Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2015/02/04 12:0 a.m.14 views

SA-CONTRIB-2015-034 - Commerce WeDeal - Open Redirect

Commerce WeDeal module enables you to do Commerce payments through the payment provider WeDeal. The module doesn't sufficiently check a query parameter used for page redirection, thereby leading to an Open Redirect vulnerability. CVE identifiers issued CVE-2015-3393 Versions affected Commerce...

5.8CVSS6.4AI score0.01204EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/28 12:0 a.m.20 views

SA-CONTRIB-2015-030 - Amazon AWS - Access bypass

Amazon AWS module provides integration with Amazon Web Services AWS. A malicious user could potentially guess an access token and trigger the creation of new backups by making a request to a specially-crafted URL. If the number of stored backups was limited, an attacker could exceed the limit by...

5CVSS6.1AI score0.02087EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/28 12:0 a.m.16 views

SA-CONTRIB-2015-033 - Certify - Access bypass and information disclosure

Certify enables you to automatically issue PDF certificates to users upon completion of a set of conditions. The module does not sufficiently check node access when showing and creating the PDF certificates. This can lead to users seeing certificates they should not have access to. This...

4CVSS6.3AI score0.00699EPSS
Exploits0References11
Drupal
Drupal
added 2015/01/28 12:0 a.m.31 views

SA-CONTRIB-2015-031 - GD Infinite Scroll - Multiple vulnerabilites

GD Infinite Scroll module enables you to use the "infinite scroll jQuery plugin : auto-pager" on custom pages. Some links were not protected against CSRF. A malicious user could cause another user with the "edit gd infinite scroll settings" permission to delete settings by getting his browser to...

6.8CVSS5.5AI score0.01148EPSS
Exploits0References10
Drupal
Drupal
added 2015/01/28 12:0 a.m.34 views

SA-CONTRIB-2015-032 - Node Invite - Multiple vulnerabilities

Node Invite module enables you to invite people to RSVP on node types that have been configured to represent events. The module doesn't sufficiently sanitize the titles of nodes in some listings, allowing a malicious user to inject code, thereby leading to a Cross Site Scripting XSS vulnerability...

6.8CVSS5.5AI score0.01204EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/21 12:0 a.m.23 views

SA-CONTRIB-2015-029 - Corner - Cross Site Request Forgery (CSRF) - Unsupported

This module enables you to add configurable corners to your site. A malicious user can cause an administrator to enable and disable corners by getting the administrator's browser to make a request to a specially-crafted URL while the administrator is logged in. CVE identifiers issued CVE-2015-337...

5.8CVSS6.3AI score0.00649EPSS
Exploits0References8
Drupal
Drupal
added 2015/01/21 12:0 a.m.27 views

SA-CONTRIB-2015-025 - Patterns - Cross Site Request Forgery (CSRF)

Patterns module manages and automates site configuration. Site configurations stored in XML or YAML are called Patterns, and these are easy to read, modify, manage & share and can be executed manually or as a part of an automated web site deployment. Some links were not protected against CSRF. A...

6.8CVSS6.1AI score0.00656EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/21 12:0 a.m.23 views

SA-CONTRIB-2015-026 - Taxonews - Cross Site Scripting (XSS)

This module enables you to create blocks of nodes carrying a given taxonomy term. The module doesn't sufficiently escape term names in the blocks it builds leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

3.5CVSS5.5AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/21 12:0 a.m.15 views

SA-CONTRIB-2015-027 - Quizzler - Cross Site Scripting (XSS)

The Quizzler module allows you to create online quizzes and tests. Quizzes are nodes with questions attached. The module does not sanitize user input in the node title when displaying it on the page, allowing a malicious user to inject code, a Cross Site Scripting XSS attack. This vulnerability i...

3.5CVSS5.5AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/21 12:0 a.m.26 views

SA-CONTRIB-2015-028 - Shibboleth Authentication - Cross Site Request Forgery (CSRF)

Shibboleth Authentication module allows users to log in and get permissions based on federated SAML2 authentication. The roles that are assigned to users are based on a matching list. A malicious attacker can delete matching rules from the list by getting the administrator's browser to make a...

