SA-CONTRIB-2015-011 - Todo Filter - Cross Site Request Forgery (CSRF)

Todo Filter module provides an input filter to display check-boxes that can be used as a task list. Some paths were not protected against CSRF, meaning that an attacker could cause users to toggle tasks they did not intend to toggle by getting the user's browser to make a request to a...

SA-CONTRIB-2015-005 - WikiWiki - SQL injection

WikiWiki module gives you one place to create, share and find wiki pages in your site. The module did not sanitize user input inside a database query thereby leading to a SQL Injection vulnerability. CVE identifiers issued CVE-2015-3346 Versions affected WikiWiki 6.x-1.x versions prior to 6.x-1.2...

SA-CONTRIB-2015-002 - Course - Cross Site Scripting (XSS)

Course module enables you to create e-learning courses with any number of requirements for completion. The module doesn't sufficiently filter node title displays when being used in a course. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to creat...

SA-CONTRIB-2015-013 - Field Display Label - Cross Site Scripting (XSS)

This module enables you to use a different label for displaying fields from the label used when viewing the field in a form. The module doesn't sufficiently sanitize the alternate field label in content types settings. This vulnerability is mitigated by the fact that an attacker must have a role...

SA-CONTRIB-2015-004 - Context - Open Redirect

Context allows you to manage contextual conditions and reactions for different portions of your site. Context UI module wasn't checking for external URLs in the HTTP GET destination parameter when redirecting users that are activating/deactivating the Context UI inline editor dialog, thereby...

SA-CONTRIB-2014-128 - Organic Groups Menu - Access bypass

This module enables you to associate menus with Organic Groups OG. It allows you to create one or more menus per group, configure and apply menu permissions in a group context, add/edit menu links directly from the entity form, etc. The module doesn't sufficiently check the menu parameters passed...

SA-CONTRIB-2014-127 - School Administration - Cross Site Scripting (XSS)

School Administration module enables you to keep records of all students and staff. With inner modules, it aims to be a complete school administration system. The module failed to sanitize some node titles in messages, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is...

SA-CONTRIB-2014-126 - Open Atrium - Multiple vulnerabilities

This distribution enables you to create an intranet. Several of the sub modules included do not prevent CSRF on several menu callbacks. Open Atrium Discussion also does not exit correctly after checking access on a several ajax callbacks, allowing anyone with "access content" to update and delete...

SA-CONTRIB-2014-125 - Organic Groups Menu - Access bypass

This module enables you to associate menus with Organic Groups OG. It allows you to create one or more menus per group, configure and apply menu permissions in a group context, add/edit menu links directly from the entity form, etc. The module doesn't sufficiently check the menu parameters passed...

SA-CONTRIB-2014-123 - Postal Code - Cross Site Scripting (XSS)

The Postal Code module enables you to implement postal code validation for several countries. The module doesn't sufficiently sanitize certain data in the admin thereby opening a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role...

SA-CONTRIB-2014-119 - Google Analytics - Information disclosure

This module enables you to integrate Drupal with Google Analytics. The module leaks the site specific hash salt to authenticated users when user-id tracking is turned on. This vulnerability is mitigated by the fact that user-id tracking must be turned on and the attacker needs to have an account ...

SA-CONTRIB-2014-121 - Godwin's Law - Cross Site Scripting (XSS)

This module enables you to execute arbitrary Javascript by adding the script to the title of a node. The module doesn't sufficiently sanitize Watchdog messages when viewing the detail view of a specific Watchdog notification. It improperly translated the message rather than using proper Watchdog...

SA-CONTRIB-2014-122 - MoIP - Cross Site Scripting (XSS)

This module enables you to use Moip a Brazilian payment method with Drupal Commerce. The module doesn't sufficiently filter the data passed by the automatic notifications, leaving the possibility for a malicious user to insert Cross Site Scripting xss attacks. This vulnerability is mitigated by t...

SA-CONTRIB-2014-120 - Piwik Web Analytics - Information disclosure

This module enables you to integrate Drupal with Piwik Web Analytics. The module leaks the site specific hash salt to authenticated users when user-id tracking is turned on. This vulnerability is mitigated by the fact that user-id tracking must be turned on and the attacker needs to have an accou...

SA-CONTRIB-2014-124 - Poll Chart - Cross Site Scripting (XSS)

This module enables users to have a block displaying the result of the last poll as a chart. The module doesn't sufficiently sanitize poll node titles when displaying the block. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create polls and t...

SA-CONTRIB-2014-118 - Administer Users by Role - Access Bypass - Unsupported

This module enables site builders to set up fine-grained permissions for allowing users to edit and delete other users. The module doesn't sufficiently validate access permissions, enabling users who supposedly have limited permissions to grant themselves more permissions. This vulnerability is...

