SA-CONTRIB-2013-089 - Node Access Keys - Access Bypass
Node Access Keys helps to grant users temporary view permissions to selected content types on a per user role basis. However, it only implements hook_node_access and not hook_query_alter, which means any listing of nodes does not respect the node view access. CVE identifiers issued CVE-2013-4596...
SA-CONTRIB-2013-083 - Quiz - Access Bypass
Access bypass on deleting quiz results The Quiz module provides tools for authoring and administering quizzes through Drupal. A quiz is given as a series of questions, with only one question appearing per page. Scores are then stored in the database. The module doesn't sufficiently check the dele...
SA-CONTRIB-2013-085 - Feed Element Mapper - Cross Site Scripting
Feed Element Mapper is an add-on module for FeedAPI that maps elements on a feed item such as tags or the author name to taxonomy or CCK fields. The module doesn't sufficiently filter text when displaying options to users. This vulnerability is mitigated by the fact that an attacker must have a...
SA-CONTRIB-2013-084 - FileField Sources - Access Bypass
This module expands on the FileField module by allowing you to select new or existing files through additional means, such as re-using files with an auto-complete textfield, attaching server-side files uploaded via FTP, transferring files from a remote server, pasting a file directly from th...
SA-CONTRIB-2013-086 - Monster Menus - Access bypass
Monster Menus includes the ability to protect the visibility of comments for each node based on hierarchical permissions. However, a carefully-crafted URL could be used to bypass these permissions, allowing an anonymous user to view the comments associated with certain nodes. In order for this fl...
SA-CONTRIB-2013-082 - Bean - Cross Site Scripting (XSS)
This module enables you to create block entities a.k.a. beans. The module did not sufficiently filter bean titles for dangerous html. This vulnerability is mitigated by the fact that an attacker must have permission to create or edit beans. CVE identifiers issued CVE-2013-4499 Versions affected...
SA-CONTRIB-2013-081 - Spaces - Access bypass
This module enables you to make configuration options generally available only at the sitewide level to be configurable and overridden by individual "spaces" on a Drupal site. The spaces submodule, Spaces OG, doesn't properly handle deleting of organic group group spaces when the option to move t...
SA-CONTRIB-2013-080 - Simplenews - Cross Site Scripting (XSS)
This module enables you to publish and send newsletters to lists of subscribers. The module also includes an API that other modules can use to register subscribers. The module doesn't sufficiently sanitize e-mail addresses prior to outputting. The provided forms (sign-up, mass import, ..) validate...
SA-CONTRIB-2013-079 - Context - Multiple Vulnerabilities
Context allows you to manage contextual conditions and reactions for different portions of your site. This advisory covers two separate issues. Arbitrary PHP Code Execution The first, and more severe, issue (Highly Critical status) is that the module allows execution of PHP code via manipulation of ...
SA-CONTRIB-2013-078 - Quick Tabs - Access Bypass
The Quick Tabs module allows you to create blocks of tabbed content, specifically views, blocks, nodes and other quicktabs. You can create a block on your site containing multiple tabs with corresponding content. The module does not sufficiently check block permissions before rendering a Quick Ta...
SA-CONTRIB-2013-077 - Google Site Search - Cross Site Scripting (XSS)
This module enables you to use the Google API to search one or more sites and show the result in your Drupal site, with your custom styling. The module doesn't sufficiently sanitize the data retrieved from the Google API. This vulnerability is mitigated by the fact that an attack must come from t...
SA-CONTRIB-2013-075 - Click2Sell - Multiple Vulnerabilities (XSS and CSRF)
Click2Sell is an Affiliate Marketing Network which lets you sell your products through their marketplace or on your website with buy it now buttons, and which also allows you to access hundreds of affiliates who want to sell your product for you and earn commission. Reflected Cross Site Scripting...
SA-CONTRIB-2013-074 - MediaFront - Cross Site Scripting (XSS)
The MediaFront module provides a front-end media presentation layer for Drupal. The module doesn't sufficiently filter user input from MediaFront preset settings. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer mediafront" to exploit th...
SA-CONTRIB-2013-076 - jQuery Countdown - Cross Site Scripting (XSS)
This jQuery Countdown Module enables you to display a countdown block based upon date settings. The jQuery Countdown Module does not properly sanitize the settings, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting (XSS) vulnerability. This vulnerability ...
SA-CONTRIB-2013-073 - Make Meeting Scheduler - Access Bypass
This module enables you to create polls accessible by a URL with a hash, e.g. example.com/makemeeting/sn9028xh3398, so that anonymous users can view and vote on the poll. The module didn't sufficiently check access when a poll is accessed directly via its node URL, e.g. node/123. Note: a user with th...
SA-CONTRIB-2013-072 - Node View Permissions - Access Bypass
The Node View Permissions module adds permissions "View own content" and "View any content" for each content type on the permissions page. However, it only implements hook_node_access and not hook_query_alter, which means any listing of nodes does not respect the node view permission. CVE identifiers...
