Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2012/06/06 12:0 a.m.19 views

SA-CONTRIB-2012-093 - Node Embed - Access Bypass

Node Embed gives content editors an interface for selecting and embedding nodes using a WYSIWYG editor. The interface for selecting nodes is a page that had no access check, allowing users to view node titles they might not have access to. This issue only affects your site if you have unpublished...

4.3CVSS6.2AI score0.02774EPSS
Exploits1References11
Drupal
Drupal
added 2012/06/06 12:0 a.m.29 views

SA-CONTRIB-2012-094 - Maestro module - Cross Site Request Forgery (CSRF), Cross Site Scripting (XSS)

The Maestro module is a workflow engine/solution that facilitates simple and complex business process automation. The module doesn't sufficiently filter user-supplied data in its admin screens leading to a Cross Site Scripting XSS vulnerability. A Cross Site Request Forgery vulnerability in the...

5.1CVSS5.8AI score0.02117EPSS
Exploits2References12
Drupal
Drupal
added 2012/06/06 12:0 a.m.26 views

SA-CONTRIB-2012-095 - Simplenews - Information Disclosure

Simplenews publishes and sends newsletters. When subscribing to a Simplenews mailing list, confirmation may be required, and Simplenews may disclose the user's e-mail address on the confirmation page. Further, due to the absence of a noindex tag, the list of e-mail addresses can subsequently be...

5.3CVSS5.3AI score0.02453EPSS
Exploits0References13
Drupal
Drupal
added 2012/05/30 12:0 a.m.11 views

SA-CONTRIB-2012-088 - Mobile Tools - Cross Site Scripting (XSS)

Mobile Tools provides Drupal developers with some tools to assist in making a site mobile. The module contains several persistent cross site scripting XSS vulnerabilities due to the fact that it fails to sanitize user supplied values before display. CVE: CVE-2012-2717 Versions affected Mobile Too...

4.3CVSS5.7AI score0.02464EPSS
Exploits1References11
Drupal
Drupal
added 2012/05/30 12:0 a.m.13 views

SA-CONTRIB-2012-090 - File depot - Session Management Vulnerability

The filedepot module is a Document Management module. It fulfills the need for an integrated file management module supporting role and user based security. Documents can be saved outside the Drupal public directory to protect documents for safe access and distribution. The module has a Session...

5.1CVSS6.4AI score0.01547EPSS
Exploits0References10
Drupal
Drupal
added 2012/05/30 12:0 a.m.21 views

SA-CONTRIB-2012-089 - Counter - SQL Injection (unsupported)

Counter module counts how many visitors on your website. This module provides real time counting with all data saved to the database. The module doesn't sufficiently filter user supplied text when recording visits to the database which leads to a SQL Injection vulnerability. CVE: CVE-2012-2718...

7.5CVSS7.5AI score0.01889EPSS
Exploits0References8
Drupal
Drupal
added 2012/05/30 12:0 a.m.23 views

SA-CONTRIB-2012-087 - Comment Moderation - Cross Site Request Forgery

This module enables you to moderate comments in an accelerated way, by providing a complete interface and all useful actions in a unique page. The module doesn't sufficiently protect the publish link URL, thus a Cross Site Request Forgery CSRF attack against an administrator could result in...

6.8CVSS6.5AI score0.00779EPSS
Exploits1References11
Drupal
Drupal
added 2012/05/30 12:0 a.m.20 views

SA-CONTRIB-2012-086 - Amadou - Cross Site Scripting

The Amadou theme outputs additional first and last classes to the list of links to help out themers. This was being done in a way that was not secure. A Cross Site Scripting XSS vulnerability was identified in Amadou theme's themeslinks function in the template.php file, which was fixed in the...

4.3CVSS5.7AI score0.02185EPSS
Exploits1References11
Drupal
Drupal
added 2012/05/23 12:0 a.m.21 views

SA-CONTRIB-2012-083 - Taxonomy List - Cross Site Scripting (XSS)

CVE: CVE-2012-2711 This module enables you to display the terms and optionally nodes under categories. The module doesn't sufficiently sanitize user supplied text in the taxonomy information. This vulnerability is mitigated by the fact that an attacker must have a role with permissions to create ...

