Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2013/08/07 12:0 a.m.25 views

SA-CONTRIB-2013-066 - Monster Menus - Multiple Vulnerabilities

Monster Menus enables you to create granular page permissions, and apply them to a hierarchical page structure. The mmwebform submodule enables you to assign permissions derived from Monster Menus to webform forms. The module doesn't sufficiently filter titles entered into page settings and echoe...

2.1CVSS5.7AI score0.01099EPSS
Exploits1References9
Drupal
Drupal
added 2013/08/07 12:0 a.m.26 views

SA-CONTRIB-2013-064 - Persona - Cross site request forgery (CSRF)

This module enables users to sign into a Drupal website using Mozilla Persona. The module uses a security token to ensure that a sign-in request is made from a web page that is participating in the current session. It was possible for a security token that was not of type "string" to be accepted ...

8.8CVSS8.6AI score0.00761EPSS
Exploits0References10
Drupal
Drupal
added 2013/08/07 12:0 a.m.26 views

SA-CONTRIB-2013-065 - Organic Groups - Access Bypass

This module enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. The module allows any authenticated user to guess the node ID of private groups, and subscribe to them without...

4.3CVSS4.5AI score0.01157EPSS
Exploits0References11
Drupal
Drupal
added 2013/08/07 12:0 a.m.21 views

SA-CONTRIB-2013-063 - Authenticated User Page Caching (Authcache) - Information Disclosure

This module enables page caching for authenticated users. A separate version of each cacheable page is stored for each group of users with the same combination of roles. Users having the exact same role-combination like the superuser uid=1 might access cached pages generated with the superuser...

6.5CVSS6.3AI score0.01626EPSS
Exploits0References9
Drupal
Drupal
added 2013/08/07 12:0 a.m.27 views

SA-CONTRIB-2013-062 - RESTful Web Services (RESTWS) - Access Bypass

This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module doesn't sufficiently check for field level access when preforming entity write operations on POST and PUT requests. It also do...

8.8CVSS8.8AI score0.02054EPSS
Exploits0References9
Drupal
Drupal
added 2013/07/31 12:0 a.m.24 views

SA-CONTRIB-2013-061 - Flippy - Access Bypass

This module enables you to generate previous/next links for content types. The module doesn't sufficiently enforce node access when generating previous/next links. A user may be presented with a link including alias if one is set but will not be able to view the node content. This vulnerability i...

6.5CVSS6.2AI score0.01451EPSS
Exploits0References10
Drupal
Drupal
added 2013/07/24 12:0 a.m.34 views

SA-CONTRIB-2013-060 - Scald - Cross Site Scripting (XSS)

This module enables you to handle media assets atoms in Drupal with a Views-based library, drag and drop interface and manage content attribution/licensing/distribution. The module doesn't sufficiently filter atom properties such as the atom title when outputting atoms, thereby exposing a Cross...

4.3CVSS5.6AI score0.01425EPSS
Exploits1References9
Drupal
Drupal
added 2013/07/17 12:0 a.m.13 views

SA-CONTRIB-2013-059 - Hostmaster (Aegir) - Access Bypass

This install profile and accompanying suite of modules enables you to install, upgrade, deploy, and backup Drupal sites among other things. The module doesn't sufficiently control access to running tasks on sites, under the scenario where a user successfully guesses a sites' path in the Aegir...

6.9AI score
Exploits0References12
Drupal
Drupal
added 2013/07/17 12:0 a.m.9 views

SA-CONTRIB-2013-058 - MRBS - Abandoned - Mutliple vulnerabilities

MRBS is a free, GPL, web application using PHP and MySQL/pgsql for booking meeting rooms or other resources. The module doesn't sufficiently filter user supplied data when creating queries which leads to a SQL injection vulnerability. CVE identifiers issued ACVE identifier will be requested, and...

8.2AI score
Exploits0References9
Drupal
Drupal
added 2013/07/10 12:0 a.m.27 views

SA-CONTRIB-2013-055 - Hatch - Cross Site Scripting

Hatch theme is a simple and minimal portfolio theme for photographers, illustrators, designers, or photobloggers. The theme didn't sufficiently escape user supplied text prior to printing them. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...

