1940 matches found
SA-CONTRIB-2012-093 - Node Embed - Access Bypass
Node Embed gives content editors an interface for selecting and embedding nodes using a WYSIWYG editor. The interface for selecting nodes is a page that had no access check, allowing users to view node titles they might not have access to. This issue only affects your site if you have unpublished...
SA-CONTRIB-2012-094 - Maestro module - Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS)
The Maestro module is a workflow engine/solution that facilitates simple and complex business process automation. The module doesn't sufficiently filter user-supplied data in its admin screens leading to a Cross Site Scripting XSS vulnerability. A Cross Site Request Forgery vulnerability in the...
SA-CONTRIB-2012-095 - Simplenews - Information Disclosure
Simplenews publishes and sends newsletters. When subscribing to a Simplenews mailing list, confirmation may be required, and Simplenews may disclose the user's e-mail address on the confirmation page. Further, due to the absence of a noindex tag, the list of e-mail addresses can subsequently be...
SA-CONTRIB-2012-088 - Mobile Tools - Cross Site Scripting (XSS)
Mobile Tools provides Drupal developers with some tools to assist in making a site mobile. The module contains several persistent cross site scripting XSS vulnerabilities due to the fact that it fails to sanitize user supplied values before display. CVE: CVE-2012-2717 Versions affected Mobile Too...
SA-CONTRIB-2012-090 - File depot - Session Management Vulnerability
The filedepot module is a Document Management module. It fulfills the need for an integrated file management module supporting role and user based security. Documents can be saved outside the Drupal public directory to protect documents for safe access and distribution. The module has a Session...
SA-CONTRIB-2012-089 - Counter - SQL Injection (unsupported)
Counter module counts how many visitors on your website. This module provides real time counting with all data saved to the database. The module doesn't sufficiently filter user supplied text when recording visits to the database which leads to a SQL Injection vulnerability. CVE: CVE-2012-2718...
SA-CONTRIB-2012-087 - Comment Moderation - Cross Site Request Forgery
This module enables you to moderate comments in an accelerated way, by providing a complete interface and all useful actions in a unique page. The module doesn't sufficiently protect the publish link URL, thus a Cross Site Request Forgery CSRF attack against an administrator could result in...
SA-CONTRIB-2012-086 - Amadou - Cross Site Scripting
The Amadou theme outputs additional first and last classes to the list of links to help out themers. This was being done in a way that was not secure. A Cross Site Scripting XSS vulnerability was identified in Amadou theme's themeslinks function in the template.php file, which was fixed in the...
SA-CONTRIB-2012-083 - Taxonomy List - Cross Site Scripting (XSS)
CVE: CVE-2012-2711 This module enables you to display the terms and optionally nodes under categories. The module doesn't sufficiently sanitize user supplied text in the taxonomy information. This vulnerability is mitigated by the fact that an attacker must have a role with permissions to create ...
SA-CONTRIB-2012-085 - BrowserID - Multiple Vulnerabilities
CSRF Issue: CVE: CVE-2012-2713 BrowserID login theft: CVE: CVE-2012-2714 The BrowserID module provides integration with BrowserID also known as Mozilla Persona -- a Mozilla project that lets users of your site quickly and easily log in without needing to remember a password specific to your site...
SA-CONTRIB-2012-084 - Search API - Cross Site Scripting (XSS)
CVE: CVE-2012-2712 This module enables you to build searches using a wide range of features, data sources and backends. The module doesn't sufficiently sanitize user input in some cases when throwing exceptions or logging errors. This enables attackers to insert arbitrary data into a page by...
SA-CONTRIB-2012-076 - Ubercart Product Keys Access Bypass
CVE: CVE-2012-2702. This module enables you to sell product keys from an Ubercart store. Under certain circumstances, a user can view all unassigned product keys which could grant them access to the software circumventing the process of selling the key. Versions affected Ubercart Product Keys...
SA-CONTRIB-2012-077 - Advertisement - Cross Site Scripting & Information Disclosure
XSS Issue: CVE: CVE-2012-2703. Access bypass: CVE: CVE-2012-2704 This module enables you to serve advertisements, define pools of ads and show certain ads on certain pages. The module could, under certain conditions, expose limited site configuration information and a debugging mode did not...
