Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2015/03/25 12:0 a.m.15 views

Crumbs - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-082

This module enables you to add navigation to your webpages colloquially referred to as "breadcrumbs". The module doesn't sufficiently sanitize custom HTML separators for breadcrumbs, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacke...

2.1CVSS5.9AI score0.00949EPSS
Exploits0References10
Drupal
Drupal
added 2015/03/25 12:0 a.m.23 views

Invoice - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2015-085

Invoice module allows you to create invoices in Drupal. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. Additionally, some URLs were not protected against CSRF. A malicious user can cause another user to create,...

6.8CVSS5.3AI score0.00966EPSS
Exploits0References10
Drupal
Drupal
added 2015/03/25 12:0 a.m.25 views

Ubercart Webform Checkout Pane - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-087

Ubercart Webform Checkout Pane module allows you to define Webform nodes as checkout/order panes in Ubercart. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an...

3.5CVSS6AI score0.01122EPSS
Exploits0References12
Drupal
Drupal
added 2015/03/18 12:0 a.m.29 views

SA-CONTRIB-2015-079 - Chaos tool suite (ctools) - Multiple vulnerabilities

This module provides a set of APIs and tools to improve the developer experience. Access bypass in autocomplete Drupal 7 only Among other many other things, CTools provides an autocomplete callback for finding entities by their titles or ID. In CTools version 1.5, additional checks were created t...

5.8CVSS6.2AI score0.01331EPSS
Exploits0References11
Drupal
Drupal
added 2015/03/18 12:0 a.m.20 views

SA-CONTRIB-2015-078 - Webform - Cross Site Scripting (XSS)

Webform is the module for making surveys, petitions, contests, personalized contact forms, and the like in Drupal. The module doesn't sufficiently sanitize component names when components are used to determine the e-mail addresses that may be sent upon webform submission. This vulnerability is...

3.5CVSS6.3AI score0.01091EPSS
Exploits0References9
Drupal
Drupal
added 2015/03/18 12:0 a.m.16 views

SA-CONTRIB-2015-080 - Profile2 Privacy - Cross Site Scripting (XSS)

Profile2 Privacy module enables you to show or hide parts of a profile2 entity based on pre-configured field sets with a title and description. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is...

3.5CVSS6.1AI score0.00965EPSS
Exploits0References11
Drupal
Drupal
added 2015/03/18 12:0 a.m.645 views

Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2015-001

Access bypass Password reset URLs - Drupal 6 and 7 Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password. In Drupal 7, this vulnerability is mitigated by the fact that it can only be...

6.1CVSS6.8AI score0.01635EPSS
Exploits0References22
Drupal
Drupal
added 2015/03/11 12:0 a.m.21 views

SA-CONTRIB-2015-077 - OG tabs - Cross Site Scripting (XSS)

OG Tabs modules provides a secondary menu with links to nodes of the same OG group. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission t...

3.5CVSS6AI score0.00965EPSS
Exploits0References12
Drupal
Drupal
added 2015/03/11 12:0 a.m.19 views

SA-CONTRIB-2015-076 - Image Title - Cross Site Scripting (XSS)

Image Title module allows you to upload an image and use it as a node title. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must allowed to create/edit...

3.5CVSS6.1AI score0.00965EPSS
Exploits0References10
Drupal
Drupal
added 2015/03/11 12:0 a.m.15 views

SA-CONTRIB-2015-075 - Perfecto - Open Redirect

The Perfecto module allows themers accurately calibrate the CSS by floating compositions over the page. The module doesn't sufficiently check user supplied URLs in parameters used for page redirection. An attacker could trick users to visit malicious sites without realizing it. CVE identifiers...

5.8CVSS6.3AI score0.01204EPSS
Exploits0References9
Drupal
Drupal
added 2015/03/11 12:0 a.m.24 views

SA-CONTRIB-2015-074 - Site Documentation - Cross Site Scripting (XSS)

Site Documentation module enables you to display detailed configuration information. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user with...