2.1CVSS6.4AI score0.00931EPSS
Exploits0References9
Drupal
Drupal
added 2013/07/10 12:0 a.m.30 views

SA-CONTRIB-2013-056 - Stage File Proxy - Denial of Service

This module saves time and disk space by sending requests to your development environment's files directory to the production environment and making a copy of the production file in your development site. An attacker could make repeated requests to the server, even over a long period, which would...

5CVSS6.3AI score0.01553EPSS
Exploits0References9
Drupal
Drupal
added 2013/07/10 12:0 a.m.19 views

SA-CONTRIB-2013-057 - TinyBox - Cross Site Scripting (XSS)

TinyBox module uses TinyBox, a lightweight and standalone modal window script. The main purpose of this module is to provide Splash Screen/Window as simple as possible. The module doesn't filter user-supplied text prior to display. The vulnerability is mitigated by the fact that an attacker must...

2.1CVSS6.3AI score0.01089EPSS
Exploits0References11
Drupal
Drupal
added 2013/06/26 12:0 a.m.17 views

SA-CONTRIB-2013-054 - Fast Permissions Administration - Access Bypass

The Fast Permissions Administration module enables you to use inline filters on the permissions page, as well as loading the permissions form through a modal dialog. The module doesn't sufficiently check user access for the modal content callback, allowing unauthorized access to the permissions...

7.5CVSS6.4AI score0.01527EPSS
Exploits0References11
Drupal
Drupal
added 2013/06/19 12:0 a.m.30 views

SA-CONTRIB-2013-053 - Login Security - Multiple Vulnerabilities

Login Security module adds additional access controls to the login form of Drupal. When Login Security is configured to use the delay feature, frequent or concurrent failed attempts to login can consume all the web serving processes, causing a denial of service. It is possible to bypass Login...

9.8CVSS9.4AI score0.01727EPSS
Exploits0References10
Drupal
Drupal
added 2013/06/12 12:0 a.m.20 views

SA-CONTRIB-2013-052 - Display Suite - Cross Site Scripting (XSS)

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. In certain situations, Display Suite does not properly sanitize entity bundle labels, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS...

4.3CVSS5.6AI score0.01161EPSS
Exploits0References9
Drupal
Drupal
added 2013/06/05 12:0 a.m.19 views

SA-CONTRIB-2013-051 - Services - Cross site request forgery (CSRF)

This module enables you to expose an API to third party systems using REST, XML-RPC or other protocols. The module doesn't sufficiently verify writing requests POST, PUT, DELETE with session cookie authentication, thereby exposing a Cross Site Request Forgery vulnerability. This vulnerability is...

6.8CVSS6.7AI score0.00727EPSS
Exploits0References10
Drupal
Drupal
added 2013/05/29 12:0 a.m.20 views

SA-CONTRIB-2013-050 - Webform - Cross Site Scripting (XSS)

The Webform module allows the creation of custom webforms and surveys. Webform module does not sanitize the labels of created components fields when displaying a list of components to be used in e-mails or downloaded CSV files. This vulnerability is mitigated by the fact that an attacker must hav...

4.3CVSS6.3AI score0.01284EPSS
Exploits0References10
Drupal
Drupal
added 2013/05/29 12:0 a.m.19 views

SA-CONTRIB-2013-048 - Edit Limit - Access Bypass

Edit Limit enables you to set time and count-based limits on how and when a user can edit nodes or comments. The module doesn't sufficiently check user access when editing comments to see if the user has the necessary permissions to edit a comment outside of the limits applied by this module. Thi...

5CVSS6.3AI score0.01556EPSS
Exploits0References10
Drupal
Drupal
added 2013/05/29 12:0 a.m.29 views

SA-CONTRIB-2013-049 - Node access user reference - Access Bypass

This module allows different access permissions to be given to authors, referenced users and non-referenced users. When an author has created content containing a user reference field with author update/delete grants enabled and the author's user account is later deleted, content created by them...