5.8CVSS6.5AI score0.00656EPSS
Exploits0References10
Drupal
Drupal
added 2015/01/21 12:0 a.m.20 views

SA-CONTRIB-2015-023 - Classified Ads - Cross Site Scripting (XSS)

Classified Ads module enables administrators to create classified ads in various categories. The module doesn't correctly escape the category names in its administration user interface. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...

3.5CVSS6.3AI score0.00965EPSS
Exploits0References10
Drupal
Drupal
added 2015/01/21 12:0 a.m.22 views

SA-CONTRIB-2015-024 - Alfresco - Cross Site Request Forgery (CSRF)

The Alfresco module provides integration between Drupal and Alfresco via Content Management Web Services SOAP and Repository RESTful API. The Alfresco Browser submodule provides an AJAX-based repository browser that allows users to visualize, upload, search and retrieve nodes from the Alfresco...

5.8CVSS6.2AI score0.00656EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/14 12:0 a.m.22 views

SA-CONTRIB-2015-018 - Video - Cross Site Scripting (XSS)

This module enables you to upload, convert and playback videos. The module doesn't sufficiently sanitize node titles when using the video WYSIWYG plugin, thereby opening a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with th...

3.5CVSS5.7AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/14 12:0 a.m.25 views

SA-CONTRIB-2015-021 - Content Analysis - Cross Site Scripting (XSS)

The Content Analysis module is an API designed to help modules that need to analyze content. The module fails to sanitize user input in log messages, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that only sites with dblog module enabled are...

4.3CVSS5.6AI score0.01184EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/14 12:0 a.m.18 views

SA-CONTRIB-2015-017 - Room Reservations - Cross Site Scripting (XSS)

Room Reservations module enables you to manage a room reservation system. The module doesn't sufficiently sanitize the node title of "Room Reservations Category" nodes and the body of "Room Reservations Room" nodes, thereby leading to a Cross Site Scripting XSS vulnerability. This vulnerability i...

3.5CVSS5.7AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/14 12:0 a.m.29 views

SA-CONTRIB-2015-014 - Wishlist - Multiple vulnerabilities

The Wishlist module enables authorized users to create wishlist nodes which describe items they would like for a special occasion. Also, it allows users to indicate their intention to purchase items for other users. The module fails to sanitize user input in log messages, leading to a Cross Site...

6.8CVSS5.5AI score0.00656EPSS
Exploits0References11
Drupal
Drupal
added 2015/01/14 12:0 a.m.25 views

SA-CONTRIB-2015-016 - Tadaa! - Multiple vulnerabilities

Tadaa! is a module aimed at simplifying the process of enabling/disabling modules and altering configuration when switching between different environments, e.g. Production/Staging/Development. The module exposes multiple paths that were not protected against Cross Site Request Forgeries CSRF. A...

6.8CVSS6.2AI score0.01204EPSS
Exploits0References10
Drupal
Drupal
added 2015/01/14 12:0 a.m.22 views

SA-CONTRIB-2015-020 - Contact Form Fields - Cross Site Request Forgery (CSRF)

The Contact Form Fields module enables you to create additional fields to site-wide contact form. Some links were not properly protected from CSRF. A malicious user could cause an administrator to delete fields by getting the administrator's browser to make a request to a specially-crafted URL...

6.8CVSS6.3AI score0.00656EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/14 12:0 a.m.23 views

SA-CONTRIB-2015-019 - Ubercart Currency Conversion - Open Redirect

This module enables users to change the currency of Ubercart products. When switching the currency, the user is redirected to a page specified in the destination query parameter. The module was not checking that the passed argument was an internal URL, thereby leading to an open redirect...

5.8CVSS6.3AI score0.01204EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/14 12:0 a.m.24 views

SA-CONTRIB-2015-015 - Term Merge - Cross Site Scripting (XSS)

This module enables you to merge synonymous taxonomy terms among themselves. The module doesn't sufficiently filter user input under certain conditions, thereby opening a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must be able to create...

3.5CVSS5.6AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/14 12:0 a.m.23 views

SA-CONTRIB-2015-022 - nodeauthor - Cross Site Scripting (XSS) - Unsupported

This module displays node author information in a jQuery slider. The module doesn't sufficiently sanitize Profile2 fields in a provided block. This vulnerability is mitigated by the fact that an attacker must have a user account allowed to edit profile fields. CVE identifiers issued CVE-2015-3365...