2.1CVSS6.3AI score0.01659EPSS
Exploits1References12
Drupal
Drupal
added 2012/05/23 12:0 a.m.17 views

SA-CONTRIB-2012-085 - BrowserID - Multiple Vulnerabilities

CSRF Issue: CVE: CVE-2012-2713 BrowserID login theft: CVE: CVE-2012-2714 The BrowserID module provides integration with BrowserID also known as Mozilla Persona -- a Mozilla project that lets users of your site quickly and easily log in without needing to remember a password specific to your site...

9.8CVSS9.9AI score0.03294EPSS
Exploits1References12
Drupal
Drupal
added 2012/05/23 12:0 a.m.18 views

SA-CONTRIB-2012-084 - Search API - Cross Site Scripting (XSS)

CVE: CVE-2012-2712 This module enables you to build searches using a wide range of features, data sources and backends. The module doesn't sufficiently sanitize user input in some cases when throwing exceptions or logging errors. This enables attackers to insert arbitrary data into a page by...

2.6CVSS6.3AI score0.02155EPSS
Exploits1References11
Drupal
Drupal
added 2012/05/16 12:0 a.m.19 views

SA-CONTRIB-2012-076 - Ubercart Product Keys Access Bypass

CVE: CVE-2012-2702. This module enables you to sell product keys from an Ubercart store. Under certain circumstances, a user can view all unassigned product keys which could grant them access to the software circumventing the process of selling the key. Versions affected Ubercart Product Keys...

5CVSS6.4AI score0.0258EPSS
Exploits1References10
Drupal
Drupal
added 2012/05/16 12:0 a.m.26 views

SA-CONTRIB-2012-077 - Advertisement - Cross Site Scripting & Information Disclosure

XSS Issue: CVE: CVE-2012-2703. Access bypass: CVE: CVE-2012-2704 This module enables you to serve advertisements, define pools of ads and show certain ads on certain pages. The module could, under certain conditions, expose limited site configuration information and a debugging mode did not...

5CVSS5.1AI score0.01873EPSS
Exploits2References12
Drupal
Drupal
added 2012/05/16 12:0 a.m.31 views

SA-CONTRIB-2012-080 - Hostmaster (Aegir) - Access Bypass and Cross Site Scripting (XSS)

Cross Site Scripting CVE: CVE-2012-2708. Hostmaster displays a log from tasks executed in Aegir's backend component, provision. In certain circumstances these log messages were not escaped properly before being displayed to the user. This vulnerability is mitigated by the fact that people wishing...

5.8CVSS6.3AI score0.02428EPSS
Exploits2References11
Drupal
Drupal
added 2012/05/16 12:0 a.m.21 views

SA-CONTRIB-2012-082 - Zen - Cross Site Scripting

CVE: CVE-2012-2710. The Zen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users. The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting XSS attack. This vulnerability is mitigated by the...

2.6CVSS5.8AI score0.01783EPSS
Exploits0References13
Drupal
Drupal
added 2012/05/16 12:0 a.m.23 views

SA-CONTRIB-2012-081 - Aberdeen - Cross Site Scripting

CVE: CVE-2012-2907. The Aberdeen theme provides a configurable breadcrumb which is commonly used as an additional navigation tool for users. The theme outputs the breadcrumb, but does not provide sufficient filtering to prevent a Cross site scripting XSS attack. This vulnerability is mitigated by...

2.6CVSS5.6AI score0.0135EPSS
Exploits0References12
Drupal
Drupal
added 2012/05/16 12:0 a.m.21 views

SA-CONTRIB-2012-079 - Post Affiliate Pro - Cross Site Scripting (XSS) and Access Bypass - Unsupported

Update: this module has been fixed 2014-03-21. Please go the project page and download the most current release. XSS: CVE: CVE-2012-2706 Access bypass: CVE: CVE-2012-3802 Post Affiliate Pro PAP is a module providing affiliate functionality for Ubercart and Post Affiliate Pro application. The modu...

