SA-CONTRIB-2014-083 - Rules Link - Cross Site Scripting (XSS)
This module allows you to create links which trigger arbitrary functionality with the help of the Rules module. The module doesn't sufficiently sanitize the question and description strings when confirmation forms are displayed for triggering Rules links. This vulnerability is mitigated by the fa...
SA-CONTRIB-2014-082 - Marketo MA - Cross Site Scripting (XSS)
The Marketo MA module adds Marketo marketing automation tracking capability to your website as well as the ability to capture lead data during user registration and via webform integration. It consists of a base module as well as Marketo MA User Webform and Marketo MA User sub-modules. The Market...
SA-CONTRIB-2014-081 - Site Banner - Cross Site Scripting (XSS)
The Site Banner module enables you to display a banner at the top and bottom of a Drupal site. This module incorrectly prints existing context settings without proper sanitization, opening a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must...
SA-CONTRIB-2014-084 - Avatar Uploader - Information Disclosure
The Avatar Uploader enables you to upload user pictures in a user-friendly way, like Quora and Facebook. The module doesn't sufficiently check the picture path when a user crops the picture in the uploader panel allowing a malicious user to make specially crafted requests to obtain sensitive serv...
SA-CONTRIB-2014-079 - RedHen CRM - Cross Site Scripting (XSS)
The RedHen CRM project contains the redhendedup module which enables you to find duplicate contacts in the CRM. The redhendedup module doesn't sufficiently filter administrator-entered text when deduping contacts, which creates a Cross Site Scripting XSS vulnerability. The vulnerability is...
SA-CONTRIB-2014-080 - Social Stats - Cross Site Scripting (XSS)
The Social Stats module enables you to collect statistics from various social networks and use that data with the Views module as field data, sort criteria, or filter criteria. The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting in a persisten...
SA-CONTRIB-2014-077 - TableField - Cross Site Scripting (XSS)
This module enables you to create a field attached to an entity which stores tabular data. The module doesn't sufficiently sanitize the field help text when presented to a privileged user. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...
SA-CONTRIB-2014-078 - Notify - Access bypass
The notify module allows users to subscribe to periodic emails which include all new or revised content and/or comments of specific content types, much like the daily newsletters sent by some websites. The Notify module does not sufficiently check whether the user has access to recently added or...
SA-CORE-2014-004 - Drupal core - Denial of service
Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available xmlrpc.php. The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to rea...
SA-CONTRIB-2014-076 - Fasttoggle - Access bypass
This module enables you to quickly toggle various user, node and field related settings via ajax links. The recent 7.x-1.3 and 1.4 releases of the module include a rewrite of the access control which doesn't correctly implement support for the user status allow/block link. This vulnerability is...
SA-CONTRIB-2014-075 - Biblio Autocomplete - SQL injection and Access Bypass
This module provides functionality for AJAX based auto-completion of fields in the Biblio node type provided by the Biblio module using previously entered values and third party services. The submodule "Biblio self autocomplete" for previously entered values doesn't sufficiently sanitize user inp...
SA-CONTRIB-2014-073 - Date - Cross Site Scripting (XSS)
Date module provides flexible date/time field type Date field and a Date API that other modules can use. The module incorrectly prints date field titles without proper sanitization thereby opening a Cross Site Scripting XSS vulnerability. The vulnerability is mitigated by the fact that an attacke...
SA-CONTRIB-2014-074 - Storage API - Code execution prevention
Storage API is a low-level framework for managed file storage and serving. The module creates an .htaccess file in the files directory to prevent code execution, but copied the Drupal core file and wasn't updated to include the improved file contents after SA-CORE-2013-003. This vulnerability is...
SA-CONTRIB-2014-072 - Freelinking, Freelinking Case Tracker - Access bypass
The freelinking and freelinking case tracker modules implement a filter for the easier creation of HTML links to other pages in the site or external sites with a wiki style format such as pluginname:identifier. The module doesn't sufficiently check access to content when displaying links to nodes...
SA-CORE-2014-003 - Drupal core - Multiple vulnerabilities
Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. Denial of service with malicious HTTP Host header Base system - Drupal 6 and 7 - Critical Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header. The HT...
SA-CONTRIB-2014-070 - Password Policy - Access Bypass
The Password Policy module enables you to define and enforce password policies with various constraints on allowable user passwords. Access Bypass 7.x only Password Policy has a Password Change Tab submodule which provides a tab for a user to change their password. Password Policy also has a...
SA-CONTRIB-2014-071 - FileField - Access bypass
The FileField module enables you to define and use fields that contain files. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files. This vulnerability is mitigated ...