3.5CVSS6AI score0.00954EPSS
Exploits0References8
Drupal
Drupal
added 2015/01/07 12:0 a.m.22 views

SA-CONTRIB-2015-005 - WikiWiki - SQL injection

WikiWiki module gives you one place to create, share and find wiki pages in your site. The module did not sanitize user input inside a database query thereby leading to a SQL Injection vulnerability. CVE identifiers issued CVE-2015-3346 Versions affected WikiWiki 6.x-1.x versions prior to 6.x-1.2...

7.5CVSS7.4AI score0.01285EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/07 12:0 a.m.23 views

SA-CONTRIB-2015-012 - Jammer - Cross Site Request Forgery (CSRF)

This module enables you to hide or remove items from displaying including the node and comment preview buttons, node delete button, revision log textarea, workflow form on the workflow tab, and feed icon. The report administration links are not properly protected from CSRF. A malicious user could...

6.8CVSS5.8AI score0.00656EPSS
Exploits0References10
Drupal
Drupal
added 2015/01/07 12:0 a.m.23 views

SA-CONTRIB-2015-008 - Batch Jobs - Cross Site Request Forgery (CSRF)

The Batch Jobs project is a scalable way to execute a list of tasks. Links that take actions on batch jobs are not protected from Cross Site Request Forgery CSRF. A malicious individual could cause a user that has permission to access a particular batch job or an administrator to delete the recor...

6.8CVSS6.9AI score0.00656EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/07 12:0 a.m.27 views

SA-CONTRIB-2015-003 - PHPlist Integration Module - SQL Injection

The PHPlist Integration module provides an integration between a Drupal website and phpList newsletter manager. The module provides two main features: user sync and sending a node as a newsletter. The module introduces a SQL Injection vulnerability to the phpList database. The Drupal database is...

6.5CVSS7.4AI score0.00891EPSS
Exploits0References10
Drupal
Drupal
added 2015/01/07 12:0 a.m.23 views

SA-CONTRIB-2015-002 - Course - Cross Site Scripting (XSS)

Course module enables you to create e-learning courses with any number of requirements for completion. The module doesn't sufficiently filter node title displays when being used in a course. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to creat...

3.5CVSS6.3AI score0.00965EPSS
Exploits0References11
Drupal
Drupal
added 2015/01/07 12:0 a.m.20 views

SA-CONTRIB-2015-006 - Cloudwords for Multilingual Drupal - Multiple vulnerabilities

This module provides integration with the Cloudwords third-party service. The module was not sanitizing node titles on certain conditions, thereby leading to a Cross Site Scripting XSS vulnerability. Also, a menu callback was not protected against CSRF. The XSS vulnerability is mitigated by the...

6.8CVSS5.1AI score0.00965EPSS
Exploits0References10
Drupal
Drupal
added 2015/01/07 12:0 a.m.16 views

SA-CONTRIB-2015-007 - Htaccess - Cross Site Request Forgery (CSRF)

The Htaccess module allows the creation and deployment of .htaccess files based on custom settings. Some administration links were not properly protected from Cross Site Request Forgery CSRF. A malicious user could cause an administrator to deploy or delete .htaccess files by getting the...

6.8CVSS6.5AI score0.00656EPSS
Exploits0References10
Drupal
Drupal
added 2015/01/07 12:0 a.m.20 views

SA-CONTRIB-2015-011 - Todo Filter - Cross Site Request Forgery (CSRF)

Todo Filter module provides an input filter to display check-boxes that can be used as a task list. Some paths were not protected against CSRF, meaning that an attacker could cause users to toggle tasks they did not intend to toggle by getting the user's browser to make a request to a...

6.8CVSS6.3AI score0.00656EPSS
Exploits0References11
Drupal
Drupal
added 2015/01/07 12:0 a.m.20 views

SA-CONTRIB-2015-009 - Linkit - Cross Site Scripting (XSS)

Linkit provides an easy interface for internal and external linking with wysiwyg editors and fields by using an autocomplete field. The module doesn't sufficiently sanitize node titles in the result list if the node search plugin is enabled. This vulnerability is mitigated by the fact that an...

