Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2014/06/18 12:0 a.m.28 views

SA-CONTRIB-2014-061 - VideoWhisper Webcam Plugins - Cross Site Scripting (XSS) - Unsupported

Includes multiple modules for video communications including room listing, pay per view access control. The module doesn't sufficiently filter user supplied text from the url reflected cross site scripting. No special permissions are required to exploit this issue. There are no mitigating factors...

4.3CVSS6.5AI score0.01158EPSS
Exploits1References10
Drupal
Drupal
added 2014/06/18 12:0 a.m.16 views

SA-CONTRIB-2014-063 - Easy Breadcrumb - Cross Site Scripting (XSS)

The Easy Breadcrumb module generates breadcrumbs from path aliases. This module does not properly sanitize user-supplied values creating a Cross Site Scripting XSS vulnerability. CVE identifiers issued CVE-2014-4505 Versions affected Easy breadcrumbs 7.x-2.x versions prior to 7.x-2.10. Drupal cor...

4.3CVSS5.7AI score0.01161EPSS
Exploits0References12
Drupal
Drupal
added 2014/06/18 12:0 a.m.23 views

SA-CONTRIB-2014-065 - Custom Meta - Cross Site Scripting (XSS)

The module allows you to define and manage custom meta tags. The module does not sufficiently sanitize user input before displaying the attribute and content values for meta tags on the administration page. This vulnerability is mitigated by the fact that an attacker must have access to an accoun...

2.1CVSS6.4AI score0.00941EPSS
Exploits0References12
Drupal
Drupal
added 2014/06/18 12:0 a.m.9 views

SA-CONTRIB-2014-064 -Course - Access bypass

This module enables you to create e-learning courses with any number of requirements for completion. A "Course object" is a relationship entity between a Course and a learning object, such as a Node. The module doesn't sufficiently check access on Course object edit forms. The configuration optio...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2014/06/18 12:0 a.m.12 views

SA-CONTRIB-2014-062 -Passsword Policy - Multiple vulnerabilities

The Password Policy module enables you to define and enforce password policies with various constraints on allowable user passwords. Access bypass and information disclosure 7.x only The module has a history constraint, which when enabled, disallows a user's password from being changed to match a...

6.8AI score
Exploits0References14
Drupal
Drupal
added 2014/06/11 12:0 a.m.15 views

SA-CONTRIB-2014-059 - Touch Theme - Cross Site Scripting (XSS)

Touch Theme is a light weight theme with modern look and feel. The theme does not sufficiently sanitize theme settings input for Twitter and Facebook username. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes". CVE identifiers...

2.1CVSS6.4AI score0.01264EPSS
Exploits0References10
Drupal
Drupal
added 2014/06/11 12:0 a.m.12 views

SA-CONTRIB-2014-060- Petitions - Cross Site Request Forgery (CSRF)

This distribution enables you to build an application that lets users create and sign petitions. The contained whpetitions module doesn't sufficiently verify the intent of the user when signing a petition. A malicious user could trick another user into signing a petition they did not intend to si...

7AI score
Exploits0References12
Drupal
Drupal
added 2014/05/28 12:0 a.m.16 views

SA-CONTRIB-2014-058 - Webserver Auth - Access Bypass

This module allows you to delegate user authentication to the web server. The module can be configured to automatically create users that have been authenticated by the web server. There was an issue where a configuration variable did not have consistent default values in the code meaning that in...

7.3AI score
Exploits0References12
Drupal
Drupal
added 2014/05/21 12:0 a.m.15 views

SA-CONTRIB-2014-054 - Views - Access Bypass

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. The module doesn't sufficiently check handler access when returning the list of handlers from viewplugindisplay::gethandlers. The...

7.2AI score
Exploits0References11
Drupal
Drupal
added 2014/05/21 12:0 a.m.12 views

SA-CONTRIB-2014-055 - Require Login - Access bypass

This module enables you to restrict access to a site for all non-authenticated users. The module does not protect the front page, thereby exposing any sensitive information on the front page to anonymous users. This vulnerability is mitigated by the fact that private/sensitive information must be...

