Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2025/11/12 12:0 a.m.12 views

Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006

Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data...

5.9CVSS6.5AI score0.00228EPSS
Exploits0References7
Drupal
Drupal
added 2025/11/12 12:0 a.m.11 views

Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008

The core system module handles downloads of private and temporary files. Contrib modules can define additional kinds of files schemes that may also be handled by the system module. In some cases, files may be served with the HTTP header Cache-Control: public when they should be uncacheable. This...

3.7CVSS5.5AI score0.00249EPSS
Exploits0References7
Drupal
Drupal
added 2025/11/05 12:0 a.m.10 views

Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-115

The Email TFA module provides additional email-based two-factor authentication for Drupal logins. In certain scenarios, the module does not fully protect all login mechanisms as expected. This issue is mitigated by the fact that an attacker must already have valid user credentials username and...

5.4CVSS5.5AI score0.00183EPSS
Exploits0References2
Drupal
Drupal
added 2025/11/05 12:0 a.m.13 views

Simple multi step form - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-116

This module provides the ability to convert any entity form into a simple multi-step form. The module doesn’t sufficiently filter certain user-provided text leading to a cross-site scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

3.5CVSS5.3AI score0.00151EPSS
Exploits0References2
Drupal
Drupal
added 2025/10/29 12:0 a.m.13 views

Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114

This module introduces an OAuth 2.0 authorization server, which can be configured to protect your Drupal instance with access tokens, or allow clients to request new access tokens and refresh them. The module doesn't sufficiently respect granted scopes, it affects all access checks that are based...

7.5CVSS5.7AI score0.00343EPSS
Exploits0References2
Drupal
Drupal
added 2025/10/22 12:0 a.m.13 views

CivicTheme Design System - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-113

CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components. CivicTheme does not sufficiently filter field data before rendering them in Twig templates. This combined with...

6.1CVSS5.5AI score0.00184EPSS
Exploits0References2
Drupal
Drupal
added 2025/10/22 12:0 a.m.13 views

CivicTheme Design System - Moderately critical - Information disclosure - SA-CONTRIB-2025-112

CivicTheme is a design system and theme framework used to build content-rich Drupal websites. It includes editorial workflows, structured content types, and flexible theming components. The theme doesn't sufficiently check access to entities when they are displayed as reference cards used in manu...

7.5CVSS5.5AI score0.0028EPSS
Exploits0References2
Drupal
Drupal
added 2025/09/24 12:0 a.m.15 views

Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-108

This module enables users to sign in with an access code instead of entering user names and passwords. When users are allowed to pick their own access codes, they can guess other users' access codes based on the fact that access codes need to be unique and the system warns if the code of their...

6.3CVSS5.6AI score0.00225EPSS
Exploits0References2
Drupal
Drupal
added 2025/09/24 12:0 a.m.12 views

Umami Analytics - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-109

This module enables you to add Umami Analytics web statistics tracking system to your website. The "administer umami analytics" permission allows inserting an arbitrary JavaScript file on every page. While this is an expected feature, the permission lacks the "restrict access" flag, which should...

3.8CVSS5.4AI score0.00184EPSS
Exploits0References3
Drupal
Drupal
added 2025/09/24 12:0 a.m.12 views

Currency - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-110

This module allows you to use different currencies on your website and do currency conversion. The module doesn't sufficiently protect routes used to enable and disable currencies from Cross-Site Request Forgery CSRF attacks, potentially allowing an attacker to trick an admin into changing settin...

6.5CVSS5.4AI score0.00121EPSS
Exploits0References2
Drupal
Drupal
added 2025/09/24 12:0 a.m.12 views

JSON Field - Critical - Cross Site Scripting - SA-CONTRIB-2025-106

This module enables you to store and display JSON data using optional 3rd party libraries. The module doesn't sufficiently filter data using some of the included field formatters leading to a Cross-site Scripting XSS vulnerability...

6.1CVSS5.4AI score0.00184EPSS
Exploits0References2
Drupal
Drupal
added 2025/09/24 12:0 a.m.10 views

Plausible tracking - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-107

This module integrates Plausible Analytics on a site. The module did not properly filter output in certain cases. This vulnerability is mitigated by the fact that an attacker must have permission to add raw HTML to the website, such as an unfiltered WYSIWYG field on a public-facing comment...

6.1CVSS5.5AI score0.00177EPSS
Exploits0References2
Drupal
Drupal
added 2025/09/24 12:0 a.m.13 views

Reverse Proxy Header - Less critical - Access bypass - SA-CONTRIB-2025-111

This module allows you to specify an HTTP header name to determine the client's IP address. The module doesn't sufficiently handle all cases under the scenario if Drupal Core settings $settings'reverseproxy' is set to TRUE and $settings'reverseproxyaddresses' is configured. This vulnerability...

5.3CVSS5.6AI score0.00276EPSS
Exploits0References2
Drupal
Drupal
added 2025/09/03 12:0 a.m.11 views

Acquia DAM - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-105

This module enables you to connect a Drupal site to the Acquia DAM service, which syncs media from the third party service to the site. The module doesn't sufficiently validate authorization to a list of DAM assets currently synced to the website creating an access bypass vulnerability. This...