SA-CONTRIB-2014-117 - Hierarchical Select - Cross Site Scripting (XSS)

The Hierarchical Select module provides a "hierarchicalselect" form element, which is a greatly enhanced way for letting the user select items in a taxonomy. The module does not sanitize some of the user-supplied data before displaying it, leading to two Cross Site Scripting XSS vulnerabilities...

SA-CONTRIB-2014-116 - Webform Invitation - Cross Site Scripting (XSS)

This module enables you to create custom invitation codes for Webforms. The module failed to sanitize node titles. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Webform: Create new content", "Webform: Edit own content" and/or "Webform: Edit any...

SA-CONTRIB-2014-113 - Secure Password Hashes - Denial of Service

This module enables a more secure password storage for Drupal 6 by back-porting the code used in Drupal 7 core. A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive...

SA-CONTRIB-2014-114 - Tournament - Cross Site Scripting

This project allows you to create various types of tournaments as nodes and associated teams, tournaments, and matches. There are several cases in the project where an account username, node title, and team entity title are not correctly filtered before being displayed to a user. It is possible t...

SA-CONTRIB-2014-115 - Form Builder - Cross-Site Scripting (XSS)

The Form Builder module enables users to build entire Form API structures through a graphical, AJAX-like interface. The module doesn't sufficiently sanitize form titles in some cases. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create forms...

Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006

Session hijacking Drupal 6 and 7 A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session. This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content "mixed-mode", but it is possible...

SA-CONTRIB-2014-111 - Protected Pages - Password Protection Bypass

Protected Pages modules allows the administrator to secure any page in your website by password by configuring a add path and the associated password. The module did not sufficiently protect variations on the protected path. CVE identifiers issued CVE-2014-9024 Versions affected Protected Pages...

SA-CONTRIB-2014-112 - Node Field - Cross Site Scripting (XSS)

Node Field module allows you to add custom extra fields to single Drupal nodes. The module doesn't sufficiently sanitize user input for some of the module's internal fields. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create nodes. CVE...

SA-CONTRIB-2014-108 - Webform Component Roles - Access Bypass

The Webform component module enables site admins to limit visibility or editability of webform components based on user roles. The module doesn't sufficiently check that disabled component values are not modified upon submission of the form. CVE identifiers issued CVE-2014-9022 Versions affected...

SA-CONTRIB-2014-107 - Scheduler - Cross Site Scripting

The Scheduler module allows nodes to be published and unpublished on specified dates. The module allows administrators to provide additional help text on the content editing form when scheduling is enabled. The module doesn't sufficiently filter the help text which could lead to a Cross Site...

SA-CONTRIB-2014-109 - Freelinking - Cross Site Scripting (XSS)

The Freelinking module implements a filter framework for easier creation of HTML links to other pages on the site or to external sites. The module does not sanitize the node title when providing a link to the node, opening a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated ...

SA-CONTRIB-2014-106 - Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass

This module provides payment methods for the Drupal Commerce package to permit the use of the Authorize.Net payment gateway's SIM and DPM payment protocols. Access Bypass The module doesn't sufficiently protect the Drupal Commerce order number passed to the Authorize.Net payment gateway, allowing...

SA-CONTRIB-2014-104 - Addressfield Tokens - Cross Site Scripting

The Addressfield Tokens module extends the Addressfield module by adding full token support. The module doesn't sufficiently filter malicious user input, opening a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

SA-CONTRIB-2014-105 - OG Menu - Access Bypass

OG Menu allows using menus within Organic Groups. The permissions for accessing the module settings were to broad, possibly granting access to users who would normally not be able to change the OG Menu configuration. This vulnerability is mitigated by the fact that an attacker must have a role wi...

SA-CONTRIB-2014-103 - Passwordless - Cross Site Scripting (XSS)

This module replaces the regular Drupal login form with a modification of the password-request form, to give the possibility to log in without using a password. The module doesn't sufficiently sanitize user-generated text entered in the module's configuration form. This vulnerability is mitigated...

SA-CONTRIB-2014-100 - Bad Behavior - Information Disclosure

This module enables you to to target any malicious software directed at a Web site, whether it be a spambot, ill-designed search engine bot, or system crackers. It blocks such access and then logs their attempts. Information Disclosure The module doesn't sufficiently sanitize log data, allowing...

SA-CONTRIB-2014-101 - Ubercart - Cross Site Request Forgery

The Ubercart module provides a shopping cart and e-commerce features for Drupal. Cross Site Request Forgery CSRF The country administration links are not properly protected. A malicious user could trick a store administrator into enabling or disabling a country by getting them to visit a...

SA-CONTRIB-2014-099 - Open Atrium Core - Access bypass

The oacore module contains the base access control mechanism for the Open Atrium distribution OA2. In OA2, file attachments are given the same access permission as the node they are attached to. The vulnerability is when an attachment is removed from a node that has Revisions enabled. It allows...

