SA-CONTRIB-2015-058 - Spider Catalog - Cross Site Request Forgery (CSRF) - Unsupported
Spider Catalog module enables you to build product catalogs. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to delete products, ratings and categories by getting their browser to make a request to a specially-crafted URL. CVE identifier...
SA-CONTRIB-2015-059 - Spider Video Player - Multiple vulnerabilities - Unsupported
Spider Video Player module enables you to add HTML5 and Flash videos to your site. The module doesn't sufficiently check user input when deleting files. A malicious user could delete arbitrary files by making a request to a specially-crafted URL. This vulnerability is mitigated by the fact that t...
SA-CONTRIB-2015-061 - Ubercart Webform Integration - Cross Site Scripting (XSS)
Ubercart Webform Integration module integrates Webform and Ubercart modules. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have permission to...
SA-CONTRIB-2015-050 - Services Basic Authentication - Access bypass
Services Basic Authentication module adds HTTP basic authentication for Services module. A user could get unauthorized access to resources under some circumstances. This vulnerability is mitigated by the fact that the authentication works correctly when page caching is disabled. CVE identifiers...
SA-CONTRIB-2015-047 - Panopoly Magic - Cross Site Scripting (XSS)
This module enables live previews of Panels panes in the modal dialog for adding or editing them. The module doesn't sufficiently filter the pane title when re-rendering the live preview. This vulnerability is mitigated by the fact that an attacker must have permission to add or edit Panels panes...
SA-CONTRIB-2015-049 - Navigate - Cross Site Scripting (XSS)
Navigate is a customizable navigation bar for Drupal. The module doesn't sufficiently sanitize user input when displaying the Navigate bar. Because the vulnerability is a Reflected Cross Site Scripting, the only mitigating factor is that the victim must be tricked into visiting a specially crafte...
SA-CONTRIB-2015-048 - Avatar Uploader - Arbitrary PHP code execution
Avatar Uploader module provides an alternative way to upload user pictures. The module doesn't sufficiently enforce file extensions when an avatar is uploaded, allowing users to bypass Drupal's normal file upload protections to install malicious HTML or executable code to the server. This...
SA-CONTRIB-2015-051 - Term Queue - Cross Site Scripting (XSS)
Term Queue module allows you to create lists of taxonomy terms and display them in a block. The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker...
SA-CONTRIB-2015-052 - RESTful Web Services - Access Bypass
This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The RESTWS Basic Auth submodule doesn't sufficiently disable page caching for authenticated requests thereby leaking potentially...
SA-CONTRIB-2015-042 - Node basket - Multiple vulnerabilities - Unsupported
Node basket module enables you to pick up nodes in a basket. The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user with permission to...
SA-CONTRIB-2015-043 - Commerce Balanced Payments - Multiple vulnerabilities
Commerce Balanced Payments module integrates Drupal Commerce with the Balanced Payments third-party service. The module doesn't sufficiently sanitize user supplied text in the Bank Account Listing Page, thereby exposing a Cross Site Scripting vulnerability. Also, some URLs were not protected...
SA-CONTRIB-2015-041 - Feature Set - Cross Site Request Forgery (CSRF)
Feature Set module enables you to enable or disable sets of features or modules. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to enable and disable modules by getting the administrator's browser to make a request to a specially-crafte...
SA-CONTRIB-2015-040 - Webform prepopulate block - Cross Site Scripting (XSS)
Webform prepopulate block module enables you to set a webform component to display in a separated block. The module doesn't sufficiently sanitize user supplied text when displaying the block, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that a...
SA-CONTRIB-2015-046 - Taxonomy Tools - Cross Site Scripting (XSS)
Taxonomy Tools module provides alternative ways of managing taxonomy terms. The module doesn't sufficiently escape node and taxonomy term titles when displaying them, allowing a malicious user to inject code. This vulnerability is mitigated by the fact that an attacker must have a role with...
SA-CONTRIB-2015-039 - Views - Multiple vulnerabilities
The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. Open redirect vulnerability: The module does not sanitize user provided URLs when processing the page to break the lock on Views bei...
SA-CONTRIB-2015-045 - Node Access Product - Cross Site Scripting (XSS) - Unsupported
The Node Access Product module provides 'Node access' settings for product nodes, whereby users who purchase the product are granted view access to content, which can be predefined either by taxonomy, by node, or by Views. The module doesn't sufficiently sanitize node titles leading to the...
SA-CONTRIB-2015-044 - Taxonomy Path - Cross Site Scripting (XSS)
Taxonomy Path module enables you to create custom links to taxonomy terms within a display mode. The module doesn't sufficiently sanitize user provided text in the provided "Link to path" field formatter, thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by th...
SA-CONTRIB-2015-034 - Commerce WeDeal - Open Redirect
Commerce WeDeal module enables you to do Commerce payments through the payment provider WeDeal. The module doesn't sufficiently check a query parameter used for page redirection, thereby leading to an Open Redirect vulnerability. CVE identifiers issued CVE-2015-3393 Versions affected Commerce...
