1940 matches found
Crumbs - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-082
This module enables you to add navigation to your webpages colloquially referred to as "breadcrumbs". The module doesn't sufficiently sanitize custom HTML separators for breadcrumbs, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacke...
Invoice - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2015-085
Invoice module allows you to create invoices in Drupal. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. Additionally, some URLs were not protected against CSRF. A malicious user can cause another user to create,...
Ubercart Webform Checkout Pane - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-087
Ubercart Webform Checkout Pane module allows you to define Webform nodes as checkout/order panes in Ubercart. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an...
SA-CONTRIB-2015-079 - Chaos tool suite (ctools) - Multiple vulnerabilities
This module provides a set of APIs and tools to improve the developer experience. Access bypass in autocomplete Drupal 7 only Among other many other things, CTools provides an autocomplete callback for finding entities by their titles or ID. In CTools version 1.5, additional checks were created t...
SA-CONTRIB-2015-078 - Webform - Cross Site Scripting (XSS)
Webform is the module for making surveys, petitions, contests, personalized contact forms, and the like in Drupal. The module doesn't sufficiently sanitize component names when components are used to determine the e-mail addresses that may be sent upon webform submission. This vulnerability is...
SA-CONTRIB-2015-080 - Profile2 Privacy - Cross Site Scripting (XSS)
Profile2 Privacy module enables you to show or hide parts of a profile2 entity based on pre-configured field sets with a title and description. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is...
Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2015-001
Access bypass Password reset URLs - Drupal 6 and 7 Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password. In Drupal 7, this vulnerability is mitigated by the fact that it can only be...
SA-CONTRIB-2015-077 - OG tabs - Cross Site Scripting (XSS)
OG Tabs modules provides a secondary menu with links to nodes of the same OG group. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission t...
SA-CONTRIB-2015-076 - Image Title - Cross Site Scripting (XSS)
Image Title module allows you to upload an image and use it as a node title. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must allowed to create/edit...
SA-CONTRIB-2015-075 - Perfecto - Open Redirect
The Perfecto module allows themers accurately calibrate the CSS by floating compositions over the page. The module doesn't sufficiently check user supplied URLs in parameters used for page redirection. An attacker could trick users to visit malicious sites without realizing it. CVE identifiers...
SA-CONTRIB-2015-074 - Site Documentation - Cross Site Scripting (XSS)
Site Documentation module enables you to display detailed configuration information. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user with...
SA-CONTRIB-2015-073 - Trick Question - Cross Site Scripting (XSS)
The Trick Question is a CAPTCHA-type spam prevention module; a lightweight, compact and simple alternative to larger and more complex modules. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. The vulnerability is...
SA-CONTRIB-2015-067 - Finder - Open Redirect
Finder module allows you to create flexible faceted search forms to find entities such as nodes or users based on the values of fields and database attributes. The provided function finderformgoto is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the...
SA-CONTRIB-2015-066 - Tracking Code - Cross Site Request Forgery (CSRF)
Tracking Code module allows you to create tracking code snippets and control their visibility. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to disable tracking codes by getting their browser to make a request to a specially-crafted UR...
SA-CONTRIB-2015-068 - Campaign Monitor - Cross Site Request Forgery (CSRF)
Campaign Monitor module integrates the Campaign Monitor API into Drupal. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause another user to enable and disable list subscriptions by getting their browser to make a request to a specially-crafted URL. CVE...
SA-CONTRIB-2015-065 - Registration codes - Multiple vulnerabilities
Registration codes module allows new account registrations only for users who provide a valid registration code. The module was not properly sanitizing user supplied text in some pages, thereby exposing XSS vulnerabilities. Additionally, some URLs were not protected against CSRF, a malicious user...
SA-CONTRIB-2015-064 - Ubercart Discount Coupons - Cross Site Scripting (XSS)
Ubercart Discount Coupons module provides discount coupons for Ubercart stores. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. The vulnerability is mitigated by the fact that an attacker must have a...
SA-CONTRIB-2015-071 - Simple Subscription - Cross Site Scripting (XSS)
This module enables you to add a block to allow visitors to subscribe to a site's newsletter. The module failed to sanitize some block content, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...
SA-CONTRIB-2015-063 - Webform - Cross Site Scripting (XSS)
Webform enables you to create surveys, personalized contact forms, contests, and the like. Cross Site Scripting Related to Webform Submissions The module doesn't sufficiently escape user data presented to administrative users in the webform results table. This issue affects the 7.x-4.x branch onl...