SA-CONTRIB-2013-071 - Flag - Cross Site Scripting
The Flag module allows creation of customizable flags on entities. Flag does not properly sanitize the name of a flag on the main flag administration page, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting (XSS) vulnerability. This vulnerability is...
SA-CONTRIB-2013-070 - Zen - Cross Site Scripting
The Zen theme is a very popular base/starter theme. Zen doesn't sufficiently escape the breadcrumb separator field, allowing a possible XSS exploit. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". CVE identifiers issued...
SA-CONTRIB-2013-067 - BOTCHA - Information Disclosure (potential Privilege Escalation)
BOTCHA is a highly configurable non-CAPTCHA spam protection framework. The module includes a debug mode which logs the content of submitted forms including passwords and other sensitive information. An attacker who gains access to the log (i.e. dblog or syslog, depending on configuration) could get...
SA-CONTRIB-2013-068 - Entity API - Access Bypass
The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. The module doesn't sufficiently enforce node access restrictions when checking for a user's access to view a comment associated with a particular node. The...
SA-CONTRIB-2013-069 - Password Policy - XSS
This module enables you to specify a certain level of password complexity aka. "password hardening" for user passwords in Drupal by defining a password policy. When viewing and editing a password policy, the module doesn't sufficiently filter the form text field input and display for the "Passwor...
SA-CONTRIB-2013-064 - Persona - Cross site request forgery (CSRF)
This module enables users to sign into a Drupal website using Mozilla Persona. The module uses a security token to ensure that a sign-in request is made from a web page that is participating in the current session. It was possible for a security token that was not of type "string" to be accepted ...
SA-CONTRIB-2013-062 - RESTful Web Services (RESTWS) - Access Bypass
This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module doesn't sufficiently check for field level access when performing entity write operations on POST and PUT requests. It also do...
SA-CONTRIB-2013-065 - Organic Groups - Access Bypass
This module enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. The module allows any authenticated user to guess the node ID of private groups, and subscribe to them without...
SA-CONTRIB-2013-063 - Authenticated User Page Caching (Authcache) - Information Disclosure
This module enables page caching for authenticated users. A separate version of each cacheable page is stored for each group of users with the same combination of roles. Users having the exact same role-combination as the superuser (uid=1) might access cached pages generated with the superuser...
SA-CONTRIB-2013-066 - Monster Menus - Multiple Vulnerabilities
Monster Menus enables you to create granular page permissions, and apply them to a hierarchical page structure. The mm_webform submodule enables you to assign permissions derived from Monster Menus to webform forms. The module doesn't sufficiently filter titles entered into page settings and echoe...
SA-CONTRIB-2013-061 - Flippy - Access Bypass
This module enables you to generate previous/next links for content types. The module doesn't sufficiently enforce node access when generating previous/next links. A user may be presented with a link including alias if one is set but will not be able to view the node content. This vulnerability i...
SA-CONTRIB-2013-060 - Scald - Cross Site Scripting (XSS)
This module enables you to handle media assets (atoms) in Drupal with a Views-based library, drag and drop interface and manage content attribution/licensing/distribution. The module doesn't sufficiently filter atom properties such as the atom title when outputting atoms, thereby exposing a Cross...
SA-CONTRIB-2013-059 - Hostmaster (Aegir) - Access Bypass
This install profile and accompanying suite of modules enables you to install, upgrade, deploy, and backup Drupal sites among other things. The module doesn't sufficiently control access to running tasks on sites, under the scenario where a user successfully guesses a site's path in the Aegir...
SA-CONTRIB-2013-058 - MRBS - Abandoned - Multiple vulnerabilities
MRBS is a free, GPL, web application using PHP and MySQL/pgsql for booking meeting rooms or other resources. The module doesn't sufficiently filter user supplied data when creating queries which leads to a SQL injection vulnerability. CVE identifiers issued A CVE identifier will be requested, and...
SA-CONTRIB-2013-057 - TinyBox - Cross Site Scripting (XSS)
TinyBox module uses TinyBox, a lightweight and standalone modal window script. The main purpose of this module is to provide Splash Screen/Window as simple as possible. The module doesn't filter user-supplied text prior to display. The vulnerability is mitigated by the fact that an attacker must...
SA-CONTRIB-2013-055 - Hatch - Cross Site Scripting
Hatch theme is a simple and minimal portfolio theme for photographers, illustrators, designers, or photobloggers. The theme didn't sufficiently escape user supplied text prior to printing them. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...
SA-CONTRIB-2013-056 - Stage File Proxy - Denial of Service
This module saves time and disk space by sending requests to your development environment's files directory to the production environment and making a copy of the production file in your development site. An attacker could make repeated requests to the server, even over a long period, which would...
SA-CONTRIB-2013-054 - Fast Permissions Administration - Access Bypass
The Fast Permissions Administration module enables you to use inline filters on the permissions page, as well as loading the permissions form through a modal dialog. The module doesn't sufficiently check user access for the modal content callback, allowing unauthorized access to the permissions...