4.3CVSS6AI score0.01808EPSS
Exploits0References9
Drupal
Drupal
added 2012/05/16 12:0 a.m.22 views

SA-CONTRIB-2012-078 - Smart Breadcrumb - Cross Site Scripting (XSS)

CVE: CVE-2012-2705. The function filtertitles incorrectly attempts to set a title to plain-text, but does not properly filter user supplied text. This vulnerability is mitigated by the fact that an attacker must have the permission to create or edit a node to exploit the issue. Versions affected...

2.1CVSS6.3AI score0.01607EPSS
Exploits0References11
Drupal
Drupal
added 2012/05/09 12:0 a.m.16 views

SA-CONTRIB-2012-075 - Take Control - Cross Site Request Forgery (CSRF)

CVE: CVE-2012-2341 This module enables you to manage your Drupal file-system from within Drupal itself. The module does not sufficiently validate Ajax calls leading to possibility of a Cross Site Request Forgery CSRF attack. This vulnerability is mitigated by the fact that the attacker must be ab...

6.8CVSS6.3AI score0.00894EPSS
Exploits0References12
Drupal
Drupal
added 2012/05/09 12:0 a.m.23 views

SA-CONTRIB-2012-074 - Contact Forms - Access Bypass

CVE: CVE-2012-2340 This module expands the features of the site wide contact form. It eliminates the drop down category menu by generating a clean looking contact form without a drop down menu with a unique path for each of the contact form categories. The module allowed users to edit the Contact...

3.5CVSS6.1AI score0.01271EPSS
Exploits0References10
Drupal
Drupal
added 2012/05/09 12:0 a.m.30 views

SA-CONTRIB-2012-073 - Glossary - Cross-Site Scripting (XSS)

CVE: CVE-2012-2339 The glossary module scans posts for glossary terms, adding an indicator. By hovering over the indicator, users may learn the definition of that term. The module does not sufficiently sanitize the taxonomy information. This leaves sites vulnerable to Cross-Site Scripting attacks...

4.3CVSS5.8AI score0.01647EPSS
Exploits0References11
Drupal
Drupal
added 2012/05/02 12:0 a.m.676 views

SA-CORE-2012-002 - Drupal core multiple vulnerabilities

Denial of Service CVE: CVE-2012-1588 Drupal core's text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in Drupal's text matching was found to be inefficient with certain specially crafted...

5.8CVSS5.8AI score0.02401EPSS
Exploits3References23
Drupal
Drupal
added 2012/05/02 12:0 a.m.23 views

SA-CONTRIB-2012-071 - Glossify - Cross Site Scripting (XSS) - Unsupported

CVE: CVE-2012-2309 This module generates internal node to node, node to taxonomy or node to external URL links crosslinks automatically - ideal for SEO of your site's pages and partner pages. This module does not protect against an Cross Site Scripting XSS attack. The vulnerability is mitigated b...

3.5CVSS5.6AI score0.00936EPSS
Exploits0References7
Drupal
Drupal
added 2012/05/02 12:0 a.m.16 views

SA-CONTRIB-2012-070 - Taxonomy Grid : Catalog - Cross Site Scripting (XSS) - Unsupported

CVE: CVE-2012-2308 This module provides a page where you can see each content types you've selected under terms from vocabularies you've selected. This module does not properly filter user supplied text resulting in a Cross Site scripting bug. This vulnerability is mitigated by the fact that an...

3.5CVSS6AI score0.00946EPSS
Exploits0References8
Drupal
Drupal
added 2012/05/02 12:0 a.m.18 views

SA-CONTRIB-2012-072 - cctags - Cross Site Scripting (XSS)

CVE: CVE-2012-2310 This module enables you to create "tag clouds" with taxonomy terms displayed in different sizes depending on how frequently they are used on a site. The module doesn't sufficiently filter user supplied text leading to a Cross Site Scripting XSS vulnerability. This vulnerability...