SA-CORE-2014-005 - Drupal core - SQL injection

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the...

SA-CONTRIB-2014-098 - CKEditor - Cross Site Scripting (XSS)

The CKEditor module and its predecessor, FCKeditor module allows Drupal to replace textarea fields with CKEditor 3.x/4.x FCKeditor 2.x in case of FCKeditor module - a visual HTML editor, sometimes called WYSIWYG editor. Both modules define a function, called via an ajax request, that filters text...

SA-CONTRIB-2014-096 - OAuth2 Client - Cross Site Scripting (XSS)

OAuth2 Client is an API support module, enabling other modules to connect to services using OAuth2 authentication. Within its API code the Client class exposes variables in an error message, which originate from a third party source without proper sanitisation thus leading to a Cross Site Scripti...

SA-CONTRIB-2014-102 - Document - Cross Site Scripting

Document module is a basic Document Management System for Drupal. Cross Site Scripting XSS The module wasn't sanitizing user input sufficiently in a few use cases. This vulnerability is mitigated by the the fact that a user must have permissions to add or edit documents to be able to exploit the...

SA-CONTRIB-2014-097 - nodeaccess - Access Bypass

Nodeaccess is a Drupal access control module which provides view, edit and delete access to nodes. This module enables you to inadvertently allow an author of a node view/edit/delete the node in question who may not have access. The module over-eagerly grants read/write/delete access to all autho...

SA-CONTRIB-2014-092 - Services - Cross Site Scripting, Access bypass

The Services module enables you to expose an API to third party systems using REST, XML-RPC or other protocols. New user's password set to weak password in userresourcecreate When creating a new user account via Services, the new user's password was set to a weak password. This issue is mitigated...

SA-CONTRIB-2014-094 - Webform Patched - Cross Site Scripting (XSS)

The Webform Patched module is a fork of the Webform module with Token support added. The module enables you to create forms which can be used for surveys, contact forms or other data collection throughout your site. The module doesn't sufficiently sanitize field label titles when two fields have...

SA-CONTRIB-2014-093 - Twilio - Information Disclosure

This module enables you to easily add SMS and VOIP functionality to your website by leveraging the Twilio cloud Voip and SMS service. The module doesn't expose its own permissions for administration including viewing and editing the Twilio authentication tokens. It relies only on "access...

SA-CONTRIB-2014-095 - Safeword - Cross Site Scripting (XSS)

The safeword module provides an automatically generated 'Machine Name' when text is entered into a human-readable field. The module doesn't sufficiently sanitize the field description that can be used as help text under the machine name editing field. This vulnerability is mitigated by the fact...

SA-CONTRIB-2014-090 - Speech recognition - Multiple vulnerabilities

This module enables you to add speech recognition to forms, allowing site admins to enable experimental Speech Input API features on form inputs through the user interface. Cross Site Scripting XSS The module incorrectly prints fields without proper sanitization thereby opening a Cross Site...

SA-CONTRIB-2014-091 - Survey Builder - Cross Site Scripting (XSS)

This module allows you to use the Form Builder module to provide an intuitive interface for building surveys, along with the back-end for storing surveys and their responses. Cross Site Scripting XSS When viewing surveys at "/surveys", the survey titles printed out are not sanitized. Any...

SA-CONTRIB-2014-088 - Mollom - Cross-site scripting (XSS)

Mollom is an "intelligent" content moderation web service which determines if a post is potentially spam; not only based on the posted content, but also on the past activity and reputation of the poster across multiple sites. Mollom offers a feature to report submitted content as inappropriate...

SA-CONTRIB-2014-089 - Geofield Yandex Maps - Cross Site Scripting (XSS)

The Geofield Yandex Maps module provides a Geofield widget, Geofield formatter, Views handler, Form element and Text filter to allow Yandex maps to be added to a site. The module does not sufficiently filter user-supplied text, resulting in a persistent Cross Site Scripting XSS vulnerability. The...

SA-CONTRIB-2014-087 - Drupal Commerce - Information disclosure

Drupal Commerce is used to build eCommerce websites and applications of all sizes. The commerceorder module can be used to create new user accounts where email addresses are used as user names. Since user names are not considered private information in Drupal this is an information disclosure of...

SA-CONTRIB-2014-085 - Ubercart - Information disclosure

The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal. The per-user order history view is not properly protected. This vulnerability is mitigated by the fact that an attacker must have an account with the "view own orders" permission and can only view order ID...

SA-CONTRIB-2014-086 - Custom BreadCrumbs - Cross Site Scripting (XSS)

Custom Breadcrumbs allows administrators to set up parametrized breadcrumb trails for different content types, views, panels, taxonomy vocabularies and terms, paths, and a simple API that allows contributed modules to enable custom breadcrumbs for module pages and theme templates. User input is n...