Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2014/11/19 12:0 a.m.13 views

SA-CONTRIB-2014-115 - Form Builder - Cross-Site Scripting (XSS)

The Form Builder module enables users to build entire Form API structures through a graphical, AJAX-like interface. The module doesn't sufficiently sanitize form titles in some cases. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create forms...

7AI score
Exploits0References11
Drupal
Drupal
added 2014/11/19 12:0 a.m.28 views

SA-CONTRIB-2014-111 - Protected Pages - Password Protection Bypass

Protected Pages modules allows the administrator to secure any page in your website by password by configuring a add path and the associated password. The module did not sufficiently protect variations on the protected path. CVE identifiers issued CVE-2014-9024 Versions affected Protected Pages...

7.5CVSS6.5AI score0.01319EPSS
Exploits0References12
Drupal
Drupal
added 2014/11/19 12:0 a.m.36 views

SA-CONTRIB-2014-113 - Secure Password Hashes - Denial of Service

This module enables a more secure password storage for Drupal 6 by back-porting the code used in Drupal 7 core. A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive...

5CVSS6.4AI score0.82234EPSS
Exploits3References13
Drupal
Drupal
added 2014/11/12 12:0 a.m.21 views

SA-CONTRIB-2014-108 - Webform Component Roles - Access Bypass

The Webform component module enables site admins to limit visibility or editability of webform components based on user roles. The module doesn't sufficiently check that disabled component values are not modified upon submission of the form. CVE identifiers issued CVE-2014-9022 Versions affected...

6.4CVSS6.4AI score0.01523EPSS
Exploits0References10
Drupal
Drupal
added 2014/11/12 12:0 a.m.8 views

SA-CONTRIB-2014-107 - Scheduler - Cross Site Scripting

The Scheduler module allows nodes to be published and unpublished on specified dates. The module allows administrators to provide additional help text on the content editing form when scheduling is enabled. The module doesn't sufficiently filter the help text which could lead to a Cross Site...

6.2AI score
Exploits0References11
Drupal
Drupal
added 2014/11/12 12:0 a.m.14 views

SA-CONTRIB-2014-109 - Freelinking - Cross Site Scripting (XSS)

The Freelinking module implements a filter framework for easier creation of HTML links to other pages on the site or to external sites. The module does not sanitize the node title when providing a link to the node, opening a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated ...

6.1AI score
Exploits0References9
Drupal
Drupal
added 2014/10/29 12:0 a.m.15 views

SA-CONTRIB-2014-106 - Commerce Authorize.Net SIM/DPM Payment Methods - Access Bypass

This module provides payment methods for the Drupal Commerce package to permit the use of the Authorize.Net payment gateway's SIM and DPM payment protocols. Access Bypass The module doesn't sufficiently protect the Drupal Commerce order number passed to the Authorize.Net payment gateway, allowing...

7.1AI score
Exploits0References13
Drupal
Drupal
added 2014/10/29 12:0 a.m.15 views

SA-CONTRIB-2014-104 - Addressfield Tokens - Cross Site Scripting

The Addressfield Tokens module extends the Addressfield module by adding full token support. The module doesn't sufficiently filter malicious user input, opening a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

6.2AI score
Exploits0References11
Drupal
Drupal
added 2014/10/29 12:0 a.m.28 views

SA-CONTRIB-2014-105 - OG Menu - Access Bypass

OG Menu allows using menus within Organic Groups. The permissions for accessing the module settings were to broad, possibly granting access to users who would normally not be able to change the OG Menu configuration. This vulnerability is mitigated by the fact that an attacker must have a role wi...

3.5CVSS6.4AI score0.00951EPSS
Exploits0References9
Drupal
Drupal
added 2014/10/29 12:0 a.m.13 views

SA-CONTRIB-2014-103 - Passwordless - Cross Site Scripting (XSS)

This module replaces the regular Drupal login form with a modification of the password-request form, to give the possibility to log in without using a password. The module doesn't sufficiently sanitize user-generated text entered in the module's configuration form. This vulnerability is mitigated...

