Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2013/02/13 12:0 a.m.22 views

SA-CONTRIB-2013-016 - Banckle Chat - Access bypass - Unsupported

This module enables you to chat with the visitors of your web site. The module doesn't sufficiently check access to its admin pages. This vulnerability is not mitigated. CVE identifiers issued CVE-2013-0318 Versions affected All Banckle Chat 7.x-1.x versions. Drupal core is not affected. If you d...

10CVSS6.4AI score0.02043EPSS
Exploits0References8
Drupal
Drupal
added 2013/02/13 12:0 a.m.23 views

SA-CONTRIB-2013-015 - Manager Change for Organic Groups - Cross site scripting (XSS)

This module extends Organic Groups to allow the manager of a group to select a new manager for their group ie if they want to leave the group. The autocomplete field for selecting a new manager didn't properly filter usernames. The vulnerability is mitigated by the fact that Drupal's default...

4.3CVSS5.9AI score0.01161EPSS
Exploits0References9
Drupal
Drupal
added 2013/02/06 12:0 a.m.18 views

SA-CONTRIB-2013-027 - Professional theme - Cross Site Scripting (XSS)

This third-party contributed theme change Drupal's interface. The theme doesn't properly sanitize user-entered content in the 3 slide gallery on the homepage leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker would have to have the...

2.1CVSS5.6AI score0.00941EPSS
Exploits0References10
Drupal
Drupal
added 2013/01/30 12:0 a.m.16 views

SA-CONTRIB-2013-013 - Boxes - Cross site scripting (XSS)

The subject field for the included simple box doesn't escape HTML properly. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to administer/edit boxes. Wikipedia has more information about cross site scripting XSS. CVE identifiers issued CVE-2013-02...

2.1CVSS5.5AI score0.00941EPSS
Exploits0References10
Drupal
Drupal
added 2013/01/30 12:0 a.m.22 views

SA-CONTRIB-2013-014 - Drush Debian Packaging - Information Disclosure - Unsupported

This package is a tool to build debian packages from a Drupal instance. The module doesn't sufficiently protect database credentials. This vulnerability is mitigated by the fact that an attacker must have shell access to the server. CVE identifiers issued CVE-2013-0260 Versions affected All...

2.1CVSS6.4AI score0.00312EPSS
Exploits0References8
Drupal
Drupal
added 2013/01/30 12:0 a.m.27 views

SA-CONTRIB-2013-011 - email2image - Access Bypass - Unsupported

This module creates images of user email addresses and email fields. The module doesn't sufficiently check node access restrictions when displaying such fields. This vulnerability is mitigated by the fact that it only impacts sites using node access. CVE identifiers issued CVE-2013-0257 Versions...

5CVSS6.5AI score0.01173EPSS
Exploits0References8
Drupal
Drupal
added 2013/01/30 12:0 a.m.29 views

SA-CONTRIB-2013-012 - Google Authenticator login - Access Bypass

This module will allow you to add Time-based One-time Password Algorithm also called "Two Step Authentication" or "Multi-Factor Authentication" support to user logins. Users with the permission to use multi-factor authentication need to associate a Google Authenticator token with their acount...

6.8CVSS6.3AI score0.01394EPSS
Exploits0References10
Drupal
Drupal
added 2013/01/23 12:0 a.m.21 views

SA-CONTRIB-2013-007 User Relationships - Cross Site Scripting (XSS)

The User Relationships module allows you to create multiple relationship types and maintain relationships between users in your Drupal site. The module does not sufficiently escape relationship names before display. This allows users with the correct permissions to create relationship names...

2.1CVSS6.4AI score0.01041EPSS
Exploits0References8
Drupal
Drupal
added 2013/01/23 12:0 a.m.21 views

SA-CONTRIB-2013-010 - Search API sorts - Cross Site Scripting (XSS)

This module enables you to sort by Search API facets. The module doesn't sufficiently filter user entered text in field labels. This vulnerability is mitigated by the fact that an attacker must have a role with the ability to modify field labels such as "administer taxonomy". CVE identifiers issu...

2.1CVSS6.3AI score0.00941EPSS
Exploits0References9
Drupal
Drupal
added 2013/01/23 12:0 a.m.22 views

SA-CONTRIB-2013-009 - Keyboard Shortcut Utility - Access Bypass - module unsupported

The Keyboard Shortcut Utility module enables you to create keyboard shortcuts on your website. You can create a shortcut to go to a page internal or external or call a JavaScript function. The module doesn't sufficiently check node access to view nodes for users who have "view shortcuts"...

