Unsupported - SA-CONTRIB-2015-105

Video Consultation module integrates VideoWhisper Video Consultation software with Drupal. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. CVE identifiers issued CVE-2015-5492 Versions affected All versions of Video Consultation...

4.3CVSS6.1AI score0.0095EPSS
Exploits0References9
Drupal
Drupal
added 2015/05/06 12:0 a.m.16 views

Dynamic display block - Less Critical - Access bypass - SA-CONTRIB-2015-104

This module enables you to showcase featured content at a prominent place on the front page of the site in an attractive way. The module doesn't sufficiently protect access to content a user has no access to. In certain scenarios a user with the "administer ddblock" permission can see titles of...

3.5CVSS6.2AI score0.01012EPSS
Exploits0References11
Drupal
Drupal
added 2015/05/06 12:0 a.m.27 views

Mobile sliding menu - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-108

The mobile sliding menu module integrates the mmenu jQuery plugin for creating slick, app look-alike sliding menus for your mobile website. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fa...

2.1CVSS6AI score0.00949EPSS
Exploits0References11
Drupal
Drupal
added 2015/05/06 12:0 a.m.22 views

Webform Matrix Component - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-107

The Webform Matrix Component module is an extension of the Webform module that adds Matrix and Table components. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must ha...

3.5CVSS6AI score0.00954EPSS
Exploits0References11
Drupal
Drupal
added 2015/04/29 12:0 a.m.22 views

Camtasia Relay - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-100

This module enables you to integrate your Drupal site with TechSmith Relay software. The module doesn't sufficiently sanitize user input under the meta access tab. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "view meta information". CVE...

4.3CVSS6.2AI score0.01184EPSS
Exploits0References13
Drupal
Drupal
added 2015/04/29 12:0 a.m.20 views

Smart Trim - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-102

This module implements a new field formatter for textfields text, textlong, and textwithsummary, if you want to get technical that improves upon the "Summary or Trimmed" formatter built into Drupal 7. The module doesn't sufficiently filter user input via the field settings form. This vulnerabilit...

3.5CVSS6.5AI score0.00954EPSS
Exploits0References12
Drupal
Drupal
added 2015/04/29 12:0 a.m.20 views

MailChimp - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-101

The MailChimp module allows you to create and manage mailing lists via MailChimp's API. The MailChimp Signup submodule does not properly sanitize some user input, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS vulnerability. This vulnerability is...

2.1CVSS5.7AI score0.01405EPSS
Exploits0References13
Drupal
Drupal
added 2015/04/29 12:0 a.m.20 views

Views - Critical - Access Bypass - SA-CONTRIB-2015-103

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. Access bypass due cache inconsistency Due to an issue in the caching mechanism of Views it's possible that configured filters lose...

5CVSS6.3AI score0.02607EPSS
Exploits1References11
Drupal
Drupal
added 2015/04/22 12:0 a.m.14 views

Keyword Research - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-098

Keyword Research module enables you to tag and prioritize keywords on a site and node level basis. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause another user with "kwresearch admin site keywords" permission to create, delete and set priorities to...

5.1CVSS6.2AI score0.00646EPSS
Exploits0References9
Drupal
Drupal
added 2015/04/22 12:0 a.m.18 views

Node Template - Moderately Critical - Cross Site Request Forgery (CSRF) - Unsupported - SA-CONTRIB-2015-099

Node Template module enables you to define any node as a node template and it can be duplicated later. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with "access node template" permission to delete node templates by getting their browser to make...

6.8CVSS6.3AI score0.00581EPSS
Exploits0References8
Drupal
Drupal
added 2015/04/22 12:0 a.m.22 views

HybridAuth Social Login - Less Critical - Information Disclosure - SA-CONTRIB-2015-097

HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter. The module may store user passwords in plain text. This vulnerability is mitigated by the fact that the option "Ask user for...

3.5CVSS6.3AI score0.00981EPSS
Exploits0References11
Drupal
Drupal
added 2015/04/15 12:0 a.m.19 views

Services - Critical - Multiple Vulnerabilites - SA-CONTRIB-2015-096

Services module enables you to expose an API to third party systems. Access bypass file upload and execution The resource/endpoint for uploading files does not properly sanitize the filename of uploaded files. This vulnerability is mitigated by the fact that the "File Create" resource must be...