6.6AI score
Exploits0References12
Drupal
Drupal
added 2014/05/21 12:0 a.m.13 views

SA-CONTRIB-2014-057 - Password policy - General logic error

This module enables you to define password policies with various constraints on allowable user passwords. The history constraint, when enabled, disallows a user's password from being changed to match a specified number of their previous passwords. Beginning with Password Policy 7.x-1.4, the histo...

7.2AI score
Exploits0References12
Drupal
Drupal
added 2014/05/21 12:0 a.m.13 views

SA-CONTRIB-2014-056 - Commerce Moneris - Information Disclosure

Commerce Moneris is a payment module that integrates the Moneris payment system with Drupal Commerce. The module stores credit card data in a commerce order object unnecessarily for the purpose of passing the credit card information to the payment gateway. The credit card information is never...

7.2AI score
Exploits0References13
Drupal
Drupal
added 2014/05/14 12:0 a.m.18 views

SA-CONTRIB-2014-052 - AddressField Tokens - Cross Site Scripting (XSS)

The AddressField Tokens module extends the addressfield module by adding token support. It also adds some convenient addressfield formatters and provides Webform addressfield integration. The module does not properly filter address field values, resulting in a Cross Site Scripting XSS vulnerabili...

3.5CVSS5.4AI score0.00946EPSS
Exploits0References11
Drupal
Drupal
added 2014/05/14 12:0 a.m.13 views

SA-CONTRIB-2014-053 - Field API Tab Editor (FATE) - Access bypass

This module allows each entity field to be individually edited via its own custom page, accessible via a tab on the entity's page. The module returns an incorrect value to hookmenu if the current user does not have access to edit the entity. This allows users who would not normally have access to...

6.8AI score
Exploits0References11
Drupal
Drupal
added 2014/05/14 12:0 a.m.17 views

SA-CONTRIB-2014-050 - Commerce Postfinance ePayment - Access Bypass

The Commerce Postfinance ePayment module provides commerce payment methods for the Postfinance e-Payment service provider. The module doesn't sufficiently validate incoming payment notification IPN messages. Sending a specifically crafted IPN message to an affected site allows an attacker to crea...

6.9AI score
Exploits0References12
Drupal
Drupal
added 2014/05/14 12:0 a.m.16 views

SA-CONTRIB-2014-051 - Realname Registration - Information Disclosure

This module enables you to generate usernames based on fields filled out by the user during registration. The module doesn't sufficiently restrict access to the settings for determining which user fields are incorporated into usernames, and doesn't properly validate generated user names. Any user...

7AI score
Exploits0References11
Drupal
Drupal
added 2014/05/07 12:0 a.m.13 views

SA-CONTRIB-2014-049 - Organic Groups (OG) - Access Bypass

Organic groups OG enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. OG doesn't sufficiently check the permissions when a group member is pending or blocked status within the gro...

6.8AI score
Exploits0References11
Drupal
Drupal
added 2014/04/30 12:0 a.m.26 views

SA-CONTRIB-2014-046 - Context Form Alteration - Cross Site Scripting (XSS)

The Context Form Alteration module enables admins to alter forms via Context reactions. The module doesn't sufficiently sanitize user input entered within the Context configuration UI. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...

3.5CVSS6.3AI score0.00946EPSS
Exploits0References10
Drupal
Drupal
added 2014/04/30 12:0 a.m.24 views

SA-CONTRIB-2014-047 - Zen - Cross Site Scripting

The Zen theme is a powerful, yet simple, HTML5 starting theme with a responsive, mobile-first grid design. The theme does not properly sanitize theme settings before they are used in the output of a page. Themes that have copied code from Zen's template.php may suffer from this same issue. If you...

3.5CVSS5.8AI score0.00946EPSS
Exploits0References10
Drupal
Drupal
added 2014/04/30 12:0 a.m.11 views

SA-CONTRIB-2014-048 - Field API Pane Editor (FAPE) - Access bypass

This module adds a contextual menu to fields which are added to an entity display in Panels, allowing individual fields to be directly edited via a separate page or, if it is enabled, the Overlay module. The module doesn't sufficiently verify the user has access to modify the entity the field is...