3.5CVSS5.7AI score0.01046EPSS
Exploits0References11
Drupal
Drupal
added 2012/05/02 12:0 a.m.33 views

SA-CONTRIB-2012-069 - Addressbook - Multiple vulnerabilities - Unsupported

This module contains a simple addressbook. The module has multiple issues including SQL Injection and Cross Site Request Forgery. For the SQL Injection issue - CVE: CVE-2012-2306 For the CSRF issue - CVE: CVE-2012-2307 Versions affected 6.x-4.2 and before Drupal core is not affected. If you do no...

7.5CVSS7.5AI score0.0121EPSS
Exploits0References7
Drupal
Drupal
added 2012/05/02 12:0 a.m.16 views

SA-CONTRIB-2012-068 - Node Gallery - Cross Site Request Forgery (CSRF) - Unsupported

CVE: CVE-2012-2305 Node gallery enable users to create a more flexible and powerful gallery that are fully integrated with Drupal's core node system. This module does not protect a CSRF attack when creating node galleries. Versions affected 6.x-3.1 and before Drupal core is not affected. If you d...

6.8CVSS6.5AI score0.00636EPSS
Exploits0References8
Drupal
Drupal
added 2012/04/25 12:0 a.m.22 views

SA-CONTRIB-2012-067 - Linkit - Access bypass

CVE: CVE-2012-2304 Linkitprovides an easy interface for internal and external linking. Linkit links to nodes, users, managed files, terms and have basic support for all entities by default, using an autocomplete field. When searching for entities, no access restrictions were added and users may s...

4.3CVSS6.3AI score0.02097EPSS
Exploits0References10
Drupal
Drupal
added 2012/04/25 12:0 a.m.29 views

SA-CONTRIB-2012-064 - Ubercart - Multiple vulnerabilities

The Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal. Parts of Ubercart were vulnerable to a Failure to encrypt data, Cross Site Scripting, and an Arbitrary PHP Execution vulnerability. Failure to encrypt data: Exploitable from local CVE: CVE-2012-2299...

6CVSS5.7AI score0.01284EPSS
Exploits2References13
Drupal
Drupal
added 2012/04/25 12:0 a.m.25 views

SA-CONTRIB-2012-063 - RealName - Cross Site Scripting (XSS)

CVE: CVE-2012-2298 This module allows you to set a pattern for constructing "Real names" for users out of profile fields. The module does not sufficiently escape users' real names under certain circumstances which could lead to a Cross-Site Scripting XSS attack. Versions affected RealName 6.x-1.x...

4.3CVSS5.5AI score0.02443EPSS
Exploits1References11
Drupal
Drupal
added 2012/04/25 12:0 a.m.18 views

SA-CONTRIB-2012-062 - Creative Commons - Cross Site Scripting (XSS)

CVE: CVE-2012-2297 The Creative Commons module allows users to select and assign a Creative Commons license to a node and any attached content, or to the entire site. The module did not sufficiently filter the text describing licenses. This vulnerability is mitigated by the fact that an attacker...

2.1CVSS6.3AI score0.01089EPSS
Exploits0References11
Drupal
Drupal
added 2012/04/25 12:0 a.m.21 views

SA-CONTRIB-2012-066 - Spaces and Spaces OG - Access Bypass

CVE: CVE-2012-2303 Spaces is an API module intended to make configuration options generally avaliable only at the sitewide level to be configurable and overridden by individual "spaces" on a Drupal site. The spaces and spacesog modules part of the spaces package in some cases do not apply the...

7.5CVSS6.2AI score0.0196EPSS
Exploits1References12
Drupal
Drupal
added 2012/04/25 12:0 a.m.21 views

SA-CONTRIB-2012-065 - Sitedoc - Information disclosure

CVE: CVE-2012-2302 This module enables you to display a plethora of information about your site's structure. Optionally, the information may be saved into a file for later comparison. The module doesn't sufficiently verify that the saved file is protected by the Private File System. This...