3.5CVSS6AI score0.00965EPSS
Exploits0References10
Drupal
Drupal
added 2015/03/04 12:0 a.m.12 views

SA-CONTRIB-2015-073 - Trick Question - Cross Site Scripting (XSS)

The Trick Question is a CAPTCHA-type spam prevention module; a lightweight, compact and simple alternative to larger and more complex modules. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. The vulnerability is...

3.5CVSS6AI score0.00965EPSS
Exploits0References11
Drupal
Drupal
added 2015/03/04 12:0 a.m.23 views

SA-CONTRIB-2015-067 - Finder - Open Redirect

Finder module allows you to create flexible faceted search forms to find entities such as nodes or users based on the values of fields and database attributes. The provided function finderformgoto is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the...

5.8CVSS6.3AI score0.01191EPSS
Exploits0References12
Drupal
Drupal
added 2015/03/04 12:0 a.m.26 views

SA-CONTRIB-2015-066 - Tracking Code - Cross Site Request Forgery (CSRF)

Tracking Code module allows you to create tracking code snippets and control their visibility. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to disable tracking codes by getting their browser to make a request to a specially-crafted UR...

6.8CVSS6.7AI score0.01055EPSS
Exploits0References10
Drupal
Drupal
added 2015/03/04 12:0 a.m.21 views

SA-CONTRIB-2015-068 - Campaign Monitor - Cross Site Request Forgery (CSRF)

Campaign Monitor module integrates the Campaign Monitor API into Drupal. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause another user to enable and disable list subscriptions by getting their browser to make a request to a specially-crafted URL. CVE...

6.8CVSS6.3AI score0.00656EPSS
Exploits0References10
Drupal
Drupal
added 2015/03/04 12:0 a.m.15 views

SA-CONTRIB-2015-065 - Registration codes - Multiple vulnerabilities

Registration codes module allows new account registrations only for users who provide a valid registration code. The module was not properly sanitizing user supplied text in some pages, thereby exposing XSS vulnerabilities. Additionally, some URLs were not protected against CSRF, a malicious user...

6.8CVSS5.7AI score0.01067EPSS
Exploits0References9
Drupal
Drupal
added 2015/03/04 12:0 a.m.19 views

SA-CONTRIB-2015-064 - Ubercart Discount Coupons - Cross Site Scripting (XSS)

Ubercart Discount Coupons module provides discount coupons for Ubercart stores. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. The vulnerability is mitigated by the fact that an attacker must have a...

3.5CVSS6AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2015/03/04 12:0 a.m.24 views

SA-CONTRIB-2015-071 - Simple Subscription - Cross Site Scripting (XSS)

This module enables you to add a block to allow visitors to subscribe to a site's newsletter. The module failed to sanitize some block content, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...

3.5CVSS5.6AI score0.00965EPSS
Exploits0References11
Drupal
Drupal
added 2015/03/04 12:0 a.m.23 views

SA-CONTRIB-2015-063 - Webform - Cross Site Scripting (XSS)

Webform enables you to create surveys, personalized contact forms, contests, and the like. Cross Site Scripting Related to Webform Submissions The module doesn't sufficiently escape user data presented to administrative users in the webform results table. This issue affects the 7.x-4.x branch onl...

3.5CVSS5.8AI score0.01091EPSS
Exploits0References12
Drupal
Drupal
added 2015/03/04 12:0 a.m.17 views

SA-CONTRIB-2015-072 - Commerce Ogone - Access bypass

This module enables you to use Ogone Ingenico as a payment method for Drupal Commerce. Malicious users can trick Commerce Ogone into proceeding with the checkout process without actually going through the Ogone payment process, causing the order status to be set to checkout complete, even though ...

5CVSS6.4AI score0.01358EPSS
Exploits0References12
Drupal
Drupal
added 2015/03/04 12:0 a.m.19 views

SA-CONTRIB-2015-069 - Taxonomy Accordion - Cross Site Scripting (XSS) - Unsupported

Taxonomy Accordion module creates a block for each taxonomy vocabularies. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user allowed to...