SA-CONTRIB-2013-053 - Login Security - Multiple Vulnerabilities
Login Security module adds additional access controls to the login form of Drupal. When Login Security is configured to use the delay feature, frequent or concurrent failed attempts to login can consume all the web serving processes, causing a denial of service. It is possible to bypass Login...
SA-CONTRIB-2013-052 - Display Suite - Cross Site Scripting (XSS)
Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. In certain situations, Display Suite does not properly sanitize entity bundle labels, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting (XSS)...
SA-CONTRIB-2013-051 - Services - Cross site request forgery (CSRF)
This module enables you to expose an API to third party systems using REST, XML-RPC or other protocols. The module doesn't sufficiently verify writing requests (POST, PUT, DELETE) with session cookie authentication, thereby exposing a Cross Site Request Forgery vulnerability. This vulnerability is...
SA-CONTRIB-2013-048 - Edit Limit - Access Bypass
Edit Limit enables you to set time and count-based limits on how and when a user can edit nodes or comments. The module doesn't sufficiently check user access when editing comments to see if the user has the necessary permissions to edit a comment outside of the limits applied by this module. Thi...
SA-CONTRIB-2013-049 - Node access user reference - Access Bypass
This module allows different access permissions to be given to authors, referenced users and non-referenced users. When an author has created content containing a user reference field with author update/delete grants enabled and the author's user account is later deleted, content created by them...
SA-CONTRIB-2013-050 - Webform - Cross Site Scripting (XSS)
The Webform module allows the creation of custom webforms and surveys. Webform module does not sanitize the labels of created components (fields) when displaying a list of components to be used in e-mails or downloaded CSV files. This vulnerability is mitigated by the fact that an attacker must hav...
SA-CONTRIB-2013-047 - Google Authenticator login - Access Bypass
This module will allow you to add Time-based One-time Password Algorithm (also called "Two Step Authentication" or "Multi-Factor Authentication") support to user logins. It works with Google's Authenticator app system and supports most, if not all, OATH based HOTP/TOTP systems. Accidental removal of...
SA-CONTRIB-2013-046 - Filebrowser - Reflected Cross Site Scripting (XSS)
Filebrowser module allows site administrators to expose a particular file system folder and all of its subfolders with an FTP-like interface to site visitors. The module doesn't sufficiently sanitize user input when presenting lists of files. Because the vulnerability is Reflected Cross Site...
SA-CONTRIB-2013-043 - MP3 Player - Cross Site Scripting (XSS)
This module enables you to easily enable a Flash MP3 Player on a CCK FileField. The module doesn't sufficiently filter user-supplied text from mp3 filenames. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create a node with an mp3 filefield wi...
SA-CONTRIB-2013-045 - Autocomplete Widgets for Text and Number Fields (autocomplete_widgets) - Access bypass
Autocomplete Widgets module adds autocomplete widgets for Text and Number fields. The autocomplete callback implemented by this module does not honor node permissions to access existing fields, allowing users to see field values even though they are not authorized to access that information. This...
SA-CONTRIB-2013-044 - elFinder file manager - Cross Site Request Forgery (CSRF)
The elfinder module provides an AJAX-based file manager based on the elFinder javascript library. The module doesn't sufficiently verify requests, thereby exposing a Cross Site Request Forgery (CSRF) vulnerability. This would enable an attacker to create, modify, or delete files on the server. There...
SA-CONTRIB-2013-042 - RESTful Web Services (RESTWS) - Denial of Service
This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module interferes with Drupal's page cache and allows an attacker to poison the cache with non-HTML page responses, thereby exposing ...
SA-CONTRIB-2013-040 - Commerce Skrill (Formerly Moneybookers) - Access bypass
This module integrates the Skrill online payment services with Drupal Commerce. When processing Instant payment notifications (IPN), the "Moneybookers enterprise" payment method provided by the Commerce Skrill contributed module does not perform sufficient access checking, potentially allowing forg...
SA-CONTRIB-2013-041 - Chaos tool suite (ctools) - Access bypass
This CTools module provides a set of APIs and tools to improve the developer experience. The module doesn't sufficiently enforce node access when providing an autocomplete list of suggested node titles, allowing users with the "access content" permission to see the titles of nodes which they shou...
SA-CONTRIB-2013-036 - Zero Point - Cross Site Scripting (XSS)
Zero Point is a theme which includes many options, ideal for a wide range of sites. The theme does not escape user supplied text, which creates a reflected Cross site scripting (XSS) vulnerability in URLs. There are no mitigating factors. CVE identifiers issued CVE-2013-1905 Versions affected...
SA-CONTRIB-2013-038 - Commons Groups - Access bypass & Privilege escalation
The Drupal Commons distribution is a tool for building social, group-based collaboration communities. The Commons Groups module is used by the distribution to provide specific Organic Groups customizations. Versions 3.0 and earlier of the Commons Groups module are vulnerable to an access bypass an...