6.1AI score
Exploits0References13
Drupal
Drupal
added 2014/04/23 12:0 a.m.25 views

SA-CONTRIB-2014-044 - Professional Theme - Cross Site Scripting (XSS)

Professional Theme is a modern and professional Drupal theme. The theme does not sufficiently sanitize theme settings input for custom copyright information This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer themes". CVE identifiers issue...

3.5CVSS6.4AI score0.00946EPSS
Exploits0References11
Drupal
Drupal
added 2014/04/23 12:0 a.m.17 views

SA-CONTRIB-2014-042 - Internationalization - Access Bypass

This module enables you to build multilingual Drupal sites providing missing translation features for Drupal core. The module doesn't sufficiently check content access permissions and under certain circumstances allows users with the "access content" permission to see path aliases from unpublishe...

7AI score
Exploits0References11
Drupal
Drupal
added 2014/04/23 12:0 a.m.19 views

SA-CONTRIB-2014-043 - Custom Search - Cross Site Scripting (XSS)

The Custom Search module alters the default search box to provide some options like in advanced search, but directly in the search box. The module doesn't sanitize taxonomy vocabulary labels before display leading to a persistent cross site scripting XSS vulnerability. This vulnerability is...

3.5CVSS5.5AI score0.01046EPSS
Exploits0References11
Drupal
Drupal
added 2014/04/23 12:0 a.m.14 views

SA-CONTRIB-2014-045 - Drupal Commons - Multiple Vulnerabilities

This SA contains two patches against Drupal Commons Views Bulk Operations Access Bypass Drupal commons comes with a view to moderate reported content, which is intended for authenticated users to view which content has been reported. Since it has hard coded VBO operations within the view, and...

6.8AI score
Exploits0References15
Drupal
Drupal
added 2014/04/16 12:0 a.m.638 views

SA-CORE-2014-002 - Drupal core - Information Disclosure

Drupal's form API has built-in support for temporary storage of form state, for example user input. This is often used on multi-step forms, and is required on Ajax-enabled forms in order to allow the Ajax calls to access and update interim user input on the server. When pages are cached for...

5CVSS6.2AI score0.01568EPSS
Exploits0References21
Drupal
Drupal
added 2014/04/16 12:0 a.m.15 views

SA-CONTRIB-2014-041 - Block Search - SQL Injection

Block Search module provides an alternative way of managing blocks. The module doesn't properly use Drupal's database API resulting in user-provided strings being passed directly to the database allowing SQL Injection. This vulnerability is mitigated by the fact that an attacker must either use a...

7.8AI score
Exploits0References9
Drupal
Drupal
added 2014/04/09 12:0 a.m.10 views

SA-CONTRIB-2014-039 - Revisioning - Access Bypass

This module enables you to manage publication workflows whereby new, not publicly visible revisions of existing published content may be created by an author for review, while the current revision remains live to the public. The new revision does not go live until it is approved by a moderator wi...

6.9AI score
Exploits0References11
Drupal
Drupal
added 2014/04/09 12:0 a.m.11 views

SA-CONTRIB-2014-040 - Skeleton theme - Cross Site Scripting

The Skeleton theme is a responsive Drupal theme, built upon the Skeleton Boilerplate. The Skeleton theme does not properly sanitize theme settings before they are used in the output of a page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...

7.1AI score
Exploits0References11
Drupal
Drupal
added 2014/04/09 12:0 a.m.26 views

SA-CONTRIB-2014-038 - SimpleCorp theme - Cross Site Scripting

SimpleCorp theme is a free responsive Drupal theme. The SimpleCorp theme does not properly sanitize theme settings before they are used in the output of a page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". CVE identifiers...

3.5CVSS6.4AI score0.00946EPSS
Exploits0References11
Drupal
Drupal
added 2014/04/09 12:0 a.m.31 views

SA-CONTRIB-2014-037 - BlueMasters - Cross Site Scripting

Bluemasters is a responsive layout theme for Drupal 7. The Bluemasters theme does not properly sanitize theme settings before they are used in the output of a page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". CVE identifie...