6CVSS6.1AI score0.01713EPSS
Exploits0References15
Drupal
Drupal
added 2015/04/15 12:0 a.m.27 views

Display Suite - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-095

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. In certain situations, Display Suite does not properly sanitize some of the output, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS...

3.5CVSS5.7AI score0.00965EPSS
Exploits0References11
Drupal
Drupal
added 2015/04/08 12:0 a.m.23 views

CiviCRM private report - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-094

CiviCRM private report module enables users to create their own private copies of CiviCRM reports, which they can modify and save to meet their needs without requiring the "Administer reports" permission. The module doesn't sufficiently protect some links against CSRF. A malicious user can cause...

6.8CVSS6.3AI score0.00656EPSS
Exploits0References9
Drupal
Drupal
added 2015/04/01 12:0 a.m.22 views

EntityBulkDelete - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-089

EntityBulkDelete module allows you to delete entities in bulk using the Batch API. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must be...

4.3CVSS6AI score0.01184EPSS
Exploits0References10
Drupal
Drupal
added 2015/04/01 12:0 a.m.19 views

Password Policy - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-090

The Password Policy module allows enforcing restrictions on user passwords by defining password policies. The module doesn't sufficiently sanitize usernames in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that only...

2.6CVSS6.2AI score0.01178EPSS
Exploits0References10
Drupal
Drupal
added 2015/04/01 12:0 a.m.24 views

User Import - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-093

This module enables the import of users into Drupal, or the update of existing users, with data from a CSV file comma separated file. Some management URLs were not properly protected. A malicious user could trick an administrator into continuing or deleting an ongoing import by getting them to...

6.8CVSS6.6AI score0.00656EPSS
Exploits0References9
Drupal
Drupal
added 2015/04/01 12:0 a.m.22 views

Current Search Links - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-091

Current Search Links module is an extension to the Facet API Current Search Blocks module. Instead of just showing the current search it turns the current search keywords into links that you can drop from the search. The module doesn't sufficiently sanitize the entered search query, thereby...

2.6CVSS5.7AI score0.01178EPSS
Exploits0References10
Drupal
Drupal
added 2015/04/01 12:0 a.m.16 views

Open Graph Importer - Moderately Critical - Access bypass - Unsupported - SA-CONTRIB-2015-092

This module enables you to import content from a web page by scraping its Open Graph data. The module doesn't sufficiently check for "create" permission to the content type that is configured as the destination for imported content, thus allowing a user with the "import ogtagimporter" permission ...

4CVSS6.4AI score0.01129EPSS
Exploits0References11
Drupal
Drupal
added 2015/04/01 12:0 a.m.18 views

Imagefield Info - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-088

Imagefield Info module enables you to view image field paths so you can easily use them with a WYSIWYG editor. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fa...

2.1CVSS6AI score0.0096EPSS
Exploits0References9
Drupal
Drupal
added 2015/03/25 12:0 a.m.12 views

Linear Case - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-084

Linear Case module allows you to organize Closed Question documents in case studies. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user with...

3.5CVSS6AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2015/03/25 12:0 a.m.24 views

Webform Multiple File Upload - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-083

Webform Multiple File Upload module enables you to upload multiple files at once in webforms. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with edit access to webforms to delete files by getting their browser to make a request to a...

6.8CVSS6.4AI score0.0074EPSS
Exploits0References9
Drupal
Drupal
added 2015/03/25 12:0 a.m.14 views

Decisions - Moderately Critical - Cross Site Request Forgery (CSRF) - Unsupported - SA-CONTRIB-2015-086

Decisions module is a replacement for the Poll module and provides advanced voting systems and decision-making tools. The module doesn't sufficiently protect some links against CSRF. A malicious user can cause another user to remove individual voters by getting their browser to make a request to ...

6.8CVSS6.4AI score0.00649EPSS
Exploits0References8
Drupal
Drupal
added 2015/03/25 12:0 a.m.15 views

Petition - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-081

The Petition module enables you to create petitions which users may sign. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role...

2.1CVSS6AI score0.00949EPSS
Exploits0References9
Total number of security vulnerabilities1940