SA-CONTRIB-2015-072 - Commerce Ogone - Access bypass
This module enables you to use Ogone Ingenico as a payment method for Drupal Commerce. Malicious users can trick Commerce Ogone into proceeding with the checkout process without actually going through the Ogone payment process, causing the order status to be set to checkout complete, even though ...
SA-CONTRIB-2015-069 - Taxonomy Accordion - Cross Site Scripting (XSS) - Unsupported
Taxonomy Accordion module creates a block for each taxonomy vocabularies. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user allowed to...
SA-CONTRIB-2015-070 - Mover - Cross Site Scripting (XSS) - Unsupported
The Mover modules provide the ability to move content between Drupal sites. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to...
SA-CONTRIB-2015-060 - Custom Sitemap - Cross Site Request Forgery (CSRF) - Unsupported
The Custom Sitemap module enables you to add custom sitemaps to a site. The module doesn't sufficiently protect some URLs against CSRF. A malicious user could trick an administrator into deleting sitemaps by getting their browser to make a request to a specially-crafted URL. CVE identifiers issue...
SA-CONTRIB-2015-058 - Spider Catalog - Cross Site Request Forgery (CSRF) - Unsupported
Spider Catalog module enables you to build product catalogs. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to delete products, ratings and categories by getting their browser to make a request to a specially-crafted URL. CVE identifier...
SA-CONTRIB-2015-059 - Spider Video Player - Multiple vulnerabilities - Unsupported
Spider Video Player module enables you to add HTML5 and Flash videos to your site. The module doesn't sufficiently check user input when deleting files. A malicious user could delete arbitrary files by making a request to a specially-crafted URL. This vulnerability is mitigated by the fact that t...
SA-CONTRIB-2015-062 - Watchdog Aggregator - Cross Site Request Forgery (CSRF) - Unsupported
Watchdog Aggregator collects watchdog messages from external sites. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to enable and disable monitoring sites by getting their browser to make a request to a specially-crafted URL. CVE...
SA-CONTRIB-2015-054 - SMS Framework - Cross Site Scripting (XSS)
SMS Framework module enables you to send and receive SMS messages from and into Drupal. The module doesn't sufficiently sanitize user supplied text in message previews, thereby exposing a reflected Cross Site Scripting vulnerability. An attacker could exploit this vulnerability by getting the...
SA-CONTRIB-2015-053 - Entity API - Cross Site Scripting (XSS)
The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. The module doesn't sufficiently sanitize field labels when exposing them through the Token API thereby exposing a Cross Site Scripting XSS vulnerability. This...
SA-CONTRIB-2015-055 - Services single sign-on server helper - Open Redirect - Unsupported
Services single sign-on server helper module provides functionality to facilitate account information editing on a remote SSO site. The module doesn't validate some user supplied URLs in parameters used for page redirection. An attacker could trick users to visit malicious sites without realizing...
SA-CONTRIB-2015-056 - inLinks Integration - Cross Site Scripting (XSS) - Unsupported
inLinks Integration module enables you to use inLinks product from Text Link Ads third-party service. The module doesn't sufficiently sanitize user input in some path arguments, thereby exposing a Cross Site Scripting vulnerability. CVE identifiers issued CVE-2015-4347 Versions affected All...
SA-CONTRIB-2015-057 - Spider Contacts - Multiple vulnerabilities - Unsupported
Spider Contacts module provides a user-friendly way to manage and display contacts. The module doesn't use Drupal's Database API properly, not sanitizing user input on SQL queries and thereby exposing a SQL Injection vulnerability. This vulnerability is mitigated by the fact that the attacker mus...
SA-CONTRIB-2015-061 - Ubercart Webform Integration - Cross Site Scripting (XSS)
Ubercart Webform Integration module integrates Webform and Ubercart modules. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to...
SA-CONTRIB-2015-050 - Services Basic Authentication - Access bypass
Services Basic Authentication module adds HTTP basic authentication for Services module. A user could get unauthorized access to resources under some circumstances. This vulnerability is mitigated by the fact that the authentication works correctly when page caching is disabled. CVE identifiers...
SA-CONTRIB-2015-049 - Navigate - Cross Site Scripting (XSS)
Navigate is a customizable navigation bar for Drupal. The module doesn't sufficiently sanitize user input when displaying the Navigate bar. Because the vulnerability is a Reflected Cross Site Scripting, the only mitigating factor is that the victim must be tricked into visiting a specially crafte...