3.5CVSS6.3AI score0.00946EPSS
Exploits0References11
Drupal
Drupal
added 2014/04/02 12:0 a.m.23 views

SA-CONTRIB-2014-034 - Custom Search - Cross Site Scripting

The Custom Search module alters the default search box to provide additional search filtering options and control. Custom Search contains a persistent cross-site scripting XSS vulnerability due to the fact that it fails to sanitize filter labels before display. This vulnerability is mitigated by...

3.5CVSS5.5AI score0.00946EPSS
Exploits0References13
Drupal
Drupal
added 2014/04/02 12:0 a.m.15 views

SA-CONTRIB-2014-035 - CAS Server - Access Bypass

The casserver module of the CAS project implements the CAS 1.0 and 2.0 specifications for providing a single sign-on to relying party web application the "service" in CAS specs. The CAS server creates single-use tickets when serving a user's login request, which is subsequently deleted when the...

7AI score
Exploits0References13
Drupal
Drupal
added 2014/04/02 12:0 a.m.21 views

SA-CONTRIB-2014-036 - Print - Cross Site Scripting

This module provides printer-friendly versions of content, including send by e-mail and PDF versions. The module does not sufficiently sanitize user provided input when generating the printed version of a node. This is mitigated by the fact that an attacker must have permission to create a node...

3.5CVSS6.4AI score0.01046EPSS
Exploits0References11
Drupal
Drupal
added 2014/03/19 12:0 a.m.16 views

SA-CONTRIB-2014-032 - Xapian integration - Access Bypass

This module enables you to use Xapian system to do searches of a Xapian index from within drupal. The module doesn't verify node access rights when a node is loaded for display after the search happened in Xapian. This vulnerability is mitigated by the fact that the system must be using a node...

7.1AI score
Exploits0References10
Drupal
Drupal
added 2014/03/19 12:0 a.m.16 views

SA-CONTRIB-2014-033 - Nivo Slider - Cross Site Scripting

Nivo Slider provides a way to showcase featured content. Nivo Slider gives administrators a simple method of adding slides to the slideshow, an administration interface to configure slideshow settings, and simple slider positioning using the Drupal block system. The module doesn't sufficiently...

3.5CVSS6.4AI score0.01417EPSS
Exploits0References13
Drupal
Drupal
added 2014/03/12 12:0 a.m.14 views

SA-CONTRIB-2014-030 - SexyBookmarks - Information Disclosure

The SexyBookmarks module is a port of the WordPress SexyBookmarks plug-in. The module adds social bookmarking using the Shareaholic service. The module discloses the private files location when Drupal 6 is configured to use private files. This vulnerability is mitigated by the fact that only site...

7.1AI score
Exploits0References12
Drupal
Drupal
added 2014/03/12 12:0 a.m.18 views

SA-CONTRIB-2014-031 - Webform Template - Access Bypass

This module enables you to copy webform config from one node to another. The module doesn't respect node access when providing possible nodes to copy from. As a result, a user may be disclosed the titles of nodes he does not have view access to and as such he may be able to copy the webform...

6.8AI score
Exploits0References11
Drupal
Drupal
added 2014/03/05 12:0 a.m.24 views

SA-CONTRIB-2014-029 - Mime Mail - Access Bypass

The MIME Mail module allows to send MIME-encoded e-mail messages with embedded images and attachments. By default the module only allows files to be embedded or attached that are located in the public files directory. The module doesn't sufficiently check the file location, considering similar...

7.3AI score
Exploits0References11
Drupal
Drupal
added 2014/03/05 12:0 a.m.30 views

SA-CONTRIB-2014-027 - NewsFlash Theme - XSS

Newsflash is a theme that features 7 color styles, 12 collapsible regions, suckerfish menus, fluid or fixed widths, built-in IE transparent PNG fix, and lots more. The theme does not sanitize the user provided theme setting for the font family CSS property, thereby exposing a cross-site scripting...

3.5CVSS5.6AI score0.01046EPSS
Exploits0References10
Drupal
Drupal
added 2014/03/05 12:0 a.m.11 views

SA-CONTRIB-2014-028 - Masquerade - Access bypass

This module allows a user with the right permissions to switch users. When a user has been limited to only masquerading as certain users via the "Enter the users this user is able to masquerade as" user profile field, they can still masquerade as any user on the site by using the "Enter the...