SA-CONTRIB-2012-080 - Hostmaster (Aegir) - Access Bypass and Cross Site Scripting (XSS)
Cross Site Scripting CVE: CVE-2012-2708. Hostmaster displays a log from tasks executed in Aegir's backend component, provision. In certain circumstances these log messages were not escaped properly before being displayed to the user. This vulnerability is mitigated by the fact that people wishing...
SA-CONTRIB-2012-082 - Zen - Cross Site Scripting
CVE: CVE-2012-2710. The Zen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users. The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting XSS attack. This vulnerability is mitigated by the...
SA-CONTRIB-2012-081 - Aberdeen - Cross Site Scripting
CVE: CVE-2012-2907. The Aberdeen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users. The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting XSS attack. This vulnerability is mitigated by...
SA-CONTRIB-2012-079 - Post Affiliate Pro - Cross Site Scripting (XSS) and Access Bypass - Unsupported
Update: this module has been fixed 2014-03-21. Please go the project page and download the most current release. XSS: CVE: CVE-2012-2706 Access bypass: CVE: CVE-2012-3802 Post Affiliate Pro PAP is a module providing affiliate functionality for Ubercart and Post Affiliate Pro application. The modu...
SA-CONTRIB-2012-078 - Smart Breadcrumb - Cross Site Scripting (XSS)
CVE: CVE-2012-2705. The function filtertitles incorrectly attempts to set a title to plain-text, but does not properly filter user supplied text. This vulnerability is mitigated by the fact that an attacker must have the permission to create or edit a node to exploit the issue. Versions affected...
SA-CONTRIB-2012-075 - Take Control - Cross Site Request Forgery (CSRF)
CVE: CVE-2012-2341 This module enables you to manage your Drupal file-system from within Drupal itself. The module does not sufficiently validate Ajax calls leading to possibility of a Cross Site Request Forgery CSRF attack. This vulnerability is mitigated by the fact that the attacker must be ab...
SA-CONTRIB-2012-074 - Contact Forms - Access Bypass
CVE: CVE-2012-2340 This module expands the features of the site wide contact form. It eliminates the drop down category menu by generating a clean looking contact form without a drop down menu with a unique path for each of the contact form categories. The module allowed users to edit the Contact...
SA-CONTRIB-2012-073 - Glossary - Cross-Site Scripting (XSS)
CVE: CVE-2012-2339 The glossary module scans posts for glossary terms, adding an indicator. By hovering over the indicator, users may learn the definition of that term. The module does not sufficiently sanitize the taxonomy information. This leaves sites vulnerable to Cross-Site Scripting attacks...
SA-CORE-2012-002 - Drupal core multiple vulnerabilities
Denial of Service CVE: CVE-2012-1588 Drupal core's text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in Drupal's text matching was found to be inefficient with certain specially crafted...
SA-CONTRIB-2012-071 - Glossify - Cross Site Scripting (XSS) - Unsupported
CVE: CVE-2012-2309 This module generates internal node to node, node to taxonomy or node to external URL links crosslinks automatically - ideal for SEO of your site's pages and partner pages. This module does not protect against an Cross Site Scripting XSS attack. The vulnerability is mitigated b...
SA-CONTRIB-2012-070 - Taxonomy Grid : Catalog - Cross Site Scripting (XSS) - Unsupported
CVE: CVE-2012-2308 This module provides a page where you can see each content types you've selected under terms from vocabularies you've selected. This module does not properly filter user supplied text resulting in a Cross Site scripting bug. This vulnerability is mitigated by the fact that an...
SA-CONTRIB-2012-072 - cctags - Cross Site Scripting (XSS)
CVE: CVE-2012-2310 This module enables you to create "tag clouds" with taxonomy terms displayed in different sizes depending on how frequently they are used on a site. The module doesn't sufficiently filter user supplied text leading to a Cross Site Scripting XSS vulnerability. This vulnerability...