SA-CONTRIB-2015-047 - Panopoly Magic - Cross Site Scripting (XSS)
This module enables live previews of Panels panes in the modal dialog for adding or editing them. The module doesn't sufficiently filter the pane title when re-rendering the live preview. This vulnerability is mitigated by the fact that an attacker must have permission to add or edit Panels panes...
SA-CONTRIB-2015-048 - Avatar Uploader - Arbitrary PHP code execution
Avatar Uploader module provides an alternative way to upload user pictures. The module doesn't sufficiently enforce file extensions when an avatar is uploaded, allowing users to bypass Drupal's normal file upload protections to install malicious HTML or executable code to the server. This...
SA-CONTRIB-2015-052 - RESTful Web Services - Access Bypass
This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The RESTWS Basic Auth submodule doesn't sufficiently disable page caching for authenticated requests thereby leaking potentially...
SA-CONTRIB-2015-051 - Term Queue - Cross Site Scripting (XSS)
Term Queue module allows you to create lists of taxonomy terms and display them in a block. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker...
SA-CONTRIB-2015-040 - Webform prepopulate block - Cross Site Scripting (XSS)
Webform prepopulate block module enables you to set a webform component to display in a separated block. The module doesn't sufficiently sanitize user supplied text when displaying the block, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that a...
SA-CONTRIB-2015-039 - Views - Multiple vulnerabilities
The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. Open redirect vulnerability The module does not sanitize user provided URLs when processing the page to break the lock on Views bei...
SA-CONTRIB-2015-046 - Taxonomy Tools - Cross Site Scripting (XSS)
Taxonomy Tools module provides alternative ways of managing taxonomy terms. The module doesn't sufficiently escape node and taxonomy term titles when displaying them, allowing a malicious user to inject code. This vulnerability is mitigated by the fact that an attacker must have a role with...
SA-CONTRIB-2015-045 - Node Access Product - Cross Site Scripting (XSS) - Unsupported
The Node Access Product module provides 'Node access' settings for product nodes, whereby users who purchase the product are granted view access to content, which can be predefined either by taxonomy, by node, or by Views. The module doesn't sufficiently sanitize node titles leading to the...
SA-CONTRIB-2015-043 - Commerce Balanced Payments - Multiple vulnerabilities
Commerce Balanced Payments module integrates Drupal Commerce with the Balanced Payments third-party service. The module doesn't sufficiently sanitize user supplied text in the Bank Account Listing Page, thereby exposing a Cross Site Scripting vulnerability. Also, some URLs were not protected...
SA-CONTRIB-2015-041 - Feature Set - Cross Site Request Forgery (CSRF)
Feature Set module enables you to enable or disable sets of features or modules. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to enable and disable modules by getting the administrator's browser to make a request to a specially-crafte...
SA-CONTRIB-2015-042 - Node basket - Multiple vulnerabilities - Unsupported
Node basket module enables you to pick up nodes in a basket. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user with permission to...
SA-CONTRIB-2015-044 - Taxonomy Path - Cross Site Scripting (XSS)
Taxonomy Path module enables you to create custom links to taxonomy terms within a display mode. The module doesn't sufficiently sanitize user provided text in the provided "Link to path" field formatter, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by th...
SA-CONTRIB-2015-038 - Facebook Album Fetcher - Cross Site Scripting (XSS) - Unsupported
Facebook Album Fetcher module allows you to fetch Facebook albums from a Facebook account. The module incorrectly prints fields without proper sanitization thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...
SA-CONTRIB-2015-037 - Path Breadcrumbs - Access Bypass
This module enables you to configure breadcrumbs for any Drupal page. The module doesn't check node access on 403 Not Found pages. As a result, unpublished content data can be shown to unprivileged user. This vulnerability is mitigated by the fact that it is possible to configure proper access...
SA-CONTRIB-2015-035 - Ajax Timeline - Cross Site Scripting (XSS)
Ajax Timeline module enables you to display a vertical timeline of nodes based off a date field or created date of the configured nodes. The module doesn't sufficiently escape node titles when displaying the timeline, allowing a malicious user to inject code. This vulnerability is mitigated by th...
SA-CONTRIB-2015-036 - Public Download Count - Cross Site Scripting (XSS) - Unsupported
Public Download Count module keeps track of file download counts. The module doesn't sufficiently sanitize user supplied text in the Download counts report page thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role wit...