SA-CONTRIB-2015-035 - Ajax Timeline - Cross Site Scripting (XSS)
Ajax Timeline module enables you to display a vertical timeline of nodes based off a date field or created date of the configured nodes. The module doesn't sufficiently escape node titles when displaying the timeline, allowing a malicious user to inject code. This vulnerability is mitigated by th...
SA-CONTRIB-2015-037 - Path Breadcrumbs - Access Bypass
This module enables you to configure breadcrumbs for any Drupal page. The module doesn't check node access on 403 Not Found pages. As a result, unpublished content data can be shown to unprivileged users. This vulnerability is mitigated by the fact that it is possible to configure proper access...
SA-CONTRIB-2015-038 - Facebook Album Fetcher - Cross Site Scripting (XSS) - Unsupported
Facebook Album Fetcher module allows you to fetch Facebook albums from a Facebook account. The module incorrectly prints fields without proper sanitization thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...
SA-CONTRIB-2015-036 - Public Download Count - Cross Site Scripting (XSS) - Unsupported
Public Download Count module keeps track of file download counts. The module doesn't sufficiently sanitize user supplied text in the Download counts report page thereby exposing a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role wit...
SA-CONTRIB-2015-033 - Certify - Access bypass and information disclosure
Certify enables you to automatically issue PDF certificates to users upon completion of a set of conditions. The module does not sufficiently check node access when showing and creating the PDF certificates. This can lead to users seeing certificates they should not have access to. This...
SA-CONTRIB-2015-032 - Node Invite - Multiple vulnerabilities
Node Invite module enables you to invite people to RSVP on node types that have been configured to represent events. The module doesn't sufficiently sanitize the titles of nodes in some listings, allowing a malicious user to inject code, thereby leading to a Cross Site Scripting (XSS) vulnerability...
SA-CONTRIB-2015-030 - Amazon AWS - Access bypass
Amazon AWS module provides integration with Amazon Web Services (AWS). A malicious user could potentially guess an access token and trigger the creation of new backups by making a request to a specially-crafted URL. If the number of stored backups was limited, an attacker could exceed the limit by...
SA-CONTRIB-2015-031 - GD Infinite Scroll - Multiple vulnerabilities
GD Infinite Scroll module enables you to use the "infinite scroll jQuery plugin : auto-pager" on custom pages. Some links were not protected against CSRF. A malicious user could cause another user with the "edit gd infinite scroll settings" permission to delete settings by getting his browser to...
SA-CONTRIB-2015-028 - Shibboleth Authentication - Cross Site Request Forgery (CSRF)
Shibboleth Authentication module allows users to log in and get permissions based on federated SAML2 authentication. The roles that are assigned to users are based on a matching list. A malicious attacker can delete matching rules from the list by getting the administrator's browser to make a...
SA-CONTRIB-2015-024 - Alfresco - Cross Site Request Forgery (CSRF)
The Alfresco module provides integration between Drupal and Alfresco via Content Management Web Services SOAP and Repository RESTful API. The Alfresco Browser submodule provides an AJAX-based repository browser that allows users to visualize, upload, search and retrieve nodes from the Alfresco...
SA-CONTRIB-2015-023 - Classified Ads - Cross Site Scripting (XSS)
Classified Ads module enables administrators to create classified ads in various categories. The module doesn't correctly escape the category names in its administration user interface. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...
SA-CONTRIB-2015-026 - Taxonews - Cross Site Scripting (XSS)
This module enables you to create blocks of nodes carrying a given taxonomy term. The module doesn't sufficiently escape term names in the blocks it builds, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...
SA-CONTRIB-2015-029 - Corner - Cross Site Request Forgery (CSRF) - Unsupported
This module enables you to add configurable corners to your site. A malicious user can cause an administrator to enable and disable corners by getting the administrator's browser to make a request to a specially-crafted URL while the administrator is logged in. CVE identifiers issued CVE-2015-337...
SA-CONTRIB-2015-027 - Quizzler - Cross Site Scripting (XSS)
The Quizzler module allows you to create online quizzes and tests. Quizzes are nodes with questions attached. The module does not sanitize user input in the node title when displaying it on the page, allowing a malicious user to inject code, a Cross Site Scripting (XSS) attack. This vulnerability i...
SA-CONTRIB-2015-025 - Patterns - Cross Site Request Forgery (CSRF)
Patterns module manages and automates site configuration. Site configurations stored in XML or YAML are called Patterns, and these are easy to read, modify, manage & share and can be executed manually or as a part of an automated web site deployment. Some links were not protected against CSRF. A...
SA-CONTRIB-2015-018 - Video - Cross Site Scripting (XSS)
This module enables you to upload, convert and playback videos. The module doesn't sufficiently sanitize node titles when using the video WYSIWYG plugin, thereby opening a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with th...