6CVSS6.3AI score0.00945EPSS
Exploits0References9
Drupal
Drupal
added 2013/01/23 12:0 a.m.30 views

SA-CONTRIB-2013-006 - Video - Arbitrary Code Execution

The video module enables you to upload video and audio files and transcode them into other formats and sizes using other tools like FFmpeg or Zencoder. The module saves information about the FFmpeg executable in a temporary PHP file, but doesn't check if the file has been tampered with when readi...

4.4CVSS6.3AI score0.00303EPSS
Exploits0References9
Drupal
Drupal
added 2013/01/23 12:0 a.m.13 views

SA-CONTRIB-2013-008 - CurvyCorners - Cross Site Scripting (XSS) - module unsupported

The CurvyCorners module enables you to create rounded corners on HTML block elements. The module doesn't sufficiently filter user entered text when being displayed. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer curvycorners". CVE...

2.1CVSS6.2AI score0.02003EPSS
Exploits0References8
Drupal
Drupal
added 2013/01/16 12:0 a.m.18 views

SA-CONTRIB-2013-003 - RESTful Web Services - Cross site request forgery (CSRF)

This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module doesn't sufficiently verify POST requests thereby exposing a Cross Site Request Forgery vulnerability. This vulnerability is...

6.8CVSS6.3AI score0.00673EPSS
Exploits0References8
Drupal
Drupal
added 2013/01/16 12:0 a.m.688 views

SA-CORE-2013-001 - Drupal core - Multiple vulnerabilities

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. Cross-site scripting Various core and contributed modules - Drupal 6 and 7 A reflected cross-site scripting vulnerability XSS was identified in certain Drupal JavaScript functions that pass unexpected user input in...

4.3CVSS5.4AI score0.02144EPSS
Exploits0References28
Drupal
Drupal
added 2013/01/16 12:0 a.m.25 views

SA-CONTRIB-2013-005 - Mark Complete Module - Cross Site Request Forgery (CSRF)

This module enables you to update a date field on a node via an AJAX link on the node view page. The module doesn't sufficiently guard against Cross Site Request Forgery CSRF. CVE identifiers issued CVE-2013-0207 Versions affected Mark Complete 7.x-1.x versions prior to 7.x-1.1. Drupal core is no...

6.8CVSS6.4AI score0.00643EPSS
Exploits0References10
Drupal
Drupal
added 2013/01/09 12:0 a.m.19 views

SA-CONTRIB-2013-002 - Payment - Access Bypass

Payment enables other modules to make payments using a variety of payment processing services. The module incorrectly grants access when checking if a user can view payments, allowing a user to access the payments of other users. CVE identifiers issued CVE-2013-0182 Versions affected Payment...

5CVSS6.4AI score0.01369EPSS
Exploits0References10
Drupal
Drupal
added 2013/01/09 12:0 a.m.22 views

SA-CONTRIB-2013-001 - Search API - Cross Site Scripting

This module enables you to build searches using a wide range of features, data sources and backends. The module doesn't sufficiently sanitize user input when displaying errors in a view with certain backends, including the database backend. This enables attackers to create a Reflected Cross Site...

2.6CVSS5.5AI score0.0135EPSS
Exploits0References11
Drupal
Drupal
added 2012/12/19 12:0 a.m.23 views

SA-CONTRIB-2012-174 - Context - Information Disclosure

Context has functionality that renders block content for use with its inline editor. When these requests are made the context module does not sufficiently ensure that users have access to the block. A malicious user could send a specially crafted request and get access to block content they shoul...

5CVSS5.8AI score0.01663EPSS
Exploits1References10
Drupal
Drupal
added 2012/12/19 12:0 a.m.614 views

SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7. Access bypass User module search - Drupal 6 and 7 A vulnerability was identified that allows blocked users to appear in user search results, even when the search results are viewed by unprivileged users. This...

6CVSS6.9AI score0.02746EPSS
Exploits1References27
Drupal
Drupal
added 2012/12/05 12:0 a.m.26 views

SA-CONTRIB-2012-173 - Nodewords: Information disclosure

This module enables you to assign meta tags on Drupal 6 sites to aid with 3rd party search indexing and sharing on social networks. The module doesn't correctly filter node content when configured to automatically generate descriptions meta tags from the node text. This lack of filtering could...

