1940 matches found
OSF for Drupal - Critical - Multiple vulnerabilities - SA-CONTRIB-2015-134
The Open Semantic Framework OSF for Drupal is a middleware layer that allows structured data RDF and associated vocabularies ontologies to "drive" tailored tools and data displays within Drupal. The module is vulnerable to reflected Cross Site Scripting XSS because it did not sufficiently filter...
Path Breadcrumbs - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-133
This module enables you to configure breadcrumbs for any Drupal page. The module didn't sufficiently filter user input values the in administration interface. This vulnerability was mitigated by the fact that an attacker must have a role with the permission "Administer Path Breadcrumbs". CVE...
Administration Views - Critical - Information Disclosure - SA-CONTRIB-2015-132
Administration Views module replaces overview/listing pages with actual views for superior usability. The module does not check access properly under certain circumstances. Anonymous users could get access to read information they should not have access to. CVE identifiers issued CVE-2015-7226...
Views Bulk Operations - Moderately critical - Access Bypass - SA-CONTRIB-2015-131
The Views Bulk Operations module enables you to add bulk operations to administration views, executing actions on multiple selected rows. The module doesn't sufficiently guard user entities against unauthorized modification. If a user has access to a user account listing view with VBO enabled suc...
Migrate - Less critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-130
This module enables you to manage migration processes through the administrative UI. The module doesn't sufficiently sanitize destination field labels thereby exposing a Cross Site Scripting vulnerability XSS. This vulnerability is mitigated by the fact that an attacker must have a role with...
Shibboleth authentication - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-129
Shibboleth authentication module allows users to log in and get permissions based on federated SAML2 authentication. The module didn't filter the text that is displayed as a login link. This vulnerability was mitigated by the fact that an attacker must have a role with the permission Administer...
me aliases - Moderately Critical - Access Bypass - SA-CONTRIB-2015-128
'me aliases' module provides shortcut paths to current user's pages, eg user/me, blog/me, user/me/edit, tracker/me etc. The view user argument handler for the 'me' module has an access bypass vulnerability where it does not check the supplied argument against the current user. This allows any use...
HybridAuth Social Login - Less Critical - Access bypass - SA-CONTRIB-2015-127
The HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter. The module allows account creation through social login when the configuration is set to allow user registration by...
Content Construction Kit (CCK) - Less Critical - Open Redirect - SA-CONTRIB-2015-126
The Content Construction Kit CCK project is a set of modules that allows you to add custom fields to nodes using a web browser. CCK uses a "destinations" query string parameter in URLs to redirect users to new destinations after completing an action on a few administration pages. Under certain...
Apache Solr Real-Time - Critical - Access Bypass - SA-CONTRIB-2015-119
This module allows content-changes to be committed to Apache Solr in real-time. The module doesn't check the status of an entity being indexed which means that unpublished content will get indexed by Solr and the title and partial content may be exposed to any user who has permission to search si...
Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2015-002
Impersonation OpenID module - Drupal 6 and 7 - Critical A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts. This vulnerability is mitigated by the fact that the victim must have an...
LABjs - Less Critical - Open Redirect - SA-CONTRIB-2015-124
The LABjs module integrates LABjs with Drupal for web performance optimization. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack see SA-CORE-2015-002. Only sites with the Overlay module enabled are vulnerable. CVE...
Acquia Cloud Site Factory Connector - Less Critical - Open Redirect - SA-CONTRIB-2015-125
Acquia Cloud Site Factory provides an environment and a robust set of tools that simplify management of many Drupal sites, allowing you to quickly deliver and manage any number of websites. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an ope...
HTTP Strict Transport Security - Moderately Critical - Logical Error - SA-CONTRIB-2015-118
The contributed HSTS module makes it easy for site administrators to implement HTTP Strict Transport Security HSTS by setting the Strict-Transport-Security header on each page generated by Drupal. HSTS module provides a configuration UI for the HSTS "include subdomains" directive, which indicates...
jQuery Update - Less Critical - Open Redirect - SA-CONTRIB-2015-123
The jQuery Update module enables you to update jQuery on your site. The module ships with a modified version of the core Overlay JavaScript file, which is vulnerable to an open redirect attack see SA-CORE-2015-002. Only sites with the Overlay module enabled are vulnerable. CVE identifiers issued...