5.8CVSS6.3AI score0.01309EPSS
Exploits1References12
Drupal
Drupal
added 2013/05/15 12:0 a.m.22 views

SA-CONTRIB-2013-047 - Google Authenticator login - Access Bypass

This module will allow you to add Time-based One-time Password Algorithm also called "Two Step Authentication" or "Multi-Factor Authentication" support to user logins. It works with Google's Authenticator app system and support most if not all OATH based HOTP/TOTP systems. Accidental removal of...

6.5AI score
Exploits0References10
Drupal
Drupal
added 2013/05/01 12:0 a.m.29 views

SA-CONTRIB-2013-046 - Filebrowser - Reflected Cross Site Scripting (XSS)

Filebrowser module allows site administrators to expose a particular file system folder and all of its subfolders with an FTP-like interface to site visitors. The module doesn't sufficiently sanitize user input when presenting lists of files. Because the vulnerability is Reflected Cross Site...

4.3CVSS6.1AI score0.01161EPSS
Exploits0References9
Drupal
Drupal
added 2013/04/17 12:0 a.m.22 views

SA-CONTRIB-2013-045 - Autocomplete Widgets for Text and Number Fields (autocomplete_widgets) - Access bypass

Autocomplete Widgets module adds autocomplete widgets for Text and Number fields. The autocomplete callback implemented by this module does not honor node permissions to access existing fields, allowing users to see field values even though they are not authorized to access that information. This...

4CVSS6.3AI score0.01094EPSS
Exploits0References16
Drupal
Drupal
added 2013/04/17 12:0 a.m.25 views

SA-CONTRIB-2013-044 - elFinder file manager - Cross Site Request Forgery (CSRF)

The elfinder module provides an AJAX-based file manager based on the elFinder javascript library. The module doesn't sufficiently verify requests thereby exposing a Cross Site Request Forgery CSRF vulnerability. This would enable an attacker to create, modify, or delete files on the server. There...

4.3CVSS6.6AI score0.01354EPSS
Exploits0References13
Drupal
Drupal
added 2013/04/17 12:0 a.m.24 views

SA-CONTRIB-2013-043 - MP3 Player - Cross Site Scripting (XSS)

This module enables you to easily enable a Flash MP3 Player on a CCK FileField. The module doesn't sufficiently filter user-supplied text from mp3 filenames. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create a node with an mp3 filefield wi...

2.1CVSS6.4AI score0.00931EPSS
Exploits0References8
Drupal
Drupal
added 2013/04/10 12:0 a.m.25 views

SA-CONTRIB-2013-042 - RESTful Web Services (RESTWS) - Denial of Service

This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module interferes with Drupal's page cache and allows an attacker to poison the cache with non-HTML page responses, thereby exposing ...

4.3CVSS6.4AI score0.01347EPSS
Exploits0References9
Drupal
Drupal
added 2013/04/03 12:0 a.m.16 views

SA-CONTRIB-2013-041 - Chaos tool suite (ctools) - Access bypass

This CTools module provides a set of APIs and tools to improve the developer experience. The module doesn't sufficiently enforce node access when providing an autocomplete list of suggested node titles, allowing users with the "access content" permission to see the titles of nodes which they shou...

3.5CVSS6.3AI score0.01772EPSS
Exploits0References12
Drupal
Drupal
added 2013/04/03 12:0 a.m.20 views

SA-CONTRIB-2013-040 - Commerce Skrill (Formerly Moneybookers) - Access bypass

This module integrates the Skrill online payment services with Drupal Commerce. When processing Instant payment notifications IPN, the "Moneybookers enterprise" payment method provided by the Commerce Skrill contributed module does not perform sufficient access checking, potentially allowing forg...

7.5CVSS7.5AI score0.01094EPSS
Exploits0References11
Drupal
Drupal
added 2013/03/27 12:0 a.m.24 views

SA-CONTRIB-2013-039 - Commons Wikis - Access bypass & Privilege escalation

The Drupal Commons distribution is a tool for building social, group-based collaboration communities. The Commons Wikis module is used by the distribution to provide specific wiki functionality. Versions 3.0 and earlier of the Commons Wikis module is vulnerable to an access bypass and privilege...