7AI score
Exploits0References10
Drupal
Drupal
added 2014/10/22 12:0 a.m.14 views

SA-CONTRIB-2014-101 - Ubercart - Cross Site Request Forgery

The Ubercart module provides a shopping cart and e-commerce features for Drupal. Cross Site Request Forgery CSRF The country administration links are not properly protected. A malicious user could trick a store administrator into enabling or disabling a country by getting them to visit a...

7.1AI score
Exploits0References13
Drupal
Drupal
added 2014/10/22 12:0 a.m.26 views

SA-CONTRIB-2014-100 - Bad Behavior - Information Disclosure

This module enables you to to target any malicious software directed at a Web site, whether it be a spambot, ill-designed search engine bot, or system crackers. It blocks such access and then logs their attempts. Information Disclosure The module doesn't sufficiently sanitize log data, allowing...

4CVSS6.4AI score0.01218EPSS
Exploits0References11
Drupal
Drupal
added 2014/10/15 12:0 a.m.778 views

SA-CORE-2014-005 - Drupal core - SQL injection

Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the...

7.5CVSS7.6AI score0.99974EPSS
Exploits20References14
Drupal
Drupal
added 2014/10/15 12:0 a.m.14 views

SA-CONTRIB-2014-098 - CKEditor - Cross Site Scripting (XSS)

The CKEditor module and its predecessor, FCKeditor module allows Drupal to replace textarea fields with CKEditor 3.x/4.x FCKeditor 2.x in case of FCKeditor module - a visual HTML editor, sometimes called WYSIWYG editor. Both modules define a function, called via an ajax request, that filters text...

5.7AI score
Exploits0References12
Drupal
Drupal
added 2014/10/15 12:0 a.m.25 views

SA-CONTRIB-2014-099 - Open Atrium Core - Access bypass

The oacore module contains the base access control mechanism for the Open Atrium distribution OA2. In OA2, file attachments are given the same access permission as the node they are attached to. The vulnerability is when an attachment is removed from a node that has Revisions enabled. It allows...

5CVSS6.4AI score0.01209EPSS
Exploits0References9
Drupal
Drupal
added 2014/10/08 12:0 a.m.13 views

SA-CONTRIB-2014-102 - Document - Cross Site Scripting

Document module is a basic Document Management System for Drupal. Cross Site Scripting XSS The module wasn't sanitizing user input sufficiently in a few use cases. This vulnerability is mitigated by the the fact that a user must have permissions to add or edit documents to be able to exploit the...

6.6AI score
Exploits0References12
Drupal
Drupal
added 2014/10/08 12:0 a.m.13 views

SA-CONTRIB-2014-096 - OAuth2 Client - Cross Site Scripting (XSS)

OAuth2 Client is an API support module, enabling other modules to connect to services using OAuth2 authentication. Within its API code the Client class exposes variables in an error message, which originate from a third party source without proper sanitisation thus leading to a Cross Site Scripti...

6.9AI score
Exploits0References10
Drupal
Drupal
added 2014/10/08 12:0 a.m.12 views

SA-CONTRIB-2014-097 - nodeaccess - Access Bypass

Nodeaccess is a Drupal access control module which provides view, edit and delete access to nodes. This module enables you to inadvertently allow an author of a node view/edit/delete the node in question who may not have access. The module over-eagerly grants read/write/delete access to all autho...

7.1AI score
Exploits0References13
Drupal
Drupal
added 2014/09/24 12:0 a.m.11 views

SA-CONTRIB-2014-094 - Webform Patched - Cross Site Scripting (XSS)

The Webform Patched module is a fork of the Webform module with Token support added. The module enables you to create forms which can be used for surveys, contact forms or other data collection throughout your site. The module doesn't sufficiently sanitize field label titles when two fields have...

6.9AI score
Exploits0References15
Drupal
Drupal
added 2014/09/24 12:0 a.m.20 views

SA-CONTRIB-2014-093 - Twilio - Information Disclosure

This module enables you to easily add SMS and VOIP functionality to your website by leveraging the Twilio cloud Voip and SMS service. The module doesn't expose its own permissions for administration including viewing and editing the Twilio authentication tokens. It relies only on "access...

5.5CVSS6.6AI score0.00966EPSS
Exploits0References9
Drupal
Drupal
added 2014/09/24 12:0 a.m.31 views

SA-CONTRIB-2014-092 - Services - Cross Site Scripting, Access bypass

The Services module enables you to expose an API to third party systems using REST, XML-RPC or other protocols. New user's password set to weak password in userresourcecreate When creating a new user account via Services, the new user's password was set to a weak password. This issue is mitigated...