The eXtensible Catalog (XC) Drupal Toolkit - Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-121
The eXtensible Catalog Drupal Toolkit is a set of Drupal modules to harvest records of the XC Schema format from a Metadata Services Toolkit MST. The XC NCIP Provider module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with "administer ncip providers"...
Administration Views - Moderately Critical - Access Bypass - SA-CONTRIB-2015-122
This module replaces administrative overview/listing pages with Views for improved usability. When combined with other contributed or custom modules, the Administration Views module improperly grants users access to administration pages including the permissions page. This vulnerability is...
Inline Entity Form - Less critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-120
The Inline Entity Form module provides a field widget for inline management creation, modification, removal of referenced entities. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that ...
Novalnet Payment Module Ubercart - Critical - SQL Injection - Unsupported - SA-CONTRIB-2015-116
This module enables you add the Novalnet payment service provider to Ubercart. The module fails to sanitize a database query by not using the database API properly, thereby leading to a SQL Injection vulnerability. Since the affected path is not protected against CSRF, a malicious user can exploi...
Novalnet Payment Module Drupal Commerce - Critical - SQL Injection - Unsupported - SA-CONTRIB-2015-117
This module enables you add the Novalnet payment service provider to Drupal Commerce. The module fails to sanitize a database query by not using the database API properly, thereby leading to a SQL Injection vulnerability. Since the affected path is not protected against CSRF, a malicious user can...
Chamilo integration - Less Critical - Open Redirect - SA-CONTRIB-2015-115
Chamilo integration module integrates Drupal with Chamilo LMS. The module has an Open Redirect vulnerability, it doesn't sufficiently check passed parameters in the URL. An attacker could trick users to visit malicious sites without realizing it. CVE identifiers issued CVE-2015-5503 Versions...
Storage API - Moderately Critical - Access Bypass - SA-CONTRIB-2015-114
The Storage API module creates an underlying agnostic storage layer for Drupal using many different underlying storage methods. Storage API can be used to create fields for entities to hold data. The module failed to restrict access to the Storage API fields attached to entities that are not node...
Web Links - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-110
The Web Links module provides a comprehensive way to manage url links to other websites. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with permissio...
pass2pdf - Critical - Information Disclosure - Unsupported - SA-CONTRIB-2015-109
This module allows you to let users set a password upon registering, and have the password emailed to the user in a PDF file. The module has an Information Disclosure vulnerability. The generated PDF files are not protected. The user passwords are exposed to anonymous users. CVE identifiers issue...
Shipwire - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-111
The Shipwire API module handles communication with the Shipwire shipping service. The Shipwire module doesn't check view permission for the shipments overview page when installed admin/shipwire/shipments. Limited non-public information is displayed on the page. CVE identifiers issued CVE-2015-549...
Entityform Block - Moderately Critical - Access Bypass - SA-CONTRIB-2015-106
This module enables you to display an entityform as a block. The module doesn't sufficiently check permissions on the entityform under scenarios where the form is locked to a certain role. CVE identifiers issued CVE-2015-5493 Versions affected Entityform Block 7.x-1.x versions prior to 7.x-1.3...
Video Consultation - Moderately Critical - Cross Site Scripting (XSS) - Unsupported - SA-CONTRIB-2015-105
Video Consultation module integrates VideoWhisper Video Consultation software with Drupal. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. CVE identifiers issued CVE-2015-5492 Versions affected All versions of Video Consultation...
Dynamic display block - Less Critical - Access bypass - SA-CONTRIB-2015-104
This module enables you to showcase featured content at a prominent place on the front page of the site in an attractive way. The module doesn't sufficiently protect access to content a user has no access to. In certain scenarios a user with the "administer ddblock" permission can see titles of...
Mobile sliding menu - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-108
The mobile sliding menu module integrates the mmenu jQuery plugin for creating slick, app look-alike sliding menus for your mobile website. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fa...
Webform Matrix Component - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-107
The Webform Matrix Component module is an extension of the Webform module that adds Matrix and Table components. The module doesn't sufficiently sanitize user supplied text, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must ha...
