Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
•added 2014/02/12 12:0 a.m.•21 views

SA-CONTRIB-2014-016 - Mayo Theme - XSS Vulnerability

The theme settings allow you to link to a header background file. A URL could be entered that was not properly sanitized leading to XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". CVE identifiers issued...

4CVSS5.7AI score0.0118EPSS
Exploits0References11
Drupal
Drupal
•added 2014/02/12 12:0 a.m.•12 views

SA-CONTRIB-2014-015 - FileField - Access Bypass

FileField module allows users to upload files with in conjunction with the Content Construction Kit CCK module in Drupal 6. The module doesn't sufficiently check permissions on revisions when determining if a user should have access to a particular file attached to that revision. A user could gai...

7.1AI score
Exploits0References12
Drupal
Drupal
•added 2014/02/12 12:0 a.m.•16 views

SA-CONTRIB-2014-019 - Easy Social - Cross Site Scripting (XSS)

This module enables you to add social sharing widgets to your content and pages. The module doesn't sufficiently validate block titles when a user creates a custom block from within the module's admin interface. This vulnerability is mitigated by the fact that an attacker must have a role with th...

3.5CVSS6.3AI score0.01046EPSS
Exploits0References10
Drupal
Drupal
•added 2014/02/12 12:0 a.m.•19 views

SA-CONTRIB-2014-018 - Webform - Cross Site Scripting (XSS)

The Webform module enables you to create forms which can be used for surveys, contact forms or other data collection throughout your site. The module doesn't sufficiently sanitize field label titles when two fields have the same formkey, which can only be managed by carefully crafting the webform...

3.5CVSS6.3AI score0.01095EPSS
Exploits0References14
Drupal
Drupal
•added 2014/02/05 12:0 a.m.•20 views

SA-CONTRIB-2014-012- Modal Frame API - Cross Site Scripting (XSS)

This module enables provides an API to render an iframe within a modal dialog based on the jQuery UI Dialog plugin. You should not install this module unless another module requires you to, or you wish to use it for your own custom modules. The module doesn't sufficiently filter user supplied tex...

4.3CVSS6.4AI score0.01792EPSS
Exploits0References9
Drupal
Drupal
•added 2014/02/05 12:0 a.m.•14 views

SA-CONTRIB-2014-009 - Tagadelic - Information Disclosure

This module provides an API and a few simple turnkey modules, which allows you to easily create tagclouds, weighted lists, search-clouds and such. The 6.x-1.x version does not account for node access modules, thus leading to information being disclosed. This vulnerability is mitigated by the fact...

6.7AI score
Exploits0References13
Drupal
Drupal
•added 2014/02/05 12:0 a.m.•15 views

SA-CONTRIB-2014-011 - Push Notifications - Information Disclosure

This module enables the delivery of push notifications to iOS and Android devices. The module doesn't sufficiently randomize the certificate filenames required for Apple's Push Notification service or protect the files from being publicly accessible, which could allow an attacker to acquire the...

6.7AI score
Exploits0References12
Drupal
Drupal
•added 2014/02/05 12:0 a.m.•10 views

SA-CONTRIB-2014-010 - Services - Access Bypass and Privilege Escalation

The Services module enables you to expose an API to third party systems using REST, XML-RPC or other protocols. User update access bypass vulnerability An authenticated user is able to assign additional roles to themselves, which means they can escalate their privileges by assigning an...

7AI score
Exploits0References14
Drupal
Drupal
•added 2014/01/29 12:0 a.m.•22 views

SA-CONTRIB-2014-008 - Tribune - Cross Site Scripting (XSS)

A tribune is a type of chatroom. The module doesn't sufficiently filter user provided text from Tribune node titles. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create a Tribune node. CVE identifiers issued CVE-2014-8075 Versions affected...

3.5CVSS6.3AI score0.00946EPSS
Exploits0References9
Drupal
Drupal
•added 2014/01/29 12:0 a.m.•19 views

SA-CONTRIB-2014-007 - Services - Multiple access bypass vulnerabilities

This module enables you to expose an API to third party systems using REST, XML-RPC or other protocols. The form API provides a method for developers to submit forms programmatically using the function drupalformsubmit. During programmatic form submissions, all access checks are deliberately...