4.3CVSS6.4AI score0.01191EPSS
Exploits0References12
Drupal
Drupal
added 2012/11/28 12:0 a.m.21 views

SA-CONTRIB-2012-169 - Email Field - Cross Site Scripting and Access bypass

The email module provides a field type CCK / FieldAPI for storing email addresses and a formatter to output the email address as a link to a contact form. The contact form formatter allows a site visitor to email the stored address without letting them see what that e-mail address is. Access bypa...

5.9AI score
Exploits0References10
Drupal
Drupal
added 2012/11/28 12:0 a.m.19 views

SA-CONTRIB-2012-168 - Services - Information Disclosure

This module enables you to access content from a remote client. The module doesn't sufficiently adhere to standard Drupal permissions and exposes users emails via the user index method. This vulnerability is mitigated by the fact that an attacker most know the path to the user resource and must b...

2.1CVSS6.4AI score0.00957EPSS
Exploits0References8
Drupal
Drupal
added 2012/11/28 12:0 a.m.21 views

SA-CONTRIB-2012-172 - Zero Point - Cross Site Scripting (XSS)

Zero Point is an advanced theme which includes many options, ideal for a wide range of sites. The theme does not escape path aliases exposing a Cross site scripting XSS vulnerability in URLs. There are no mitigating factors. CVE: CVE-2012-5591 Versions affected zeropoint 6.x-1.x versions prior to...

4.3CVSS5.6AI score0.01161EPSS
Exploits0References12
Drupal
Drupal
added 2012/11/28 12:0 a.m.25 views

SA-CONTRIB-2012-170 - MultiLink - Access Bypass

MultiLink allows you to generate in-content links to a suitable node or node translation based on the visitor's language preferences. It allows the Node Title of the target node to be shown as the visible text and title attribute for the generated link. Prior to versions 6.x-2.7 and 7.x-2.7 the...

3.5CVSS6.3AI score0.00962EPSS
Exploits0References11
Drupal
Drupal
added 2012/11/28 12:0 a.m.21 views

SA-CONTRIB-2012-167 - Mixpanel - Cross site scripting (XSS)

This module provides integration with the Mixpanel real-time analytics service. The module doesn't sufficiently escape the Mixpanel token when adding the tracking Javascript to the page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access...

2.1CVSS6.4AI score0.01041EPSS
Exploits0References10
Drupal
Drupal
added 2012/11/28 12:0 a.m.23 views

SA-CONTRIB-2012-171 - Webmail Plus - SQL injection - (unsupported)

The Webmail plus module is a full-featured email client for Drupal. It's designed to provide email for any or all members of a Drupal site. The module doesn't sufficiently sanitize user input as it is used in a database query. CVE: CVE-2012-5590 Versions affected All Webmail Plus module versions...

7.5CVSS6.5AI score0.0121EPSS
Exploits0References8
Drupal
Drupal
added 2012/11/14 12:0 a.m.24 views

SA-CONTRIB-2012-164 - Smiley module and Smileys module - Cross Site Scripting (XSS)

These modules enable you to substitutes text emoticons, like :-, with images. These modules don't sufficiently sanitize user defined smiley acronyms before displaying smiley images. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...

4.8CVSS5.1AI score0.00963EPSS
Exploits0References10
Drupal
Drupal
added 2012/11/14 12:0 a.m.21 views

SA-CONTRIB-2012-163 - User Read-Only - Permission escalation

User Read-only is a module that allows an administrator to prevent modification of user account/profile fields. The administrator can select which fields will allow or disallow editing. The module can mistakenly assign roles when performing unrelated operations against a user's account such as...

3.6CVSS6.3AI score0.01433EPSS
Exploits0References11
Drupal
Drupal
added 2012/11/14 12:0 a.m.17 views

SA-CONTRIB-2012-165 - Chaos tool suite (ctools) - Cross Site Scripting (XSS)

The Chaos tool suite is primarily a set of APIs and tools to improve the developer experience. The page manager node view task does not sufficiently escape node titles when setting the page title, allowing XSS. This vulnerability is partially mitigate by the node task being disabled by default an...

2.6CVSS6AI score0.01783EPSS
Exploits0References11
Drupal
Drupal
added 2012/11/14 12:0 a.m.24 views

SA-CONTRIB-2012-162 - RESTful Web Services - Cross site request forgery (CSRF)

This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The module doesn't sufficiently verify POST requests thereby exposing a Cross Site Request Forgery vulnerability. This vulnerability is...