Camtasia Relay - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-100
This module enables you to integrate your Drupal site with TechSmith Relay software. The module doesn't sufficiently sanitize user input under the meta access tab. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "view meta information". CVE...
Smart Trim - Less Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-102
This module implements a new field formatter for textfields text, textlong, and textwithsummary, if you want to get technical that improves upon the "Summary or Trimmed" formatter built into Drupal 7. The module doesn't sufficiently filter user input via the field settings form. This vulnerabilit...
MailChimp - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-101
The MailChimp module allows you to create and manage mailing lists via MailChimp's API. The MailChimp Signup submodule does not properly sanitize some user input, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS vulnerability. This vulnerability is...
Views - Critical - Access Bypass - SA-CONTRIB-2015-103
The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. Access bypass due cache inconsistency Due to an issue in the caching mechanism of Views it's possible that configured filters lose...
Keyword Research - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-098
Keyword Research module enables you to tag and prioritize keywords on a site and node level basis. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause another user with "kwresearch admin site keywords" permission to create, delete and set priorities to...
Node Template - Moderately Critical - Cross Site Request Forgery (CSRF) - Unsupported - SA-CONTRIB-2015-099
Node Template module enables you to define any node as a node template and it can be duplicated later. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with "access node template" permission to delete node templates by getting their browser to make...
HybridAuth Social Login - Less Critical - Information Disclosure - SA-CONTRIB-2015-097
HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter. The module may store user passwords in plain text. This vulnerability is mitigated by the fact that the option "Ask user for...
Services - Critical - Multiple Vulnerabilites - SA-CONTRIB-2015-096
Services module enables you to expose an API to third party systems. Access bypass file upload and execution The resource/endpoint for uploading files does not properly sanitize the filename of uploaded files. This vulnerability is mitigated by the fact that the "File Create" resource must be...
Display Suite - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-095
Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. In certain situations, Display Suite does not properly sanitize some of the output, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS...
CiviCRM private report - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-094
CiviCRM private report module enables users to create their own private copies of CiviCRM reports, which they can modify and save to meet their needs without requiring the "Administer reports" permission. The module doesn't sufficiently protect some links against CSRF. A malicious user can cause...
EntityBulkDelete - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-089
EntityBulkDelete module allows you to delete entities in bulk using the Batch API. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must be...
Password Policy - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-090
The Password Policy module allows enforcing restrictions on user passwords by defining password policies. The module doesn't sufficiently sanitize usernames in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that only...
User Import - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-093
This module enables the import of users into Drupal, or the update of existing users, with data from a CSV file comma separated file. Some management URLs were not properly protected. A malicious user could trick an administrator into continuing or deleting an ongoing import by getting them to...
Current Search Links - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-091
Current Search Links module is an extension to the Facet API Current Search Blocks module. Instead of just showing the current search it turns the current search keywords into links that you can drop from the search. The module doesn't sufficiently sanitize the entered search query, thereby...
Open Graph Importer - Moderately Critical - Access bypass - Unsupported - SA-CONTRIB-2015-092
This module enables you to import content from a web page by scraping its Open Graph data. The module doesn't sufficiently check for "create" permission to the content type that is configured as the destination for imported content, thus allowing a user with the "import ogtagimporter" permission ...
Imagefield Info - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-088
Imagefield Info module enables you to view image field paths so you can easily use them with a WYSIWYG editor. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fa...
Linear Case - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-084
Linear Case module allows you to organize Closed Question documents in case studies. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user with...
Webform Multiple File Upload - Moderately Critical - Cross Site Request Forgery (CSRF) - SA-CONTRIB-2015-083
Webform Multiple File Upload module enables you to upload multiple files at once in webforms. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause a user with edit access to webforms to delete files by getting their browser to make a request to a...
Decisions - Moderately Critical - Cross Site Request Forgery (CSRF) - Unsupported - SA-CONTRIB-2015-086
Decisions module is a replacement for the Poll module and provides advanced voting systems and decision-making tools. The module doesn't sufficiently protect some links against CSRF. A malicious user can cause another user to remove individual voters by getting their browser to make a request to ...
Petition - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-081
The Petition module enables you to create petitions which users may sign. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role...