7.1AI score
Exploits0References16
Drupal
Drupal
•added 2014/01/22 12:0 a.m.•20 views

SA-CONTRIB-2014-003 - Doubleclick for Publishers DFP - Cross Site Scripting (XSS)

This module enables you to create blocks to place advertisements from the Google Double Click for Publishers API DFP. The module doesn't sufficiently sanitize the slot names prior to output into HTML. This vulnerability is mitigated by the fact that an attacker must have a role with the permissio...

3.5CVSS6.3AI score0.00946EPSS
Exploits0References10
Drupal
Drupal
•added 2014/01/22 12:0 a.m.•20 views

SA-CONTRIB-2014-006 - Language Switcher Dropdown - Open Redirect

The Language Switcher Dropdown module enables you to place a block with a convenient drop-down language switcher. After choosing a value the user is redirected to the url of the relevant language. The module doesn't check that the url provided is a valid internal path prior to redirecting. CVE...

5.8CVSS6.4AI score0.01191EPSS
Exploits0References10
Drupal
Drupal
•added 2014/01/22 12:0 a.m.•16 views

SA-CONTRIB-2014-004 - Secure Cookie Data - Faulty Hashing

This module allows for storing data securely in a cookie through implementing the Secure Cookie Protocol. Ability to alter trusted data in the cookie The module did an incorrect comparison of the HMAC value, allowing a bypass of the HMAC verification which allows changing the cookie value. Known...

7AI score
Exploits0References14
Drupal
Drupal
•added 2014/01/22 12:0 a.m.•14 views

SA-CONTRIB-2014-005 - Leaflet - Access bypass

The Leaflet module enables you to display an interactive map using the Leaflet library, using entities as map features. The module exposes complete data from entities used as map features to any site visitor with a Javascript inspector like Firebug. CVE identifiers issued ACVE identifier will be...

7AI score
Exploits0References13
Drupal
Drupal
•added 2014/01/15 12:0 a.m.•668 views

SA-CORE-2014-001 - Drupal core - Multiple vulnerabilities

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. Impersonation OpenID module - Drupal 6 and 7 - Highly critical A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack...

7.5CVSS6.4AI score0.01526EPSS
Exploits0References19
Drupal
Drupal
•added 2014/01/15 12:0 a.m.•18 views

SA-CONTRIB-2014-002 - Anonymous Posting - Cross Site Scripting (XSS)

This module allows anonymous users to fill in their contact information name, email and homepage when posting any content type including Forum Topics. This allows the submitted name to be shown instead of the usual anonymous string provided by Drupal core. The module doesn't properly sanitize the...

4.3CVSS6.1AI score0.02177EPSS
Exploits0References10
Drupal
Drupal
•added 2014/01/08 12:0 a.m.•34 views

SA-CONTRIB-2014-001 - Entity API - Access Bypass

The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. Comment, User and Node Statistics property access bypass CVE-2014-1398 The module's entity wrapper access API doesn't sufficiently protect comment, user and no...

6.5CVSS6.3AI score0.0149EPSS
Exploits0References14
Drupal
Drupal
•added 2013/12/18 12:0 a.m.•20 views

SA-CONTRIB-2013-098 - Ubercart - Session Fixation Vulnerability

The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal. The module doesn't sufficiently protect against session fixation attacks when a user is automatically logged in to a newly created account during checkout. This vulnerability is mitigated by the fact that ...

6.8CVSS6.4AI score0.01346EPSS
Exploits0References12
Drupal
Drupal
•added 2013/12/04 12:0 a.m.•26 views

SA-CONTRIB-2013-097 - OG Features - Access bypass

This module enables you to enable and disable bundles of functionality for individual Organic groups. In order to provide this functionality, this module must override all menu callbacks available in the system, in order to delegate access based on the current Organic group you are contextually i...

5.8CVSS6.1AI score0.01218EPSS
Exploits0References12
Drupal
Drupal
•added 2013/11/20 12:0 a.m.•687 views

SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. Multiple vulnerabilities due to optimistic cross-site request forgery protection Form API validation - Drupal 6 and 7 Drupal's form API has built-in cross-site request forgery CSRF validation, and also allows any...

6.8CVSS7.1AI score0.03072EPSS
Exploits0References28
Drupal
Drupal
•added 2013/11/20 12:0 a.m.•22 views

SA-CONTRIB-2013-094 - EU Cookie Compliance - Cross Site Scripting (XSS)

This module enables you to display notifications so that visitors can give their consent to setting cookies by your website. The module doesn't sufficiently fiter and validate configuration values entered by administrators. This vulnerability is mitigated by the fact that an attacker must have a...