SA-CONTRIB-2012-069 - Addressbook - Multiple vulnerabilities - Unsupported
This module contains a simple addressbook. The module has multiple issues including SQL Injection and Cross Site Request Forgery. For the SQL Injection issue - CVE: CVE-2012-2306 For the CSRF issue - CVE: CVE-2012-2307 Versions affected 6.x-4.2 and before Drupal core is not affected. If you do no...
SA-CONTRIB-2012-068 - Node Gallery - Cross Site Request Forgery (CSRF) - Unsupported
CVE: CVE-2012-2305 Node gallery enable users to create a more flexible and powerful gallery that are fully integrated with Drupal's core node system. This module does not protect a CSRF attack when creating node galleries. Versions affected 6.x-3.1 and before Drupal core is not affected. If you d...
SA-CONTRIB-2012-067 - Linkit - Access bypass
CVE: CVE-2012-2304 Linkitprovides an easy interface for internal and external linking. Linkit links to nodes, users, managed files, terms and have basic support for all entities by default, using an autocomplete field. When searching for entities, no access restrictions were added and users may s...
SA-CONTRIB-2012-064 - Ubercart - Multiple vulnerabilities
The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal. Parts of Ubercart were vulnerable to a Failure to encrypt data, Cross Site Scripting, and an Arbitrary PHP Execution vulnerability. Failure to encrypt data: Exploitable from local CVE: CVE-2012-2299...
SA-CONTRIB-2012-063 - RealName - Cross Site Scripting (XSS)
CVE: CVE-2012-2298 This module allows you to set a pattern for constructing "Real names" for users out of profile fields. The module does not sufficiently escape users' real names under certain circumstances which could lead to a Cross-Site Scripting XSS attack. Versions affected RealName 6.x-1.x...
SA-CONTRIB-2012-062 - Creative Commons - Cross Site Scripting (XSS)
CVE: CVE-2012-2297 The Creative Commons module allows users to select and assign a Creative Commons license to a node and any attached content, or to the entire site. The module did not sufficiently filter the text describing licenses. This vulnerability is mitigated by the fact that an attacker...
SA-CONTRIB-2012-066 - Spaces and Spaces OG - Access Bypass
CVE: CVE-2012-2303 Spaces is an API module intended to make configuration options generally avaliable only at the sitewide level to be configurable and overridden by individual "spaces" on a Drupal site. The spaces and spacesog modules part of the spaces package in some cases do not apply the...
SA-CONTRIB-2012-065 - Sitedoc - Information disclosure
CVE: CVE-2012-2302 This module enables you to display a plethora of information about your site's structure. Optionally, the information may be saved into a file for later comparison. The module doesn't sufficiently verify that the saved file is protected by the Private File System. This...
SA-CONTRIB-2012-061 - Gigya - Social optimization - Cross Site Scripting (XSS)
CVE: CVE-2012-2117 The Gigya - Social optimization module provides a single API that aggregates authentication and social APIs from Facebook Connect, MySpace ID, Twitter, and OpenID webmail providers including Google, Yahoo, and AOL. The module doesn't sufficiently escape URL elements which are...
SA-CONTRIB-2012-060 - Commerce Reorder - Cross Site Request Forgery
CVE: CVE-2012-2116 The Commerce Reorder module enables you to reorder previously purchased products for Drupal Commerce. The module does not sufficiently protect the re-order URL against Cross Site Request Forgery CSRF, allowing a malicious user to trick someone into adding unwanted items to thei...
SA-CONTRIB-2012-059 - Autosave - Cross Site Request Forgery
CVE: CVE-2012-2097 This module enables snapshots of your node edit form to be saved in the background while you are editing to help prevent the data from being lost. The module doesn't sufficiently protect against a user being tricked into submitting saved results to a node. Versions affected...
SA-CONTRIB-2012-058 - Fivestar - Input Validation
CVE: CVE-2012-2096 The Fivestar module enables you to add a voting widget to nodes and comments. The module does not sufficiently validate all votes passed by the asynchronous voting widget allowing a malicious user to improperly modify voting averages. Versions affected Fivestar 6.x-1.x versions...