6.9AI score
Exploits0References11
Drupal
Drupal
added 2014/02/26 12:0 a.m.23 views

SA-CONTRIB-2014-023 - Project Issue File Review - XSS

The Project Issue File Review PIFR module provides an abstracted client-server model and plugin API for performing distributed operations such as code review and testing, with a focus on supporting Drupal development. Two scenarios were identified where the module does not sufficiently sanitize...

4.3CVSS6.3AI score0.01161EPSS
Exploits0References11
Drupal
Drupal
added 2014/02/26 12:0 a.m.13 views

SA-CONTRIB-2014-024 - Content Lock - CSRF

This module prevents people from editing the same content at the same time. It adds a locking layer to nodes. It does not protect from CSRF. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected All...

7AI score
Exploits0References9
Drupal
Drupal
added 2014/02/26 12:0 a.m.17 views

SA-CONTRIB-2014-025 - Open Omega - Access Bypass

This theme is a sub theme of omega used as as a sample theme for the open Public Distribution. The theme doesn't sufficiently check the users menu access when building the header and footer menus, so that it can expose the title and path of restricted items in the menu. This vulnerability is...

7AI score
Exploits0References12
Drupal
Drupal
added 2014/02/26 12:0 a.m.19 views

SA-CONTRIB-2014-026 - Mime Mail - Access bypass

The MIME Mail module allows processing of incoming MIME-encoded e-mail messages with embedded images and attachments. The default key for the authentication of incoming messages is generated from a random number. On some platforms such as Windows the maximum value of this number is only 32767 whi...

7.3AI score
Exploits0References13
Drupal
Drupal
added 2014/02/22 12:0 a.m.12 views

SA-CONTRIB-2014-022 - Slickgrid - Access bypass

The Slickgrid module is an implementation of the jQuery slickgrid plugin, a lightening fast JavaScript grid/spreadsheet. It defines a slickgrid view style, so all data can be output as an editable grid. The module doesn't check access sufficiently, allowing users to edit and change field values o...

7AI score
Exploits0References14
Drupal
Drupal
added 2014/02/19 12:0 a.m.18 views

SA-CONTRIB-2014-021 - Maestro - Cross Site Scripting (XSS)

The Maestro module enables you to create complex workflows, automating business processes. The module doesn't sufficiently filter Role or Organic Group names when displaying them in the workflow details. This vulnerability is mitigated by the fact that an attacker must have a role with the...

3.5CVSS6.3AI score0.00946EPSS
Exploits0References12
Drupal
Drupal
added 2014/02/12 12:0 a.m.10 views

SA-CONTRIB-2014-014 - Webform Validation - Cross Site Scripting (XSS)

The Webform Validation module enables you to add additional form validation rules to Webforms created by the Webform module. The module doesn't sufficiently filter component name text before display, opening up the possibility of cross site scripting. This vulnerability is mitigated by the fact...

6.4AI score
Exploits0References11
Drupal
Drupal
added 2014/02/12 12:0 a.m.17 views

SA-CONTRIB-2014-013- Chaos tool suite (ctools) - Access Bypass

This module provides content editors with an autocomplete callback for entity titles, as well as an ability to embed content within the Chaos tool suite ctools framework. Prior to this version, ctools did not sufficiently check access grants for various types of content other than nodes. It also...

7.3AI score
Exploits0References15
Drupal
Drupal
added 2014/02/12 12:0 a.m.20 views

SA-CONTRIB-2014-020 - Drupal Commons - Cross Site Scripting (XSS)

Drupal Commons is a ready-to-use solution for building either internal or external communities. It provides a complete social business software solution for organizations. Drupal Commons displays an "activity stream" containing messages about actions users take on the site. In some cases, message...

4.3CVSS6AI score0.01284EPSS
Exploits0References12
Drupal
Drupal
added 2014/02/12 12:0 a.m.11 views

SA-CONTRIB-2014-017- Image Resize Filter - Denial of Service (DOS)

This module enables you to resize images based on the HTML contents of a post. Images with specified height and width properties that differ from the original image result in a resized image being created. The module doesn't limit the number of resized images per post or user, which could allow a...

6.8AI score
Exploits0References11
Total number of security vulnerabilities1940