7.5CVSS5.4AI score0.0028EPSS
Exploits0References4
Drupal
Drupal
added 2025/08/27 12:0 a.m.13 views

Synchronize composer.json With Contrib Modules - Critical - Unsupported - SA-CONTRIB-2025-102

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.3CVSS5.4AI score0.00234EPSS
Exploits0References2
Drupal
Drupal
added 2025/08/27 12:0 a.m.12 views

Authenticator Login - Moderately critical - Access bypass - SA-CONTRIB-2025-098

This module allows users to setup two-factor authentication 2FA using authenticator apps for enhanced login security. The module did not protect all possible login paths provided by core modules. CVSS risk score experimental 6.3 / Medium...

8.8CVSS5.4AI score0.00326EPSS
Exploits0References4
Drupal
Drupal
added 2025/08/27 12:0 a.m.10 views

Owl Carousel 2 - Critical - Unsupported - SA-CONTRIB-2025-104

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.3CVSS5.4AI score0.00234EPSS
Exploits0References2
Drupal
Drupal
added 2025/08/27 12:0 a.m.11 views

Facets - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-100

This module enables you to to easily create and manage faceted search interfaces. The module doesn’t sufficiently filter certain user-provided text leading to a cross site scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permissio...

6.1CVSS5AI score0.00181EPSS
Exploits0References5
Drupal
Drupal
added 2025/08/27 12:0 a.m.10 views

Facets - Moderately critical - Information Disclosure - SA-CONTRIB-2025-099

This module enables you to to easily create and manage faceted search interfaces. The module doesn't sufficiently check access to entities when they are displayed as facets. This vulnerability is mitigated by the fact that only sites that show facets with entity labels like taxonomy terms are...

6.5CVSS5.6AI score0.00189EPSS
Exploits0References5
Drupal
Drupal
added 2025/08/27 12:0 a.m.11 views

Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101

This module enables you to protect individual pages with a password. The module doesn't limit the number of password attempts, making it vulnerable to brute force attacks. This vulnerability is mitigated by the fact that an attacker must know the protected page's URL. CVSS risk score experimental...

6.5CVSS5.5AI score0.00351EPSS
Exploits0References4
Drupal
Drupal
added 2025/08/27 12:0 a.m.12 views

API Key manager - Critical - Unsupported - SA-CONTRIB-2025-103

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.3CVSS5.4AI score0.00234EPSS
Exploits0References2
Drupal
Drupal
added 2025/08/13 12:0 a.m.45 views

Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097

The Layout Builder Advanced Permissions module enables you to have fine grained control over who can do what in editing pages built with Layout Builder. The module doesn't sufficiently control access for adding sections in the submodule. This vulnerability is mitigated by the fact that an attacke...

4.3CVSS6.9AI score0.0022EPSS
Exploits0References2Affected Software1
Drupal
Drupal
added 2025/08/13 12:0 a.m.43 views

Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096

This module enables users to setup two-factor authentication 2FA using authenticator apps for enhanced login security. The module alters the standard Drupal login form to use AJAX callbacks for handling authentication flow. The module doesn't sufficiently validate authentication under specific...

9.8CVSS7.1AI score0.00492EPSS
Exploits0References2
Drupal
Drupal
added 2025/08/06 12:0 a.m.17 views

AI SEO Link Advisor - Less critical - Server-side Request Forgery - SA-CONTRIB-2025-095

This module enables you to provide SEO analysis and recommendations for a given URL. The module doesn't sufficiently sanitize user-supplied URLs, leading to a Server-side request forgery SSRF vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

8.8CVSS7.1AI score0.00235EPSS
Exploits0References2
Drupal
Drupal
added 2025/07/30 12:0 a.m.17 views

GoogleTag Manager - Moderately critical - Cross-site scripting - SA-CONTRIB-2025-094

This module enables you to integrate Google Tag Manager GTM into your Drupal site by allowing administrators to configure and embed GTM container snippets. The module doesn't sufficiently sanitize the GTM container ID under the scenario where a user with the Administer gtm permission enters...

6.1CVSS6.8AI score0.00217EPSS
Exploits0References1
Drupal
Drupal
added 2025/07/30 12:0 a.m.18 views

Config Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-093

This module enables you to access an edit page for a config page. The module doesn't sufficiently check the access permissions hookENTITYTYPEaccess wasn't taken into account. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit ID config page" an...

7.6CVSS7AI score0.00253EPSS
Exploits0References1
Drupal
Drupal
added 2025/07/23 12:0 a.m.31 views

COOKiES Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-092

This module allows you to manage video media items using the COOKiES module disabling external video elements. These elements will be enabled again, once the COOKiES banner is accepted. The module doesn't sufficiently check whether to convert "data-src" attributes to "src" when their value might...