3.5CVSS6AI score0.00954EPSS
Exploits0References8
Drupal
Drupal
added 2015/03/04 12:0 a.m.18 views

SA-CONTRIB-2015-070 - Mover - Cross Site Scripting (XSS) - Unsupported

The Mover modules provide the ability to move content between Drupal sites. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to...

3.5CVSS5.9AI score0.00954EPSS
Exploits0References8
Drupal
Drupal
added 2015/02/25 12:0 a.m.19 views

SA-CONTRIB-2015-060 - Custom Sitemap - Cross Site Request Forgery (CSRF) - Unsupported

The Custom Sitemap module enables you to add custom sitemaps to a site. The module doesn't sufficiently protect some URLs against CSRF. A malicious user could trick an administrator into deleting sitemaps by getting their browser to make a request to a specially-crafted URL. CVE identifiers issue...

5.8CVSS6.3AI score0.00649EPSS
Exploits0References8
Drupal
Drupal
added 2015/02/25 12:0 a.m.16 views

SA-CONTRIB-2015-058 - Spider Catalog - Cross Site Request Forgery (CSRF) - Unsupported

Spider Catalog module enables you to build product catalogs. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to delete products, ratings and categories by getting their browser to make a request to a specially-crafted URL. CVE identifier...

6.8CVSS6.4AI score0.00649EPSS
Exploits0References8
Drupal
Drupal
added 2015/02/25 12:0 a.m.18 views

SA-CONTRIB-2015-059 - Spider Video Player - Multiple vulnerabilities - Unsupported

Spider Video Player module enables you to add HTML5 and Flash videos to your site. The module doesn't sufficiently check user input when deleting files. A malicious user could delete arbitrary files by making a request to a specially-crafted URL. This vulnerability is mitigated by the fact that t...

5.8CVSS6.3AI score0.01076EPSS
Exploits0References8
Drupal
Drupal
added 2015/02/25 12:0 a.m.15 views

SA-CONTRIB-2015-062 - Watchdog Aggregator - Cross Site Request Forgery (CSRF) - Unsupported

Watchdog Aggregator collects watchdog messages from external sites. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to enable and disable monitoring sites by getting their browser to make a request to a specially-crafted URL. CVE...

7AI score
Exploits0References8
Drupal
Drupal
added 2015/02/25 12:0 a.m.15 views

SA-CONTRIB-2015-054 - SMS Framework - Cross Site Scripting (XSS)

SMS Framework module enables you to send and receive SMS messages from and into Drupal. The module doesn't sufficiently sanitize user supplied text in message previews, thereby exposing a reflected Cross Site Scripting vulnerability. An attacker could exploit this vulnerability by getting the...

2.6CVSS6AI score0.01178EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/25 12:0 a.m.22 views

SA-CONTRIB-2015-053 - Entity API - Cross Site Scripting (XSS)

The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. The module doesn't sufficiently sanitize field labels when exposing them through the Token API thereby exposing a Cross Site Scripting XSS vulnerability. This...

3.5CVSS5.7AI score0.01402EPSS
Exploits0References11
Drupal
Drupal
added 2015/02/25 12:0 a.m.22 views

SA-CONTRIB-2015-055 - Services single sign-on server helper - Open Redirect - Unsupported

Services single sign-on server helper module provides functionality to facilitate account information editing on a remote SSO site. The module doesn't validate some user supplied URLs in parameters used for page redirection. An attacker could trick users to visit malicious sites without realizing...

5.8CVSS6.2AI score0.01516EPSS
Exploits0References8
Drupal
Drupal
added 2015/02/25 12:0 a.m.17 views

SA-CONTRIB-2015-056 - inLinks Integration - Cross Site Scripting (XSS) - Unsupported

inLinks Integration module enables you to use inLinks product from Text Link Ads third-party service. The module doesn't sufficiently sanitize user input in some path arguments, thereby exposing a Cross Site Scripting vulnerability. CVE identifiers issued CVE-2015-4347 Versions affected All...