5CVSS6AI score0.01663EPSS
Exploits1References10
Drupal
Drupal
added 2012/04/18 12:0 a.m.18 views

SA-CONTRIB-2012-061 - Gigya - Social optimization - Cross Site Scripting (XSS)

CVE: CVE-2012-2117 The Gigya - Social optimization module provides a single API that aggregates authentication and social APIs from Facebook Connect, MySpace ID, Twitter, and OpenID webmail providers including Google, Yahoo, and AOL. The module doesn't sufficiently escape URL elements which are...

4.3CVSS6.7AI score0.01284EPSS
Exploits0References10
Drupal
Drupal
added 2012/04/18 12:0 a.m.23 views

SA-CONTRIB-2012-060 - Commerce Reorder - Cross Site Request Forgery

CVE: CVE-2012-2116 The Commerce Reorder module enables you to reorder previously purchased products for Drupal Commerce. The module does not sufficiently protect the re-order URL against Cross Site Request Forgery CSRF, allowing a malicious user to trick someone into adding unwanted items to thei...

6.8CVSS6.4AI score0.00984EPSS
Exploits0References10
Drupal
Drupal
added 2012/04/11 12:0 a.m.15 views

SA-CONTRIB-2012-059 - Autosave - Cross Site Request Forgery

CVE: CVE-2012-2097 This module enables snapshots of your node edit form to be saved in the background while you are editing to help prevent the data from being lost. The module doesn't sufficiently protect against a user being tricked into submitting saved results to a node. Versions affected...

6.8CVSS6.3AI score0.00933EPSS
Exploits1References11
Drupal
Drupal
added 2012/04/11 12:0 a.m.27 views

SA-CONTRIB-2012-058 - Fivestar - Input Validation

CVE: CVE-2012-2096 The Fivestar module enables you to add a voting widget to nodes and comments. The module does not sufficiently validate all votes passed by the asynchronous voting widget allowing a malicious user to improperly modify voting averages. Versions affected Fivestar 6.x-1.x versions...

5CVSS6.4AI score0.0184EPSS
Exploits1References11
Drupal
Drupal
added 2012/04/04 12:0 a.m.24 views

SA-CONTRIB-2012-056 - Janrain Engage - Sensitive Data Protection Vulnerability

CVE: CVE-2012-2296 Using Janrain Engage, Drupal sites can authenticate new and existing users with popular social networks, map user profile data from these websites to Drupal fields, and share Drupal content with a user's friends on their social networks. The module permanently retains the...

5CVSS5.8AI score0.01563EPSS
Exploits0References10
Drupal
Drupal
added 2012/04/04 12:0 a.m.19 views

SA-CONTRIB-2012-057 - Printer, email and PDF versions - Cross Site Scripting (XSS)

CVE: CVE-2012-2084 This module provides printer-friendly versions of content, including send by e-mail and PDF versions. The module doesn't sufficiently escape URL elements which are printed back to the user. Versions affected Printer, email and PDF versions 6.x-1.x versions prior to 6.x-1.15...

4.3CVSS6.5AI score0.02325EPSS
Exploits0References14
Drupal
Drupal
added 2012/03/28 12:0 a.m.21 views

SA-CONTRIB-2012-052 - Node Limit Number - Cross Site Request Forgery (CSRF)

CVE: CVE-2012-2080 The Node Limit Number module enables an administrator to place limits on how many nodes may be created by each user. Node Limit Number does not protect the delete URL against Cross Site Request Forgery attacks, allowing a malicious user to trick someone with "administer node...

6.8CVSS6.4AI score0.01202EPSS
Exploits1References11
Drupal
Drupal
added 2012/03/28 12:0 a.m.26 views

SA-CONTRIB-2012-049 - ShareThis - Multiple Vulnerablies

The XSS issue is CVE: CVE-2012-2076 The CSRF issue is CVE: CVE-2012-2077 The ShareThis module allows you to display social networking tools to users. The administration forms of the module do not properly use the Form API allowing a malicious user to inject unexpected settings, allowing for...

5.1CVSS5.2AI score0.01607EPSS
Exploits0References11
Drupal
Drupal
added 2012/03/28 12:0 a.m.27 views

SA-CONTRIB-2012-047 - Ubercart Views - Information disclosure

CVE: CVE-2012-2074 Ubercart Views provides Views integration for the Ubercart shopping cart module, and includes default views that contain a critical information disclosure bug. In some versions, these views are disabled by default, but still disclose information if you enable them. Versions...