7.5CVSS5.8AI score0.02331EPSS
Exploits0References13
Drupal
Drupal
added 2014/09/23 12:0 a.m.16 views

SA-CONTRIB-2014-095 - Safeword - Cross Site Scripting (XSS)

The safeword module provides an automatically generated 'Machine Name' when text is entered into a human-readable field. The module doesn't sufficiently sanitize the field description that can be used as help text under the machine name editing field. This vulnerability is mitigated by the fact...

7AI score
Exploits0References10
Drupal
Drupal
added 2014/09/17 12:0 a.m.11 views

SA-CONTRIB-2014-089 - Geofield Yandex Maps - Cross Site Scripting (XSS)

The Geofield Yandex Maps module provides a Geofield widget, Geofield formatter, Views handler, Form element and Text filter to allow Yandex maps to be added to a site. The module does not sufficiently filter user-supplied text, resulting in a persistent Cross Site Scripting XSS vulnerability. The...

6.2AI score
Exploits0References10
Drupal
Drupal
added 2014/09/17 12:0 a.m.12 views

SA-CONTRIB-2014-090 - Speech recognition - Multiple vulnerabilities

This module enables you to add speech recognition to forms, allowing site admins to enable experimental Speech Input API features on form inputs through the user interface. Cross Site Scripting XSS The module incorrectly prints fields without proper sanitization thereby opening a Cross Site...

6.3AI score
Exploits0References11
Drupal
Drupal
added 2014/09/17 12:0 a.m.16 views

SA-CONTRIB-2014-088 - Mollom - Cross-site scripting (XSS)

Mollom is an "intelligent" content moderation web service which determines if a post is potentially spam; not only based on the posted content, but also on the past activity and reputation of the poster across multiple sites. Mollom offers a feature to report submitted content as inappropriate...

6AI score
Exploits0References12
Drupal
Drupal
added 2014/09/17 12:0 a.m.18 views

SA-CONTRIB-2014-091 - Survey Builder - Cross Site Scripting (XSS)

This module allows you to use the Form Builder module to provide an intuitive interface for building surveys, along with the back-end for storing surveys and their responses. Cross Site Scripting XSS When viewing surveys at "/surveys", the survey titles printed out are not sanitized. Any...

6.7AI score
Exploits0References11
Drupal
Drupal
added 2014/09/10 12:0 a.m.15 views

SA-CONTRIB-2014-086 - Custom BreadCrumbs - Cross Site Scripting (XSS)

Custom Breadcrumbs allows administrators to set up parametrized breadcrumb trails for different content types, views, panels, taxonomy vocabularies and terms, paths, and a simple API that allows contributed modules to enable custom breadcrumbs for module pages and theme templates. User input is n...

5.4AI score
Exploits0References12
Drupal
Drupal
added 2014/09/10 12:0 a.m.29 views

SA-CONTRIB-2014-085 - Ubercart - Information disclosure

The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal. The per-user order history view is not properly protected. This vulnerability is mitigated by the fact that an attacker must have an account with the "view own orders" permission and can only view order ID...

4CVSS6.4AI score0.00937EPSS
Exploits0References10
Drupal
Drupal
added 2014/09/10 12:0 a.m.27 views

SA-CONTRIB-2014-087 - Drupal Commerce - Information disclosure

Drupal Commerce is used to build eCommerce websites and applications of all sizes. The commerceorder module can be used to create new user accounts where email addresses are used as user names. Since user names are not considered private information in Drupal this is an information disclosure of...

5CVSS5.9AI score0.01173EPSS
Exploits0References11
Drupal
Drupal
added 2014/08/27 12:0 a.m.15 views

SA-CONTRIB-2014-083 - Rules Link - Cross Site Scripting (XSS)

This module allows you to create links which trigger arbitrary functionality with the help of the Rules module. The module doesn't sufficiently sanitize the question and description strings when confirmation forms are displayed for triggering Rules links. This vulnerability is mitigated by the fa...