4.3CVSS6AI score0.01171EPSS
Exploits0References8
Drupal
Drupal
added 2015/02/25 12:0 a.m.24 views

SA-CONTRIB-2015-057 - Spider Contacts - Multiple vulnerabilities - Unsupported

Spider Contacts module provides a user-friendly way to manage and display contacts. The module doesn't use Drupal's Database API properly, not sanitizing user input on SQL queries and thereby exposing a SQL Injection vulnerability. This vulnerability is mitigated by the fact that the attacker mus...

6CVSS6.1AI score0.00986EPSS
Exploits0References8
Drupal
Drupal
added 2015/02/25 12:0 a.m.13 views

SA-CONTRIB-2015-061 - Ubercart Webform Integration - Cross Site Scripting (XSS)

Ubercart Webform Integration module integrates Webform and Ubercart modules. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to...

6.6AI score
Exploits0References10
Drupal
Drupal
added 2015/02/18 12:0 a.m.22 views

SA-CONTRIB-2015-050 - Services Basic Authentication - Access bypass

Services Basic Authentication module adds HTTP basic authentication for Services module. A user could get unauthorized access to resources under some circumstances. This vulnerability is mitigated by the fact that the authentication works correctly when page caching is disabled. CVE identifiers...

5CVSS6.7AI score0.01439EPSS
Exploits0References15
Drupal
Drupal
added 2015/02/18 12:0 a.m.17 views

SA-CONTRIB-2015-049 - Navigate - Cross Site Scripting (XSS)

Navigate is a customizable navigation bar for Drupal. The module doesn't sufficiently sanitize user input when displaying the Navigate bar. Because the vulnerability is a Reflected Cross Site Scripting, the only mitigating factor is that the victim must be tricked into visiting a specially crafte...

4.3CVSS6.3AI score0.01521EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/18 12:0 a.m.25 views

SA-CONTRIB-2015-047 - Panopoly Magic - Cross Site Scripting (XSS)

This module enables live previews of Panels panes in the modal dialog for adding or editing them. The module doesn't sufficiently filter the pane title when re-rendering the live preview. This vulnerability is mitigated by the fact that an attacker must have permission to add or edit Panels panes...

3.5CVSS6.3AI score0.00936EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/18 12:0 a.m.25 views

SA-CONTRIB-2015-048 - Avatar Uploader - Arbitrary PHP code execution

Avatar Uploader module provides an alternative way to upload user pictures. The module doesn't sufficiently enforce file extensions when an avatar is uploaded, allowing users to bypass Drupal's normal file upload protections to install malicious HTML or executable code to the server. This...

6.5CVSS7AI score0.01844EPSS
Exploits0References11
Drupal
Drupal
added 2015/02/18 12:0 a.m.15 views

SA-CONTRIB-2015-052 - RESTful Web Services - Access Bypass

This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The RESTWS Basic Auth submodule doesn't sufficiently disable page caching for authenticated requests thereby leaking potentially...

5CVSS6.2AI score0.01398EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/18 12:0 a.m.20 views

SA-CONTRIB-2015-051 - Term Queue - Cross Site Scripting (XSS)

Term Queue module allows you to create lists of taxonomy terms and display them in a block. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker...

4.3CVSS6AI score0.01773EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/11 12:0 a.m.27 views

SA-CONTRIB-2015-040 - Webform prepopulate block - Cross Site Scripting (XSS)

Webform prepopulate block module enables you to set a webform component to display in a separated block. The module doesn't sufficiently sanitize user supplied text when displaying the block, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that a...

3.5CVSS6AI score0.00936EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/11 12:0 a.m.25 views

SA-CONTRIB-2015-039 - Views - Multiple vulnerabilities

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. Open redirect vulnerability The module does not sanitize user provided URLs when processing the page to break the lock on Views bei...