SA-CONTRIB-2015-020 - Contact Form Fields - Cross Site Request Forgery (CSRF)
The Contact Form Fields module enables you to create additional fields to site-wide contact form. Some links were not properly protected from CSRF. A malicious user could cause an administrator to delete fields by getting the administrator's browser to make a request to a specially-crafted URL...
SA-CONTRIB-2015-017 - Room Reservations - Cross Site Scripting (XSS)
Room Reservations module enables you to manage a room reservation system. The module doesn't sufficiently sanitize the node title of "Room Reservations Category" nodes and the body of "Room Reservations Room" nodes, thereby leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability i...
SA-CONTRIB-2015-019 - Ubercart Currency Conversion - Open Redirect
This module enables users to change the currency of Ubercart products. When switching the currency, the user is redirected to a page specified in the destination query parameter. The module was not checking that the passed argument was an internal URL, thereby leading to an open redirect...
SA-CONTRIB-2015-015 - Term Merge - Cross Site Scripting (XSS)
This module enables you to merge synonymous taxonomy terms among themselves. The module doesn't sufficiently filter user input under certain conditions, thereby opening a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must be able to create...
SA-CONTRIB-2015-016 - Tadaa! - Multiple vulnerabilities
Tadaa! is a module aimed at simplifying the process of enabling/disabling modules and altering configuration when switching between different environments, e.g. Production/Staging/Development. The module exposes multiple paths that were not protected against Cross Site Request Forgeries (CSRF). A...
SA-CONTRIB-2015-022 - nodeauthor - Cross Site Scripting (XSS) - Unsupported
This module displays node author information in a jQuery slider. The module doesn't sufficiently sanitize Profile2 fields in a provided block. This vulnerability is mitigated by the fact that an attacker must have a user account allowed to edit profile fields. CVE identifiers issued CVE-2015-3365...
SA-CONTRIB-2015-014 - Wishlist - Multiple vulnerabilities
The Wishlist module enables authorized users to create wishlist nodes which describe items they would like for a special occasion. Also, it allows users to indicate their intention to purchase items for other users. The module fails to sanitize user input in log messages, leading to a Cross Site...
SA-CONTRIB-2015-021 - Content Analysis - Cross Site Scripting (XSS)
The Content Analysis module is an API designed to help modules that need to analyze content. The module fails to sanitize user input in log messages, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that only sites with dblog module enabled are...
SA-CONTRIB-2015-012 - Jammer - Cross Site Request Forgery (CSRF)
This module enables you to hide or remove items from displaying including the node and comment preview buttons, node delete button, revision log textarea, workflow form on the workflow tab, and feed icon. The report administration links are not properly protected from CSRF. A malicious user could...
SA-CONTRIB-2015-007 - Htaccess - Cross Site Request Forgery (CSRF)
The Htaccess module allows the creation and deployment of .htaccess files based on custom settings. Some administration links were not properly protected from Cross Site Request Forgery (CSRF). A malicious user could cause an administrator to deploy or delete .htaccess files by getting the...
SA-CONTRIB-2015-006 - Cloudwords for Multilingual Drupal - Multiple vulnerabilities
This module provides integration with the Cloudwords third-party service. The module was not sanitizing node titles on certain conditions, thereby leading to a Cross Site Scripting (XSS) vulnerability. Also, a menu callback was not protected against CSRF. The XSS vulnerability is mitigated by the...
SA-CONTRIB-2015-003 - PHPlist Integration Module - SQL Injection
The PHPlist Integration module provides an integration between a Drupal website and phpList newsletter manager. The module provides two main features: user sync and sending a node as a newsletter. The module introduces a SQL Injection vulnerability to the phpList database. The Drupal database is...
SA-CONTRIB-2015-009 - Linkit - Cross Site Scripting (XSS)
Linkit provides an easy interface for internal and external linking with wysiwyg editors and fields by using an autocomplete field. The module doesn't sufficiently sanitize node titles in the result list if the node search plugin is enabled. This vulnerability is mitigated by the fact that an...
SA-CONTRIB-2015-008 - Batch Jobs - Cross Site Request Forgery (CSRF)
The Batch Jobs project is a scalable way to execute a list of tasks. Links that take actions on batch jobs are not protected from Cross Site Request Forgery (CSRF). A malicious individual could cause a user that has permission to access a particular batch job or an administrator to delete the recor...
SA-CONTRIB-2015-001 - OPAC - Cross Site Request Forgery (CSRF)
OPAC module enables you to create mappings between node fields and ILS record fields. The module doesn't ask for confirmation when removing a mapping, leaving this operation vulnerable to cross-site request forgery (CSRF) attacks. CVE identifiers issued CVE-2015-3343 Versions affected OPAC 7.x-2.x...
SA-CONTRIB-2015-010 - Log Watcher - Cross Site Request Forgery (CSRF)
Log Watcher allows you to monitor your site logs in a systematic way by setting up scheduled aggregations for specific log types. The report administration links are not properly protected from CSRF. A malicious user could cause a log administrator to enable, disable, or delete a Log Watcher repo...