2.1CVSS6.5AI score0.00949EPSS
Exploits0References7
Drupal
Drupal
added 2014/08/20 12:0 a.m.28 views

SA-CONTRIB-2014-080 - Social Stats - Cross Site Scripting (XSS)

The Social Stats module enables you to collect statistics from various social networks and use that data with the Views module as field data, sort criteria, or filter criteria. The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting in a persisten...

2.1CVSS5.9AI score0.00941EPSS
Exploits0References11
Drupal
Drupal
added 2014/08/20 12:0 a.m.12 views

SA-CONTRIB-2014-079 - RedHen CRM - Cross Site Scripting (XSS)

The RedHen CRM project contains the redhendedup module which enables you to find duplicate contacts in the CRM. The redhendedup module doesn't sufficiently filter administrator-entered text when deduping contacts as which creates a Cross Site Scripting XSS vulnerability. The vulnerability is...

6.2AI score
Exploits0References11
Drupal
Drupal
added 2014/08/20 12:0 a.m.17 views

SA-CONTRIB-2014-084 - Avatar Uploader - Information Disclosure

The Avatar Uploader enables you to upload user pictures in a user-friendly way, like Quora and Facebook. The module doesn't sufficiently check the picture path when a user crops the picture in the uploader panel allowing a malicious user to make specially crafted requests to obtain sensitive serv...

4CVSS6.3AI score0.01481EPSS
Exploits0References11
Drupal
Drupal
added 2014/08/20 12:0 a.m.16 views

SA-CONTRIB-2014-082 - Marketo MA - Cross Site Scripting (XSS)

The Marketo MA module adds Marketo marketing automation tracking capability to your website as well as the ability to capture lead data during user registration and via webform integration. It consists of a base module as well as Marketo MA User Webform and Marketo MA User sub-modules. The Market...

3.5CVSS5.6AI score0.00946EPSS
Exploits0References11
Drupal
Drupal
added 2014/08/20 12:0 a.m.16 views

SA-CONTRIB-2014-081 - Site Banner - Cross Site Scripting (XSS)

The Site Banner module enables you to display a banner at the top and bottom of a Drupal site. This module incorrectly prints existing context settings without proper sanitization, opening a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must...

3.5CVSS5.7AI score0.00946EPSS
Exploits0References11
Drupal
Drupal
added 2014/08/13 12:0 a.m.27 views

SA-CONTRIB-2014-078 - Notify - Access bypass

The notify module allows users to subscribe to periodic emails which include all new or revised content and/or comments of specific content types, much like the daily newsletters sent by some websites. The Notify module does not sufficiently check whether the user has access to recently added or...

4CVSS6.3AI score0.00937EPSS
Exploits0References10
Drupal
Drupal
added 2014/08/13 12:0 a.m.30 views

SA-CONTRIB-2014-077 - TableField - Cross Site Scripting (XSS)

This module enables you to create a field attached to a entity which stores tabular data. The module doesn't sufficiently sanitize the field help text when presented to a privileged user. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...

3.5CVSS6.3AI score0.00946EPSS
Exploits0References9
Drupal
Drupal
added 2014/08/06 12:0 a.m.22 views

SA-CONTRIB-2014-075 - Biblio Autocomplete - SQL injection and Access Bypass

This module provides functionality for AJAX based auto-completion of fields in the Biblio node type provided by the Biblio module using previously entered values and third party services. The submodule "Biblio self autocomplete" for previously entered values doesn't sufficiently sanitize user inp...

7.5CVSS6.8AI score0.02357EPSS
Exploits0References11
Drupal
Drupal
added 2014/08/06 12:0 a.m.16 views

SA-CONTRIB-2014-076 - Fasttoggle - Access bypass

This module enables you to quickly toggle various user, node and field related settings via ajax links. The recent 7.x-1.3 and 1.4 releases of the module include a rewrite of the access control which doesn't correctly implement support for the user status allow/block link. This vulnerability is...

5.8CVSS6.4AI score0.01051EPSS
Exploits0References11
Drupal
Drupal
added 2014/08/06 12:0 a.m.663 views

SA-CORE-2014-004 - Drupal core - Denial of service

Drupal 6 and Drupal 7 include an XML-RPC endpoint which is publicly available xmlrpc.php. The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site's database to rea...