6.8CVSS6.2AI score0.00643EPSS
Exploits0References8
Drupal
Drupal
added 2012/11/14 12:0 a.m.35 views

SA-CONTRIB-2012-166 - Table of Contents - Access Bypass

This module enables you to generates a list of select header tags in a box that looks like a table of contents or summary. The links added to that box point to the headers so users can quickly access each section of your documents. The module doesn't sufficiently check for node access restriction...

4.3CVSS6.3AI score0.01191EPSS
Exploits0References9
Drupal
Drupal
added 2012/11/07 12:0 a.m.20 views

SA-CONTRIB-2012-161 - Webform CiviCRM Integration - Access Bypass

Webform CiviCRM integration allows you to expose contact data via Webforms. Depending on what fields you have exposed in your form, this may include personal information such as birthdate, phone number, email address, etc. Proper permission settings are important to keep this information from...

5CVSS6AI score0.01369EPSS
Exploits0References9
Drupal
Drupal
added 2012/11/07 12:0 a.m.23 views

SA-CONTRIB-2012-160 - OM Maximenu - Cross Site Scripting (XSS)

This module enables you to create custom menus with effects and integrate module blocks as it's menu item content. The module doesn't sufficiently state the risk of giving permission to create OM Maximenus. This vulnerability is mitigated by the fact that an attacker must have a role with the...

2.1CVSS6.1AI score0.00941EPSS
Exploits0References12
Drupal
Drupal
added 2012/10/31 12:0 a.m.24 views

SA-CONTRIB-2012-159 - Password policy - Information leakage of hashed passwords

This module provides a way to specify a certain level of password complexity aka. "password hardening" for user passwords on a system by defining a password policy. The Password policy module allows administrators to request users to enter a new password that does not match any of the previous X...

5CVSS6.3AI score0.01369EPSS
Exploits0References11
Drupal
Drupal
added 2012/10/24 12:0 a.m.19 views

SA-CONTRIB-2012-157 - Time Spent - Multiple Vulnerabilities - (unsupported)

The Time Spent module tracks the time a registered user spends on a site and a site's content. The module doesn't sufficiently sanitize user input. Cross site scripting, cross-site request forgery, and SQL injection vulnerabilities have all been found. Note that none of these vulnerabilities have...

7.5CVSS7.3AI score0.0113EPSS
Exploits0References9
Drupal
Drupal
added 2012/10/24 12:0 a.m.23 views

SA-CONTRIB-2012-158 - MailChimp - Cross Site Scripting (XSS)

This module provides integration with the MailChimp email delivery service. There are two issues with the webhook processing, which is exposed as an API in mailchimp.module and used by mailchimplists.module to update subscriber information. The webhook URL key can be trivially calculated. Webhook...

4.3CVSS6.4AI score0.01161EPSS
Exploits0References9
Drupal
Drupal
added 2012/10/17 12:0 a.m.667 views

SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure

Multiple vulnerabilities were discovered in Drupal core. Arbitrary PHP code execution A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PH...

6.8CVSS7AI score0.15812EPSS
Exploits4References18
Drupal
Drupal
added 2012/10/17 12:0 a.m.20 views

SA-CONTRIB-2012-156 - Search API - Cross Site Request Forgery (CSRF)

This module enables you to build searches using a wide range of features, data sources and backends. The module doesn't sufficiently guard the “enable index” action against Cross Site Request Forgery CSRF attacks which could allow an attacker to enable existing search indexes on your site. This...

6.8CVSS6.5AI score0.00636EPSS
Exploits0References8
Drupal
Drupal
added 2012/10/10 12:0 a.m.18 views

SA-CONTRIB-2012-155 - ShareThis - Cross Site Scripting (XSS)

This module enables integration with the ShareThis web service to allow social bookmarking amongst your users. The module doesn't sufficiently filter JavaScript settings before outputting them. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...

2.1CVSS6.3AI score0.00941EPSS
Exploits0References13
Drupal
Drupal
added 2012/10/10 12:0 a.m.21 views

SA-CONTRIB-2012-154 - Basic webmail - Multiple vulnerabilities

This module allows site users to read and write e-mail through an IMAP mail server. There are four issues being addressed by this security advisory: The module doesn't sufficiently sanitize data when setting page title. The module may store Drupal login IDs and passwords in plain text in the data...