2.1CVSS6.3AI score0.00941EPSS
Exploits0References11
Drupal
Drupal
•added 2013/11/20 12:0 a.m.•19 views

SA-CONTRIB-2013-093 - Invitation - Access Bypass

The Invitation module restricts registration to users who have an invite code for running a private beta. The module provides default views that don't check access to views prior to displaying private information like usernames and email addresses. CVE identifiers issued CVE-2013-7063 Versions...

5CVSS6.3AI score0.01354EPSS
Exploits0References9
Drupal
Drupal
•added 2013/11/20 12:0 a.m.•16 views

SA-CONTRIB-2013-096 - Entity reference - Access bypass

By default, with an autoselect or a select widget, a user cannot autocomplete an entity title, nor can they select an entity that they have no access to. This will correctly throw a 'invalid id' error and does not show the title of the entity. However, if a user A that has access to the reference...

4.3CVSS6.1AI score0.01066EPSS
Exploits0References13
Drupal
Drupal
•added 2013/11/20 12:0 a.m.•25 views

SA-CONTRIB-2013-095 - Organic Groups - Access bypass

Two issues exist within entity references and permissions relating to OG, allowing users potential access bypass. Posting content into groups where a user is not a member Organic Groups does not sufficiently check the group audience fields e.g. oggroupref field from being populated with invalid...

5.8CVSS6AI score0.01218EPSS
Exploits0References13
Drupal
Drupal
•added 2013/11/13 12:0 a.m.•16 views

SA-CONTRIB-2013-090 - Revisioning - Access Bypass

This module enables you to create content publication workflows whereby one version of the content is "live" publicly visible, while another is being edited and moderated privately until found fit for publication. The module doesn't sufficiently apply node access permissions when used in...

4CVSS6.1AI score0.01082EPSS
Exploits0References10
Drupal
Drupal
•added 2013/11/13 12:0 a.m.•20 views

SA-CONTRIB-2013-092 - Misery - Denial of Service (DOS) vulnerability.

This module enables you to make life difficult for certain users, such as trolls, as an alternative to banning or deleting them from a community. The module provides means by which to punish members of your website. The aim of misery is to be not traceable by users on the misery list, so misery...

4.3CVSS6.3AI score0.01336EPSS
Exploits0References12
Drupal
Drupal
•added 2013/11/13 12:0 a.m.•23 views

SA-CONTRIB-2013-091 - Groups, Communities and Co (GCC) - Access Bypass

This module enables you to manage groups and assign content and users to groups. The module doesn't sufficiently check permissions to some of the configuration pages allowing unprivileged users to access the roles and permissions pages of the GCC module. CVE identifiers issued CVE-2013-4598...

5CVSS6.4AI score0.01888EPSS
Exploits0References10
Drupal
Drupal
•added 2013/11/06 12:0 a.m.•24 views

SA-CONTRIB-2013-089 - Node Access Keys - Access Bypass

Node Access Keys helps to grant users temporary view permissions to selected content types on a per user role basis. However, it only implements hooknodeaccess and not hookqueryalter, which means any listing of nodes does not respect the node view access. CVE identifiers issued CVE-2013-4596...

5.8CVSS6.4AI score0.01218EPSS
Exploits0References9
Drupal
Drupal
•added 2013/11/06 12:0 a.m.•31 views

SA-CONTRIB-2013-088 - Secure Pages - Missing Encryption of Sensitive Data

The Secure Pages module manages redirects between HTTP and HTTPS pages. A flaw in the URL path matching could lead some pages and forms to be transmitted via plain HTTP, even if the administrator intended those pages to use HTTPS. This flaw may surface either due to a malicious user enticing a us...

4.3CVSS6.2AI score0.00965EPSS
Exploits0References10
Drupal
Drupal
•added 2013/11/06 12:0 a.m.•18 views

SA-CONTRIB-2013-087 - Payment for Webform - Access Bypass

This module enables you to ask for or require payments before users can submit webforms. It previously allowed anonymous users to sometimes use other anonymous users' payments when submitting a form. Payment for Webform never supported anonymous users, but there was also nothing that prevented th...