5CVSS6.7AI score0.02558EPSS
Exploits0References13
Drupal
Drupal
added 2013/03/27 12:0 a.m.17 views

SA-CONTRIB-2013-036 - Zero Point - Cross Site Scripting (XSS)

Zero Point is a theme which includes many options, ideal for a wide range of sites. The theme does not escape user supplied text which creates a reflected Cross site scripting XSS vulnerability in URLs. There are no mitigating factors. CVE identifiers issued CVE-2013-1905 Versions affected...

4.3CVSS5.5AI score0.02227EPSS
Exploits0References9
Drupal
Drupal
added 2013/03/27 12:0 a.m.27 views

SA-CONTRIB-2013-037 - Rules - Cross Site Scripting (XSS)

The Rules module allows site administrators to define conditionally executed actions based on occurring events known as reactive or ECA rules. It's a replacement with more features for the trigger module in core. The module contains a persistent cross site scripting XSS vulnerability due to the...

4.3CVSS5.4AI score0.01148EPSS
Exploits0References9
Drupal
Drupal
added 2013/03/27 12:0 a.m.21 views

SA-CONTRIB-2013-038 - Commons Groups - Access bypass & Privilege escalation

The Drupal Commons distribution is a tool for building social, group-based collaboration communities. The Commons Groups module is used by the distribution to provide specific Organic Groups customizations. Versions 3.0 and earlier of the Commons Groups module is vulnerable to an access bypass an...

5CVSS6.7AI score0.02908EPSS
Exploits0References13
Drupal
Drupal
added 2013/03/20 12:0 a.m.23 views

SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented. The module incorrectly prints some view configuration fields without proper sanitization opening a Cross-Site Scripting...

2.1CVSS5.8AI score0.02046EPSS
Exploits0References12
Drupal
Drupal
added 2013/03/13 12:0 a.m.21 views

SA-CONTRIB-2013-034 - Node Parameter Control - Access Bypass

This module enables you to limit the visibility of the fields on the node edit form. The module doesn't sufficiently check access before allowing users to view and edit the configuration options allowing anonymous and authenticated users the ability to view and edit the configuration options. CVE...

6.4CVSS6.2AI score0.02782EPSS
Exploits0References8
Drupal
Drupal
added 2013/02/27 12:0 a.m.26 views

SA-CONTRIB-2013-031 - Premium Responsive theme - Cross Site Scripting (XSS)

This third-party contributed theme change Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.6AI score0.00941EPSS
Exploits0References10
Drupal
Drupal
added 2013/02/27 12:0 a.m.25 views

SA-CONTRIB-2013-026 - Best Responsive Theme - Cross Site Scripting (XSS)

Best Responsive theme is a light weight Drupal 7 theme with a modern look and feel. The theme doesn't properly sanitize user-entered content in the social icon leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.7AI score0.01089EPSS
Exploits0References10
Drupal
Drupal
added 2013/02/27 12:0 a.m.26 views

SA-CONTRIB-2013-025 - Fresh Theme - Cross Site Scripting (XSS)

This third-party contributed theme change Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.6AI score0.00962EPSS
Exploits0References10
Drupal
Drupal
added 2013/02/27 12:0 a.m.23 views

SA-CONTRIB-2013-032 - Company theme - Cross Site Scripting (XSS)

This third-party contributed theme changes Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.6AI score0.00941EPSS
Exploits0References10
Drupal
Drupal
added 2013/02/27 12:0 a.m.15 views

SA-CONTRIB-2013-033 - Simple Corporate theme - Cross Site Scripting (XSS)

This third-party contributed theme change Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.6AI score0.00941EPSS
Exploits0References10
Drupal
Drupal
added 2013/02/27 12:0 a.m.27 views

SA-CONTRIB-2013-030 - Clean Theme - Cross Site Scripting (XSS)

This third-party contributed theme change Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.6AI score0.00941EPSS
Exploits0References10
Drupal
Drupal
added 2013/02/27 12:0 a.m.21 views

SA-CONTRIB-2013-024 - Creative Theme - Cross Site Scripting (XSS)

Creative Theme is a light weight Drupal 7 theme with a modern look and feel. The theme doesn't properly sanitize user-entered content in the social icon leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.7AI score0.00941EPSS
Exploits0References10
Drupal
Drupal
added 2013/02/27 12:0 a.m.18 views