4.3CVSS4.4AI score0.0181EPSS
Exploits0References11
Drupal
Drupal
added 2012/10/10 12:0 a.m.16 views

SA-CONTRIB-2012-153 - Mandrill - Information Disclosure

This module enables you to send emails using an external gateway and by default logs the contents of the messages. An attacker who gains access to the Mandrill dashboard can trigger password reset emails from the Drupal site, get the reset links from the Mandrill logs, and take over an account...

4CVSS6.6AI score0.01082EPSS
Exploits0References12
Drupal
Drupal
added 2012/10/10 12:0 a.m.20 views

SA-CONTRIB-2012-152 - Feeds - Access bypass

The feeds module enables you to import or aggregate data as nodes, users, taxonomy terms or simple database records. The module doesn't sufficiently check permissions when creating nodes on behalf of a user. This vulnerability is mitigated by the fact that an attacker must have control over the...

4.3CVSS6.4AI score0.01168EPSS
Exploits0References11
Drupal
Drupal
added 2012/10/03 12:0 a.m.15 views

SA-CONTRIB-2012-151 - Commerce Extra Panes - Cross Site Request Forgery

This module, an add-on for Drupal Commerce, allows site builders to place one or more nodes in one of the checkout phases of an order. The module doesn't sufficiently confirm the intent of a site builder when taking certain administrative operations. This could allow an attacker to trick an...

6.8CVSS6.3AI score0.00711EPSS
Exploits0References8
Drupal
Drupal
added 2012/10/03 12:0 a.m.27 views

SA-CONTRIB-2012-149 - Hostip - Cross Site Scripting (XSS)

Hostip enables you to query the http://www.hostip.info/ API to get the country / state information based on the user's IP address or a specific IP passed to it. The module fails to sanitize data retrieved from an untrusted third party source, thereby exposing an arbitrary script injection...

4.3CVSS6.4AI score0.01161EPSS
Exploits0References9
Drupal
Drupal
added 2012/10/03 12:0 a.m.17 views

SA-CONTRIB-2012-150 - Twitter Pull - Cross Site Scripting (XSS)

Twitter Pull allows you to retrieve tweets from Twitter based on a user or search and display them on your site. It also includes integration with the boxes module to allow for simple placement of twitter feeds on various pages. The module doesn't sufficiently filter the data coming from Twitter...

4.3CVSS6AI score0.01161EPSS
Exploits0References11
Drupal
Drupal
added 2012/09/26 12:0 a.m.19 views

SA-CONTRIB-2012-148 - OG - Access Bypass

OG Organic groups enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. A group membership can be given immediately upon subscribing, or be pending - waiting for a group administrat...

3.5CVSS6.4AI score0.00951EPSS
Exploits0References11
Drupal
Drupal
added 2012/09/19 12:0 a.m.16 views

SA-CONTRIB-2012-142 - Spambot - Cross Site Scripting (XSS)

The Spambot module enables you to protect new user registrations from spammers using the database at stopforumspam.com. Spambot doesn't sufficiently sanitize API responses from stopforumspam.com when they are logged to the watchdog, allowing a potential XSS attack. This vulnerability is mitigated...

2.6CVSS5.8AI score0.01319EPSS
Exploits0References12
Drupal
Drupal
added 2012/09/19 12:0 a.m.16 views

SA-CONTRIB-2012-145 - Imagemenu - Cross Site Scripting (XSS)

Imagemenu module allows you to create Drupal menus from images files. The module doesn't sufficiently escape image file names when rendering menus, allowing a potential XSS attack. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...

2.1CVSS5.7AI score0.01041EPSS
Exploits0References13
Drupal
Drupal
added 2012/09/19 12:0 a.m.19 views

SA-CONTRIB-2012-144 Fonecta verify - Cross Site Scripting (XSS)

Fonecta verify provides an interface to retrieve information from the Finnish Fonecta company information database. The module contains an arbitrary script injection vulnerability XSS due to the fact that it fails to sanitize data retrieved from an untrusted third party source. This vulnerability...

4.3CVSS6.2AI score0.01161EPSS
Exploits0References9
Drupal
Drupal
added 2012/09/19 12:0 a.m.35 views

SA-CONTRIB-2012-147 - FileField Sources - Cross Site Scripting (XSS)

The Drupal FileField module lets you upload files from your computer through a CCK field. The FileField Sources module expands on this ability by allowing you to select new or existing files through additional means. The FileField Sources module contains a persistent cross site scripting XSS...

2.1CVSS5.5AI score0.00941EPSS
Exploits0References9
Total number of security vulnerabilities1940