4.3CVSS6.5AI score0.01042EPSS
Exploits0References12
Drupal
Drupal
•added 2013/10/30 12:0 a.m.•23 views

SA-CONTRIB-2013-084 - FileField Sources - Access Bypass

This module expands on the FileField module by allowing you to select new or existing files through additional means, such as re-using files with an auto-complete textfield, attaching server-side files uploaded via FTP, transferring file files from a remote server, pasting a file directly from th...

4CVSS6.4AI score0.01094EPSS
Exploits0References10
Drupal
Drupal
•added 2013/10/30 12:0 a.m.•13 views

SA-CONTRIB-2013-083 - Quiz - Access Bypass

Access bypass on deleting quiz results The Quiz module provides tools for authoring and administering quizzes through Drupal. A quiz is given as a series of questions, with only one question appearing per page. Scores are then stored in the database. The module doesn't sufficiently check the dele...

5.8AI score
Exploits0References13
Drupal
Drupal
•added 2013/10/30 12:0 a.m.•20 views

SA-CONTRIB-2013-086 - Monster Menus - Access bypass

Monster Menus includes the ability to protect the visibility of comments for each node based on hierarchical permissions. However, a carefully-crafted URL could be used to bypass these permissions, allowing an anonymous user to view the comments associated with certain nodes. In order for this fl...

2.6CVSS6.2AI score0.01185EPSS
Exploits0References8
Drupal
Drupal
•added 2013/10/30 12:0 a.m.•24 views

SA-CONTRIB-2013-085 - Feed Element Mapper - Cross Site Scripting

Feed Element Mapper is an add-on module for FeedAPI that maps elements on a feed item such as tags or the author name to taxonomy or CCK fields. The module doesn't sufficiently filter text when displaying options to users. This vulnerability is mitigated by the fact that an attacker must have a...

2.1CVSS6.4AI score0.00729EPSS
Exploits0References8
Drupal
Drupal
•added 2013/10/23 12:0 a.m.•17 views

SA-CONTRIB-2013-082 - Bean - Cross Site Scripting (XSS)

This module enables you to create block entities a.k.a. beans. The module did not sufficiently filter bean titles for dangerous html. This vulnerability is mitigated by the fact that an attacker must have permission to create or edit beans. CVE identifiers issued CVE-2013-4499 Versions affected...

4.3CVSS6.3AI score0.01148EPSS
Exploits0References9
Drupal
Drupal
•added 2013/10/23 12:0 a.m.•18 views

SA-CONTRIB-2013-081 - Spaces - Access bypass

This module enables you to make configuration options generally available only at the sitewide level to be configurable and overridden by individual "spaces" on a Drupal site. The spaces submodule, Spaces OG, doesn't properly handle deleting of organic group group spaces when the option to move t...

2.1CVSS6.2AI score0.00946EPSS
Exploits0References8
Drupal
Drupal
•added 2013/10/16 6:39 p.m.•6 views

SA-CONTRIB-2013-080 - Simplenews - Cross Site Scripting (XSS)

This module enables you to publish and send newsletters to lists of subscribers. The module also includes an API that other modules can use to register subscribers. The module doesn't sufficiently sanitize e-mail addresses prior to outputting. The provided forms sign-up, mass import, .. validate...

4.3CVSS5.5AI score0.02688EPSS
Exploits0References10
Drupal
Drupal
•added 2013/10/16 3:39 p.m.•7 views

SA-CONTRIB-2013-079 - Context - Multiple Vulnerabilities

Context allows you to manage contextual conditions and reactions for different portions of your site This advisory covers two separate issues. Arbitrary PHP Code Execution The first, and more severe issue Highly Critical status, is that the module allows execution of PHP code via manipulation of ...

6AI score
Exploits0References12
Drupal
Drupal
•added 2013/10/02 12:0 a.m.•23 views

SA-CONTRIB-2013-078 - Quick Tabs - Access Bypass

The Quick Tabs module allows you to create blocks of tabbed content, specifically views, blocks, nodes and other quicktabs. You can create a block on your site containing multiple tabs with corresponding content. The module does not sufficiently check block permissions before rendering a Quick Ta...

5CVSS6.2AI score0.01513EPSS
Exploits0References13
Drupal
Drupal
•added 2013/09/18 12:0 a.m.•20 views

SA-CONTRIB-2013-077 - Google Site Search - Cross Site Scripting (XSS)

This module enables you to use the Google API to search one or more sites and show the result in your Drupal site, with your custom styling. The module doesn't sufficiently sanitize the data retrieved from the Google API. This vulnerability is mitigated by the fact that an attack must come from t...