SA-CONTRIB-2013-029 - Business theme - Cross Site Scripting (XSS)

This third-party contributed theme change Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.6AI score0.01089EPSS
Exploits0References10
Drupal
Drupal
added 2013/02/27 12:0 a.m.25 views

SA-CONTRIB-2013-028 - Responsive Blog Theme - Cross Site Scripting (XSS)

Responsive Blog Theme is a light weight Drupal 7 theme with a modern look and feel. The theme doesn't properly sanitize user-entered content in the social icon leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.7AI score0.01064EPSS
Exploits0References10
Drupal
Drupal
added 2013/02/20 12:0 a.m.16 views

SA-CONTRIB-2013-018 - Taxonomy Manager - Cross Site Request Forgery (CSRF)

The Taxonomy Manager provides an advanced interface for administrating taxonomy vocabularies. The module doesn't sufficiently verify POST requests thereby exposing a Cross Site Request Forgery vulnerability. This vulnerability is mitigated by the fact that an attacker must trick a user with...

5.1CVSS6.3AI score0.00684EPSS
Exploits0References9
Drupal
Drupal
added 2013/02/20 12:0 a.m.16 views

SA-CONTRIB-2013-019 - Ubercart Views - Cross site scripting (XSS)

Ubercart Views provides Views integration for the Ubercart shopping cart module. The "full name" field in Views is not properly sanitized on output. The vulnerability is mitigated by the fact that an attacker must get far enough in the checkout process to store their name with an order. CVE...

4.3CVSS6.4AI score0.01161EPSS
Exploits0References10
Drupal
Drupal
added 2013/02/20 12:0 a.m.24 views

SA-CONTRIB-2013-023 - Varnish module - Cross Site Scripting (XSS)

This module provides integration between your Drupal site and the Varnish HTTP Accelerator, an advanced and very fast reverse-proxy system. The module doesn't sufficiently filter user-supplied text provided in the configuration settings. This vulnerability is mitigated by the fact that an attacke...

4.3CVSS6.2AI score0.01284EPSS
Exploits0References13
Drupal
Drupal
added 2013/02/20 12:0 a.m.16 views

SA-CONTRIB-2013-017 - Yandex.Metrics - Cross site scripting (XSS)

The Yandex.Metrics module enables you to install Yandex.Metrica tracking code and watch reports by key indicators of user activity. The module doesn't sufficiently escape Yandex.Metrica service data when being displayed. This vulnerability is mitigated by the fact that it only impacts sites with...

4.3CVSS6.6AI score0.01284EPSS
Exploits0References9
Drupal
Drupal
added 2013/02/20 12:0 a.m.15 views

SA-CONTRIB-2013-022 - Menu Reference - Cross site scripting (XSS)

Module Menu Reference doesn't escape HTML that contains menu link title displayed in Menu Reference "Rendered links" formatter. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer menus and menu items" to insert HTML code in menu link titl...

2.1CVSS6.3AI score0.00941EPSS
Exploits0References9
Drupal
Drupal
added 2013/02/20 12:0 a.m.629 views

SA-CORE-2013-002 - Drupal core - Denial of service

Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becomi...

5CVSS6AI score0.01848EPSS
Exploits0References16
Drupal
Drupal
added 2013/02/20 12:0 a.m.21 views

SA-CONTRIB-2013-021 - Display Suite - Cross Site Scripting (XSS)

Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. In certain situations, Display Suite does not properly sanitize user-supplied data, allowing a malicious user to embed scripts within a page, resulting in a Cross-site Scripting XSS...

4.3CVSS5.6AI score0.01325EPSS
Exploits0References10
Drupal
Drupal
added 2013/02/20 12:0 a.m.27 views

SA-CONTRIB-2013-020 - Ubercart - Cross site scripting (XSS)

The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal. The "full name" field in Views did not properly sanitize output. The vulnerability is mitigated by the fact that an attacker must get far enough in the checkout process to store their name with an order. C...

4.3CVSS6.3AI score0.01161EPSS
Exploits0References10
Total number of security vulnerabilities1940