4.9CVSS6AI score0.0158EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/11 12:0 a.m.17 views

SA-CONTRIB-2015-046 - Taxonomy Tools - Cross Site Scripting (XSS)

Taxonomy Tools module provides alternative ways of managing taxonomy terms. The module doesn't sufficiently escape node and taxonomy term titles when displaying them, allowing a malicious user to inject code. This vulnerability is mitigated by the fact that an attacker must have a role with...

3.5CVSS6.3AI score0.00965EPSS
Exploits0References12
Drupal
Drupal
added 2015/02/11 12:0 a.m.15 views

SA-CONTRIB-2015-045 - Node Access Product - Cross Site Scripting (XSS) - Unsupported

The Node Access Product module provides 'Node access' settings for product nodes, whereby users who purchase the product are granted view access to content, which can be predefined either by taxonomy, by node, or by Views. The module doesn't sufficiently sanitize node titles leading to the...

3.5CVSS5.8AI score0.00954EPSS
Exploits0References10
Drupal
Drupal
added 2015/02/11 12:0 a.m.23 views

SA-CONTRIB-2015-043 - Commerce Balanced Payments - Multiple vulnerabilities

Commerce Balanced Payments module integrates Drupal Commerce with the Balanced Payments third-party service. The module doesn't sufficiently sanitize user supplied text in the Bank Account Listing Page, thereby exposing a Cross Site Scripting vulnerability. Also, some URLs were not protected...

5.8CVSS5.9AI score0.00954EPSS
Exploits0References8
Drupal
Drupal
added 2015/02/11 12:0 a.m.21 views

SA-CONTRIB-2015-041 - Feature Set - Cross Site Request Forgery (CSRF)

Feature Set module enables you to enable or disable sets of features or modules. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to enable and disable modules by getting the administrator's browser to make a request to a specially-crafte...

5.8CVSS6.3AI score0.00649EPSS
Exploits0References10
Drupal
Drupal
added 2015/02/11 12:0 a.m.34 views

SA-CONTRIB-2015-042 - Node basket - Multiple vulnerabilities - Unsupported

Node basket module enables you to pick up nodes in a basket. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user with permission to...

5.8CVSS5.5AI score0.01191EPSS
Exploits0References8
Drupal
Drupal
added 2015/02/11 12:0 a.m.20 views

SA-CONTRIB-2015-044 - Taxonomy Path - Cross Site Scripting (XSS)

Taxonomy Path module enables you to create custom links to taxonomy terms within a display mode. The module doesn't sufficiently sanitize user provided text in the provided "Link to path" field formatter, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by th...

3.5CVSS5.9AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/04 12:0 a.m.21 views

SA-CONTRIB-2015-038 - Facebook Album Fetcher - Cross Site Scripting (XSS) - Unsupported

Facebook Album Fetcher module allows you to fetch Facebook albums from a Facebook account. The module incorrectly prints fields without proper sanitization thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

3.5CVSS6AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/04 12:0 a.m.25 views

SA-CONTRIB-2015-037 - Path Breadcrumbs - Access Bypass

This module enables you to configure breadcrumbs for any Drupal page. The module doesn't check node access on 403 Not Found pages. As a result, unpublished content data can be shown to unprivileged user. This vulnerability is mitigated by the fact that it is possible to configure proper access...

5CVSS6.3AI score0.01423EPSS
Exploits0References11
Drupal
Drupal
added 2015/02/04 12:0 a.m.22 views

SA-CONTRIB-2015-035 - Ajax Timeline - Cross Site Scripting (XSS)

Ajax Timeline module enables you to display a vertical timeline of nodes based off a date field or created date of the configured nodes. The module doesn't sufficiently escape node titles when displaying the timeline, allowing a malicious user to inject code. This vulnerability is mitigated by th...

3.5CVSS6.3AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2015/02/04 12:0 a.m.19 views

SA-CONTRIB-2015-036 - Public Download Count - Cross Site Scripting (XSS) - Unsupported

Public Download Count module keeps track of file download counts. The module doesn't sufficiently sanitize user supplied text in the Download counts report page thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role wit...

3.5CVSS6AI score0.00965EPSS
Exploits0References9
Total number of security vulnerabilities1940