4.3CVSS6.3AI score0.01792EPSS
Exploits0References9
Drupal
Drupal
•added 2013/09/11 12:0 a.m.•19 views

SA-CONTRIB-2013-075 - Click2Sell - Multiple Vulnerabilities (XSS and CSRF)

Click2Sell is an Affiliate Marketing Network which lets you sell your products through their marketplace or on your website with buy it now buttons, and which also allows you to access hundreds of affiliates who want to sell your product for you and earn commission. Reflected Cross Site Scripting...

5.8AI score
Exploits0References7
Drupal
Drupal
•added 2013/09/11 12:0 a.m.•15 views

SA-CONTRIB-2013-074 - MediaFront - Cross Site Scripting (XSS)

The MediaFront module provides a front-end media presentation layer for Drupal The module doesn't sufficiently filter user input from MediaFront preset settings. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer mediafront" to exploit th...

2.1CVSS6.3AI score0.00941EPSS
Exploits0References12
Drupal
Drupal
•added 2013/09/11 12:0 a.m.•26 views

SA-CONTRIB-2013-076 - jQuery Countdown - Cross Site Scripting (XSS)

This jQuery Countdown Module enables you to display a countdown block based upon date settings. The jQuery Countdown Module does not properly sanitize the settings, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS vulnerability. This vulnerability ...

2.1CVSS5.7AI score0.00931EPSS
Exploits0References10
Drupal
Drupal
•added 2013/09/04 12:0 a.m.•21 views

SA-CONTRIB-2013-073 - Make Meeting Scheduler - Access Bypass

This module enables you to create polls accessible by an url with hash e.g. example.com/makemeeting/sn9028xh3398 so that anonymous users can view and vote on the poll. The module didn't sufficiently check access when a poll is accessed directly via its node url e.g. node/123. Note: a user with th...

6.4CVSS6.4AI score0.01358EPSS
Exploits0References9
Drupal
Drupal
•added 2013/08/28 12:0 a.m.•15 views

SA-CONTRIB-2013-071 - Flag - Cross Site Scripting

The Flag module allows creation of customizable flags on entities. Flag does not properly sanitize the name of a flag on the main flag administration page, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS vulnerability. This vulnerability is...

5.6AI score
Exploits0References9
Drupal
Drupal
•added 2013/08/28 12:0 a.m.•16 views

SA-CONTRIB-2013-072 - Node View Permissions - Access Bypass

The Node View Permissions module adds permissions "View own content" and "View any content" for each content type on the permissions page. However, it only implements hooknodeaccess and not hookqueryalter, which means any listing of nodes does not respect the node view permission. CVE identifiers...

6.5AI score
Exploits0References10
Drupal
Drupal
•added 2013/08/21 12:0 a.m.•19 views

SA-CONTRIB-2013-070 - Zen - Cross Site Scripting

The Zen theme is a very popular base/starter theme. Zen doesn't sufficiently escape the breadcrumb separator field, allowing a possible XSS exploit. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". CVE identifiers issued...

5.4CVSS5.3AI score0.01037EPSS
Exploits1References10
Drupal
Drupal
•added 2013/08/14 12:0 a.m.•20 views

SA-CONTRIB-2013-067 - BOTCHA - Information Disclosure (potential Privilege Escalation)

BOTCHA is a highly configurable non-CAPTCHA spam protection framework. The module includes a debug mode which logs the content of submitted forms including passwords and other sensitive information. An attacker who gains access to the log i.e. dblog or syslog depending on configuration could get...

4.3CVSS6.3AI score0.01031EPSS
Exploits0References12
Drupal
Drupal
•added 2013/08/14 12:0 a.m.•18 views

SA-CONTRIB-2013-068 - Entity API - Access Bypass

The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties. The module doesn't sufficiently enforce node access restrictions when checking for a user's access to view a comment associated with a particular node. The...

4CVSS6.2AI score0.01082EPSS
Exploits0References15
Drupal
Drupal
•added 2013/08/14 12:0 a.m.•19 views

SA-CONTRIB-2013-069 - Password Policy - XSS

This module enables you to specify a certain level of password complexity aka. "password hardening" for user passwords in Drupal by defining a password policy. When viewing and editing a password policy, the module doesn't sufficiently filter the form text field input and display for the "Passwor...

2.1CVSS6.5AI score0.00973EPSS
Exploits1References9
Total number of security vulnerabilities1940