5CVSS6.1AI score0.01563EPSS
Exploits0References10
Drupal
Drupal
added 2012/03/28 12:0 a.m.25 views

SA-CONTRIB-2012-051 - Activity - Multiple Vulnerablities

The XSS issue is: CVE: CVE-2012-2078 The CSRF issue is: CVE: CVE-2012-2079 The Activity module keeps track of the things people do on your site and provides mini-feeds of these activities in blocks, in a specialized table, and via RSS. The module is extensible so that any other module can integra...

8.8CVSS6.2AI score0.00528EPSS
Exploits0References11
Drupal
Drupal
added 2012/03/28 12:0 a.m.20 views

SA-CONTRIB-2012-046 - Bundle Copy - Arbitrary Code execution

CVE: CVE-2012-2073 Bundle copy is a replacement for the Content copy module which lives in the CCK project for Drupal 6. Besides the ability to import and export content types, taxonomy and user entities are also supported. Field groups can be exported easily as well. The module doesn't...

6CVSS7.2AI score0.01821EPSS
Exploits0References10
Drupal
Drupal
added 2012/03/28 12:0 a.m.24 views

SA-CONTRIB-2012-054 - Chaos tool suite - Cross Site Scripting (XSS)

CVE: CVE-2012-2082 This suite is primarily a set of APIs and tools to improve the developer experience. It also contains a module called the Page Manager whose job is to manage pages. In particular it manages panel pages, but as it grows it will be able to manage far more than just Panels. The...

2.1CVSS6.2AI score0.01607EPSS
Exploits0References11
Drupal
Drupal
added 2012/03/28 12:0 a.m.22 views

SA-CONTRIB-2012-055 - Fusion theme - Cross Site Scripting (XSS)

CVE: CVE-2012-2083 Fusion is a base theme that provides a configurable grid system and modular styling for common Drupal UI components. The theme outputs a CSS class for the tag based on the current URL, but does not provide sufficient filtering to prevent a Cross site scripting XSS attack. This...

4.3CVSS5.7AI score0.01325EPSS
Exploits0References18
Drupal
Drupal
added 2012/03/28 12:0 a.m.15 views

SA-CONTRIB-2012-045 - AddToAny - Cross Site Scripting

CVE: CVE-2012-2072 This module enables you to add Lockerz/AddToAny's universal sharing buttons to your site. Previously, the module did not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fac...

2.1CVSS5.6AI score0.01064EPSS
Exploits0References10
Drupal
Drupal
added 2012/03/28 12:0 a.m.16 views

SA-CONTRIB-2012-050 - CDN2 Video - Unsupported

CDN2 is a plug and play module and video management service for Drupal. The module does not sanitize output correctly, allowing for a cross-site scripting XSS vulnerability. Additionally, the Form API is not correctly utilized allowing for cross-site request forgery CSRF attempts. This module...

6.8CVSS5.6AI score0.01284EPSS
Exploits0References7
Drupal
Drupal
added 2012/03/28 12:0 a.m.23 views

SA-CONTRIB-2012-044 - Contact Forms - Cross Site Scripting

CVE: CVE-2012-2071 This module expands the features of the site wide contact form. It eliminates the drop down category menu by generating a clean looking contact form with a unique path, for each of the contact form categories. The module doesn't sufficiently filter user text of the page title a...

2.1CVSS5.4AI score0.01064EPSS
Exploits0References10
Drupal
Drupal
added 2012/03/28 12:0 a.m.23 views

SA-CONTRIB-2012-053 - Organic Groups - Access Bypass

CVE: CVE-2012-2081 Organic groups OG enables users to create and manage their own 'groups'. Each group can have subscribers, and maintains a group home page where subscribers communicate amongst themselves. The module's Views integration does not filter out information from display groups to whic...

5CVSS6.1AI score0.01563EPSS
Exploits0References11
Total number of security vulnerabilities1940