SA-CONTRIB-2014-069 - Logintoboggan - Access Bypass and Cross Site Scripting (XSS)
This module enables you to customise the standard Drupal registration and login processes. Cross Site Scripting The module doesn't filter user-supplied information from the URL resulting in a reflected Cross Site Scripting XSS vulnerability. Access Bypass The module introduces a concept of a...
SA-CONTRIB-2014-066 - Node Access Keys - Access Bypass
Node Access Keys helps to grant users temporary view permissions to selected content types on a per user role basis. It was found that unpublished nodes of content types that did not have an access key were visible to all. Also, if an unpublished node of a content type that was protected by ...
SA-CONTRIB-2014-067 - Meta Tags Quick - Multiple vulnerabilities
Meta tags quick adds meta tags editing to all non-administrative pages of a Drupal site. Redirector abuse in path-based meta tag editing form When editing a path-based meta tag, the module does not check the destination parameter of the URL, allowing an attacker to pass an arbitrary URL to the meta tag editing form...
SA-CONTRIB-2014-068 - Pane - XSS
This module did not properly sanitize content entered for title. It allowed sufficiently privileged users to add arbitrary HTML which could result in XSS attacks. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks" or ability to ed...
SA-CONTRIB-2014-061 - VideoWhisper Webcam Plugins - Cross Site Scripting (XSS) - Unsupported
Includes multiple modules for video communications including room listing and pay per view access control. The module doesn't sufficiently filter user supplied text from the URL, resulting in reflected cross site scripting. No special permissions are required to exploit this issue. There are no mitigating factors...
SA-CONTRIB-2014-063 - Easy Breadcrumb - Cross Site Scripting (XSS)
The Easy Breadcrumb module generates breadcrumbs from path aliases. This module does not properly sanitize user-supplied values creating a Cross Site Scripting XSS vulnerability. CVE identifiers issued CVE-2014-4505 Versions affected Easy breadcrumbs 7.x-2.x versions prior to 7.x-2.10. Drupal cor...
SA-CONTRIB-2014-065 - Custom Meta - Cross Site Scripting (XSS)
The module allows you to define and manage custom meta tags. The module does not sufficiently sanitize user input before displaying the attribute and content values for meta tags on the administration page. This vulnerability is mitigated by the fact that an attacker must have access to an accoun...
SA-CONTRIB-2014-064 - Course - Access bypass
This module enables you to create e-learning courses with any number of requirements for completion. A "Course object" is a relationship entity between a Course and a learning object, such as a Node. The module doesn't sufficiently check access on Course object edit forms. The configuration optio...
SA-CONTRIB-2014-062 - Password Policy - Multiple vulnerabilities
The Password Policy module enables you to define and enforce password policies with various constraints on allowable user passwords. Access bypass and information disclosure 7.x only The module has a history constraint, which when enabled, disallows a user's password from being changed to match a...
SA-CONTRIB-2014-060 - Petitions - Cross Site Request Forgery (CSRF)
This distribution enables you to build an application that lets users create and sign petitions. The contained whpetitions module doesn't sufficiently verify the intent of the user when signing a petition. A malicious user could trick another user into signing a petition they did not intend to si...
SA-CONTRIB-2014-059 - Touch Theme - Cross Site Scripting (XSS)
Touch Theme is a lightweight theme with a modern look and feel. The theme does not sufficiently sanitize theme settings input for the Twitter and Facebook username. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes". CVE identifiers...
SA-CONTRIB-2014-058 - Webserver Auth - Access Bypass
This module allows you to delegate user authentication to the web server. The module can be configured to automatically create users that have been authenticated by the web server. There was an issue where a configuration variable did not have consistent default values in the code meaning that in...
SA-CONTRIB-2014-055 - Require Login - Access bypass
This module enables you to restrict access to a site for all non-authenticated users. The module does not protect the front page, thereby exposing any sensitive information on the front page to anonymous users. This vulnerability is mitigated by the fact that private/sensitive information must be...
SA-CONTRIB-2014-056 - Commerce Moneris - Information Disclosure
Commerce Moneris is a payment module that integrates the Moneris payment system with Drupal Commerce. The module stores credit card data in a commerce order object unnecessarily for the purpose of passing the credit card information to the payment gateway. The credit card information is never...
SA-CONTRIB-2014-057 - Password policy - General logic error
This module enables you to define password policies with various constraints on allowable user passwords. The history constraint, when enabled, disallows a user's password from being changed to match a specified number of their previous passwords. Beginning with Password Policy 7.x-1.4, the histo...
SA-CONTRIB-2014-054 - Views - Access Bypass
The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. The module doesn't sufficiently check handler access when returning the list of handlers from views_plugin_display::get_handlers. The...