2.1CVSS6.4AI score0.0114EPSS
Exploits0References10
Drupal
Drupal
added 2015/01/07 12:0 a.m.26 views

SA-CONTRIB-2015-004 - Context - Open Redirect

Context allows you to manage contextual conditions and reactions for different portions of your site. Context UI module wasn't checking for external URLs in the HTTP GET destination parameter when redirecting users that are activating/deactivating the Context UI inline editor dialog, thereby...

5.8CVSS6.1AI score0.0219EPSS
Exploits0References11
Drupal
Drupal
added 2015/01/07 12:0 a.m.24 views

SA-CONTRIB-2015-001 - OPAC - Cross Site Request Forgery (CSRF)

OPAC module enables you to create mappings between node fields and ILS record fields. The module doesn't ask for confirmation when removing a mapping, leaving this operation vulnerable to cross-site request forgery CSRF attacks. CVE identifiers issued CVE-2015-3343 Versions affected OPAC 7.x-2.x...

6.8CVSS6.5AI score0.00656EPSS
Exploits0References9
Drupal
Drupal
added 2015/01/07 12:0 a.m.19 views

SA-CONTRIB-2015-010 - Log Watcher - Cross Site Request Forgery (CSRF)

Log Watcher allows you to monitor your site logs in a systematic way by setting up scheduled aggregations for specific log types. The report administration links are not properly protected from CSRF. A malicious user could cause a log administrator to enable, disable, or delete a Log Watcher repo...

6.8CVSS6.2AI score0.00656EPSS
Exploits0References10
Drupal
Drupal
added 2015/01/07 12:0 a.m.21 views

SA-CONTRIB-2015-013 - Field Display Label - Cross Site Scripting (XSS)

This module enables you to use a different label for displaying fields from the label used when viewing the field in a form. The module doesn't sufficiently sanitize the alternate field label in content types settings. This vulnerability is mitigated by the fact that an attacker must have a role...

3.5CVSS6.3AI score0.00965EPSS
Exploits0References9
Drupal
Drupal
added 2014/12/17 12:0 a.m.11 views

SA-CONTRIB-2014-128 - Organic Groups Menu - Access bypass

This module enables you to associate menus with Organic Groups OG. It allows you to create one or more menus per group, configure and apply menu permissions in a group context, add/edit menu links directly from the entity form, etc. The module doesn't sufficiently check the menu parameters passed...

6.7AI score
Exploits0References13
Drupal
Drupal
added 2014/12/17 12:0 a.m.19 views

SA-CONTRIB-2014-127 - School Administration - Cross Site Scripting (XSS)

School Administration module enables you to keep records of all students and staff. With inner modules, it aims to be a complete school administration system. The module failed to sanitize some node titles in messages, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is...

3.5CVSS5.7AI score0.00976EPSS
Exploits1References11
Drupal
Drupal
added 2014/12/17 12:0 a.m.31 views

SA-CONTRIB-2014-126 - Open Atrium - Multiple vulnerabilities

This distribution enables you to create an intranet. Several of the sub modules included do not prevent CSRF on several menu callbacks. Open Atrium Discussion also does not exit correctly after checking access on a several ajax callbacks, allowing anyone with "access content" to update and delete...

8.8CVSS7.2AI score0.01612EPSS
Exploits0References12
Drupal
Drupal
added 2014/12/10 12:0 a.m.14 views

SA-CONTRIB-2014-118 - Administer Users by Role - Access Bypass - Unsupported

This module enables site builders to set up fine-grained permissions for allowing users to edit and delete other users. The module doesn't sufficiently validate access permissions, enabling users who supposedly have limited permissions to grant themselves more permissions. This vulnerability is...

6.8AI score
Exploits0References10
Drupal
Drupal
added 2014/12/10 12:0 a.m.21 views

SA-CONTRIB-2014-124 - Poll Chart - Cross Site Scripting (XSS)

This module enables users to have a block displaying the result of the last poll as a chart. The module doesn't sufficiently sanitize poll node titles when displaying the block. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create polls and t...

3.5CVSS6.3AI score0.00946EPSS
Exploits0References10
Drupal
Drupal
added 2014/12/10 12:0 a.m.19 views

SA-CONTRIB-2014-123 - Postal Code - Cross Site Scripting (XSS)

The Postal Code module enables you to implement postal code validation for several countries. The module doesn't sufficiently sanitize certain data in the admin thereby opening a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role...