6.8CVSS6.5AI score0.24385EPSS
Exploits3References21
Drupal
Drupal
added 2014/07/30 12:0 a.m.25 views

SA-CONTRIB-2014-074 - Storage API - Code execution prevention

Storage API is a low-level framework for managed file storage and serving. The module creates an .htaccess file in the files directory to prevent code execution, but copied the Drupal core file and wasn't updated to include the improved file contents after SA-CORE-2013-003. This vulnerability is...

9.8CVSS9.5AI score0.0402EPSS
Exploits0References11
Drupal
Drupal
added 2014/07/30 12:0 a.m.28 views

SA-CONTRIB-2014-073- Date - Cross Site Scripting (XSS)

Date module provides flexible date/time field type Date field and a Date API that other modules can use. The module incorrectly prints date field titles without proper sanitization thereby opening a Cross Site Scripting XSS vulnerability. The vulnerability is mitigated by the fact that an attacke...

3.5CVSS5.4AI score0.01417EPSS
Exploits0References9
Drupal
Drupal
added 2014/07/23 12:0 a.m.22 views

SA-CONTRIB-2014-072 - Freelinking, Freelinking Case Tracker - Access bypass

The freelinking and freelinking case tracker modules implement a filter for the easier creation of HTML links to other pages in the site or external sites with a wiki style format such as pluginname:identifier. The module doesn't sufficiently check access to content when displaying links to nodes...

4.3CVSS6.1AI score0.01191EPSS
Exploits0References10
Drupal
Drupal
added 2014/07/16 12:0 a.m.21 views

SA-CONTRIB-2014-071 - FileField - Access bypass

The FileField module enables you to define and use fields that contain files. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files. This vulnerability is mitigated ...

4CVSS6.5AI score0.0162EPSS
Exploits0References14
Drupal
Drupal
added 2014/07/16 12:0 a.m.664 views

SA-CORE-2014-003 - Drupal core - Multiple vulnerabilities

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. Denial of service with malicious HTTP Host header Base system - Drupal 6 and 7 - Critical Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header. The HT...

5CVSS6.8AI score0.02772EPSS
Exploits0References22
Drupal
Drupal
added 2014/07/16 12:0 a.m.15 views

SA-CONTRIB-2014-070 - Password Policy - Access Bypass

The Password Policy module enables you to define and enforce password policies with various constraints on allowable user passwords. Access Bypass 7.x only Password Policy has a Password Change Tab submodule which provides a tab for a user to change their password. Password Policy also has a...

7.1AI score
Exploits0References13
Drupal
Drupal
added 2014/07/09 12:0 a.m.28 views

SA-CONTRIB-2014-069 - Logintoboggan - Access Bypass and Cross Site Scripting (XSS)

This module enables you to customise the standard Drupal registration and login processes. Cross Site Scripting The module doesn't filter user-supplied information from the URL resulting in a reflected Cross Site Scripting XSS vulnerability. Access Bypass The module introduces a concept of a...

4.3CVSS5.2AI score0.01066EPSS
Exploits0References13
Drupal
Drupal
added 2014/07/02 12:0 a.m.16 views

SA-CONTRIB-2014-068 - Pane - XSS

This module did not properly sanitize content entered for title. It allowed sufficiently privileged users to add arbitrary HTML which could result in XSS attacks. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks" or ability to ed...

6.1AI score
Exploits0References12
Drupal
Drupal
added 2014/07/02 12:0 a.m.26 views

SA-CONTRIB-2014-067 - Meta Tags Quick - Multiple vulnerabilities

Meta tags quick adds meta tags editing to all non-administrative pages of Drupal site. Redirector abuse in path-based meta tag editing form When editing a path-based meta tag, module does not check destination parameter of the URL, allowing attacker to pass arbitrary URL to meta tag editing form...

5.5CVSS5.9AI score0.01308EPSS
Exploits0References11
Drupal
Drupal
added 2014/07/02 12:0 a.m.21 views

SA-CONTRIB-2014-066 - Node Access Keys - Access Bypass

Node Access Keys helps to grant users temporary view permissions to selected content types on a per user role basis. It was found that unpublished nodes of content types that that did not have an access key were visible to all. Also, If an unpublished node of a content type that was protected by ...

7AI score
Exploits0References12
Total number of security vulnerabilities1940