SA-CONTRIB-2014-050 - Commerce Postfinance ePayment - Access Bypass
The Commerce Postfinance ePayment module provides commerce payment methods for the Postfinance e-Payment service provider. The module doesn't sufficiently validate incoming payment notification IPN messages. Sending a specifically crafted IPN message to an affected site allows an attacker to crea...
SA-CONTRIB-2014-053 - Field API Tab Editor (FATE) - Access bypass
This module allows each entity field to be individually edited via its own custom page, accessible via a tab on the entity's page. The module returns an incorrect value to hook_menu if the current user does not have access to edit the entity. This allows users who would not normally have access to...
SA-CONTRIB-2014-052 - AddressField Tokens - Cross Site Scripting (XSS)
The AddressField Tokens module extends the addressfield module by adding token support. It also adds some convenient addressfield formatters and provides Webform addressfield integration. The module does not properly filter address field values, resulting in a Cross Site Scripting XSS vulnerabili...
SA-CONTRIB-2014-051 - Realname Registration - Information Disclosure
This module enables you to generate usernames based on fields filled out by the user during registration. The module doesn't sufficiently restrict access to the settings for determining which user fields are incorporated into usernames, and doesn't properly validate generated user names. Any user...
SA-CONTRIB-2014-049 - Organic Groups (OG) - Access Bypass
Organic groups OG enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. OG doesn't sufficiently check the permissions when a group member has pending or blocked status within the gro...
SA-CONTRIB-2014-048 - Field API Pane Editor (FAPE) - Access bypass
This module adds a contextual menu to fields which are added to an entity display in Panels, allowing individual fields to be directly edited via a separate page or, if it is enabled, the Overlay module. The module doesn't sufficiently verify the user has access to modify the entity the field is...
SA-CONTRIB-2014-046 - Context Form Alteration - Cross Site Scripting (XSS)
The Context Form Alteration module enables admins to alter forms via Context reactions. The module doesn't sufficiently sanitize user input entered within the Context configuration UI. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...
SA-CONTRIB-2014-047 - Zen - Cross Site Scripting
The Zen theme is a powerful, yet simple, HTML5 starting theme with a responsive, mobile-first grid design. The theme does not properly sanitize theme settings before they are used in the output of a page. Themes that have copied code from Zen's template.php may suffer from this same issue. If you...
SA-CONTRIB-2014-045 - Drupal Commons - Multiple Vulnerabilities
This SA contains two patches against Drupal Commons Views Bulk Operations Access Bypass Drupal commons comes with a view to moderate reported content, which is intended for authenticated users to view which content has been reported. Since it has hard coded VBO operations within the view, and...
SA-CONTRIB-2014-044 - Professional Theme - Cross Site Scripting (XSS)
Professional Theme is a modern and professional Drupal theme. The theme does not sufficiently sanitize theme settings input for custom copyright information. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes". CVE identifiers issue...
SA-CONTRIB-2014-043 - Custom Search - Cross Site Scripting (XSS)
The Custom Search module alters the default search box to provide some options like in advanced search, but directly in the search box. The module doesn't sanitize taxonomy vocabulary labels before display leading to a persistent cross site scripting XSS vulnerability. This vulnerability is...
SA-CONTRIB-2014-042 - Internationalization - Access Bypass
This module enables you to build multilingual Drupal sites providing missing translation features for Drupal core. The module doesn't sufficiently check content access permissions and under certain circumstances allows users with the "access content" permission to see path aliases from unpublishe...
SA-CORE-2014-002 - Drupal core - Information Disclosure
Drupal's form API has built-in support for temporary storage of form state, for example user input. This is often used on multi-step forms, and is required on Ajax-enabled forms in order to allow the Ajax calls to access and update interim user input on the server. When pages are cached for...
SA-CONTRIB-2014-041 - Block Search - SQL Injection
Block Search module provides an alternative way of managing blocks. The module doesn't properly use Drupal's database API resulting in user-provided strings being passed directly to the database allowing SQL Injection. This vulnerability is mitigated by the fact that an attacker must either use a...
SA-CONTRIB-2014-040 - Skeleton theme - Cross Site Scripting
The Skeleton theme is a responsive Drupal theme, built upon the Skeleton Boilerplate. The Skeleton theme does not properly sanitize theme settings before they are used in the output of a page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...
SA-CONTRIB-2014-038 - SimpleCorp theme - Cross Site Scripting
SimpleCorp theme is a free responsive Drupal theme. The SimpleCorp theme does not properly sanitize theme settings before they are used in the output of a page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". CVE identifiers...
SA-CONTRIB-2014-037 - BlueMasters - Cross Site Scripting
Bluemasters is a responsive layout theme for Drupal 7. The Bluemasters theme does not properly sanitize theme settings before they are used in the output of a page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". CVE identifie...