SA-CONTRIB-2012-056 - Janrain Engage - Sensitive Data Protection Vulnerability
CVE: CVE-2012-2296 Using Janrain Engage, Drupal sites can authenticate new and existing users with popular social networks, map user profile data from these websites to Drupal fields, and share Drupal content with a user's friends on their social networks. The module permanently retains the...
SA-CONTRIB-2012-057 - Printer, email and PDF versions - Cross Site Scripting (XSS)
CVE: CVE-2012-2084 This module provides printer-friendly versions of content, including send by e-mail and PDF versions. The module doesn't sufficiently escape URL elements which are printed back to the user. Versions affected Printer, email and PDF versions 6.x-1.x versions prior to 6.x-1.15...
SA-CONTRIB-2012-052 - Node Limit Number - Cross Site Request Forgery (CSRF)
CVE: CVE-2012-2080 The Node Limit Number module enables an administrator to place limits on how many nodes may be created by each user. Node Limit Number does not protect the delete URL against Cross Site Request Forgery attacks, allowing a malicious user to trick someone with "administer node...
SA-CONTRIB-2012-049 - ShareThis - Multiple Vulnerablies
The XSS issue is CVE: CVE-2012-2076 The CSRF issue is CVE: CVE-2012-2077 The ShareThis module allows you to display social networking tools to users. The administration forms of the module do not properly use the Form API allowing a malicious user to inject unexpected settings, allowing for...
SA-CONTRIB-2012-047 - Ubercart Views - Information disclosure
CVE: CVE-2012-2074 Ubercart Views provides Views integration for the Ubercart shopping cart module, and includes default views that contain a critical information disclosure bug. In some versions, these views are disabled by default, but still disclose information if you enable them. Versions...
SA-CONTRIB-2012-051 - Activity - Multiple Vulnerablities
The XSS issue is: CVE: CVE-2012-2078 The CSRF issue is: CVE: CVE-2012-2079 The Activity module keeps track of the things people do on your site and provides mini-feeds of these activities in blocks, in a specialized table, and via RSS. The module is extensible so that any other module can integra...
SA-CONTRIB-2012-046 - Bundle Copy - Arbitrary Code execution
CVE: CVE-2012-2073 Bundle copy is a replacement for the Content copy module which lives in the CCK project for Drupal 6. Besides the ability to import and export content types, taxonomy and user entities are also supported. Field groups can be exported easily as well. The module doesn't...
SA-CONTRIB-2012-054 - Chaos tool suite - Cross Site Scripting (XSS)
CVE: CVE-2012-2082 This suite is primarily a set of APIs and tools to improve the developer experience. It also contains a module called the Page Manager whose job is to manage pages. In particular it manages panel pages, but as it grows it will be able to manage far more than just Panels. The...
SA-CONTRIB-2012-055 - Fusion theme - Cross Site Scripting (XSS)
CVE: CVE-2012-2083 Fusion is a base theme that provides a configurable grid system and modular styling for common Drupal UI components. The theme outputs a CSS class for the tag based on the current URL, but does not provide sufficient filtering to prevent a Cross site scripting XSS attack. This...
SA-CONTRIB-2012-045 - AddToAny - Cross Site Scripting
CVE: CVE-2012-2072 This module enables you to add Lockerz/AddToAny's universal sharing buttons to your site. Previously, the module did not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fac...
SA-CONTRIB-2012-050 - CDN2 Video - Unsupported
CDN2 is a plug and play module and video management service for Drupal. The module does not sanitize output correctly, allowing for a cross-site scripting XSS vulnerability. Additionally, the Form API is not correctly utilized allowing for cross-site request forgery CSRF attempts. This module...
SA-CONTRIB-2012-044 - Contact Forms - Cross Site Scripting
CVE: CVE-2012-2071 This module expands the features of the site wide contact form. It eliminates the drop down category menu by generating a clean looking contact form with a unique path, for each of the contact form categories. The module doesn't sufficiently filter user text of the page title a...
SA-CONTRIB-2012-053 - Organic Groups - Access Bypass
CVE: CVE-2012-2081 Organic groups OG enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. The module's Views integration does not filter out information from display groups to whic...