6.5AI score
Exploits0References12
Drupal
Drupal
added 2014/12/10 12:0 a.m.14 views

SA-CONTRIB-2014-119 - Google Analytics - Information disclosure

This module enables you to integrate Drupal with Google Analytics. The module leaks the site specific hash salt to authenticated users when user-id tracking is turned on. This vulnerability is mitigated by the fact that user-id tracking must be turned on and the attacker needs to have an account ...

6.9AI score
Exploits0References11
Drupal
Drupal
added 2014/12/10 12:0 a.m.20 views

SA-CONTRIB-2014-120 - Piwik Web Analytics - Information disclosure

This module enables you to integrate Drupal with Piwik Web Analytics. The module leaks the site specific hash salt to authenticated users when user-id tracking is turned on. This vulnerability is mitigated by the fact that user-id tracking must be turned on and the attacker needs to have an accou...

6.9AI score
Exploits0References11
Drupal
Drupal
added 2014/12/10 12:0 a.m.8 views

SA-CONTRIB-2014-125 - Organic Groups Menu - Access bypass

This module enables you to associate menus with Organic Groups OG. It allows you to create one or more menus per group, configure and apply menu permissions in a group context, add/edit menu links directly from the entity form, etc. The module doesn't sufficiently check the menu parameters passed...

6.7AI score
Exploits0References14
Drupal
Drupal
added 2014/12/10 12:0 a.m.25 views

SA-CONTRIB-2014-122 - MoIP - Cross Site Scripting (XSS)

This module enables you to use Moip a Brazilian payment method with Drupal Commerce. The module doesn't sufficiently filter the data passed by the automatic notifications, leaving the possibility for a malicious user to insert Cross Site Scripting xss attacks. This vulnerability is mitigated by t...

4.3CVSS6AI score0.01161EPSS
Exploits0References11
Drupal
Drupal
added 2014/12/10 12:0 a.m.20 views

SA-CONTRIB-2014-121 - Godwin's Law - Cross Site Scripting (XSS)

This module enables you to execute arbitrary Javascript by adding the script to the title of a node. The module doesn't sufficiently sanitize Watchdog messages when viewing the detail view of a specific Watchdog notification. It improperly translated the message rather than using proper Watchdog...

3.5CVSS7AI score0.00946EPSS
Exploits0References11
Drupal
Drupal
added 2014/12/03 12:0 a.m.17 views

SA-CONTRIB-2014-117 - Hierarchical Select - Cross Site Scripting (XSS)

The Hierarchical Select module provides a "hierarchicalselect" form element, which is a greatly enhanced way for letting the user select items in a taxonomy. The module does not sanitize some of the user-supplied data before displaying it, leading to two Cross Site Scripting XSS vulnerabilities...

3.5CVSS5.9AI score0.00946EPSS
Exploits0References11
Drupal
Drupal
added 2014/12/03 12:0 a.m.19 views

SA-CONTRIB-2014-116 - Webform Invitation - Cross Site Scripting (XSS)

This module enables you to create custom invitation codes for Webforms. The module failed to sanitize node titles. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Webform: Create new content", "Webform: Edit own content" and/or "Webform: Edit any...

3.5CVSS6.4AI score0.00946EPSS
Exploits0References10
Drupal
Drupal
added 2014/11/19 12:0 a.m.653 views

Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006

Session hijacking Drupal 6 and 7 A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session. This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content "mixed-mode", but it is possible...

6.8CVSS6.2AI score0.82234EPSS
Exploits3References20
Drupal
Drupal
added 2014/11/19 12:0 a.m.22 views

SA-CONTRIB-2014-114 - Tournament - Cross Site Scripting

This project allows you to create various types of tournaments as nodes and associated teams, tournaments, and matches. There are several cases in the project where an account username, node title, and team entity title are not correctly filtered before being displayed to a user. It is possible t...

4.3CVSS5.8AI score0.01171EPSS
Exploits0References10
Drupal
Drupal
added 2014/11/19 12:0 a.m.27 views

SA-CONTRIB-2014-112 - Node Field - Cross Site Scripting (XSS)

Node Field module allows you to add custom extra fields to single Drupal nodes. The module doesn't sufficiently sanitize user input for some of the module's internal fields. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create nodes. CVE...

3.5CVSS6.3AI score0.00954EPSS
Exploits0References13
Total number of security vulnerabilities1940