7.6CVSS6.8AI score0.00274EPSS
Exploits0References2
Drupal
Drupal
added 2025/07/16 12:0 a.m.23 views

File Download - Moderately critical - Access bypass - SA-CONTRIB-2025-089

The File Download enables you to allow users to download file and image entities directly using a custom field formatter. It also provides an optional submodule to count and display file downloads in Views, similar to how the core statistics module tracks content views. The File Download module...

7.5CVSS7AI score0.0035EPSS
Exploits0References3
Drupal
Drupal
added 2025/07/16 12:0 a.m.17 views

Real-time SEO for Drupal - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-091

This module enables you to analyze the content that you're authoring for a website. It shows you a preview of what a search result might look like. The module doesn't sufficiently escape the metadata from content while rendering the preview, opening up the possibility of a XSS attack. This...

6.1CVSS6.1AI score0.00227EPSS
Exploits0References2
Drupal
Drupal
added 2025/07/16 12:0 a.m.24 views

Block Attributes - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-090

This module allows you to define custom attributes for a block. You can specify an attribute name to be added to the block in a predefined format. The module does not sufficiently validate the provided attributes, which makes it possible to insert JavaScript event attributes such as onmouseover,...

6.1CVSS6.1AI score0.00223EPSS
Exploits0References3
Drupal
Drupal
added 2025/07/09 12:0 a.m.22 views

Mail Login - Critical - Access bypass - SA-CONTRIB-2025-088

This module enables users to login by email address with the minimal configurations. The module included some protection against brute force attacks on the login form, however they were incomplete. An attacker could bypass the brute force protection allowing them to potentially gain access to an...

9.8CVSS6.9AI score0.00464EPSS
Exploits0References3
Drupal
Drupal
added 2025/07/09 12:0 a.m.24 views

Cookies Addons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-087

This module provides a format filter, which allows you to "disable" iframes e.g. remove their src attribute specified by the user. These elements will be enabled again, once the Cookies banner is accepted. The module doesn't sufficiently filter user-supplied content when their value might contain...

6.1CVSS5.8AI score0.00227EPSS
Exploits0References1
Drupal
Drupal
added 2025/07/02 12:0 a.m.24 views

Config Pages Viewer - Critical - Access bypass - SA-CONTRIB-2025-086

This module enables you to use configpages as a content entity. The module doesn't check permission or entity access before rendering configpages content...

5.3CVSS6.3AI score0.00265EPSS
Exploits0References2
Drupal
Drupal
added 2025/07/02 12:0 a.m.9 views

Two-factor Authentication (TFA) - Less critical - Access bypass - SA-CONTRIB-2025-085

This module enables you to allow and/or require a second authentication method in addition to password authentication. The module does not sufficiently ensure that users with enhanced privileges are prevented from viewing recovery codes of other users. This vulnerability is mitigated by the fact...

6.5CVSS5.7AI score0.00364EPSS
Exploits0References2
Drupal
Drupal
added 2025/06/25 12:0 a.m.10 views

GLightbox - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-078

GLightbox module is a pure Javascript lightbox for CKEditor. The module doesn't sufficiently filter user-supplied text for the GLightbox Javascript library leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the...

6.1CVSS5.5AI score0.00183EPSS
Exploits0References2
Drupal
Drupal
added 2025/06/25 12:0 a.m.25 views

Open Social - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-079

Open Social is a Drupal distribution for online communities, which ships with a default module that allows users to enroll in events. The module doesn't sufficiently protect certain routes from Cross Site Request Forgery CSRF attacks. Users can be tricked into accepting or rejecting these...

8.8CVSS6.5AI score0.00161EPSS
Exploits0References3
Drupal
Drupal
added 2025/06/25 12:0 a.m.24 views

Toc.js - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-077

This module enables you to generate Table of content of your pages given a configuration. The module doesn't sufficiently sanitise data attributes allowing persistent Cross-site Scripting XSS attacks. This vulnerability is mitigated by the fact that an attacker must have a role with permission to...

6.1CVSS5.4AI score0.00186EPSS
Exploits0References2
Drupal
Drupal
added 2025/06/25 12:0 a.m.9 views

CKEditor5 Youtube - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-081

The CKEditor5 Youtube module enhances content creation in Drupal by seamlessly integrating YouTube video embedding into the CKEditor 5 text editor. The module doesn't sufficiently validate iframe sources under the scenario where a user embeds a video using the CKEditor YouTube integration leading...

6.1CVSS5.6AI score0.00186EPSS
Exploits0References1
Drupal
Drupal
added 2025/06/25 12:0 a.m.22 views

Klaro Cookie & Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-080

Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading. The module doesn't sufficiently sanitize some HTML attributes allowing persistent Cross-site Scripting XSS attacks. This...

4.3CVSS5.5AI score0.00216EPSS
Exploits0References1
Drupal
Drupal
added 2025/06/25 12:0 a.m.13 views

Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-082

The module enables you to add second-factor authentication on top of the default Drupal login. The module does not sufficiently ensure that known authorization routes are protected. This vulnerability is mitigated by the fact that an attacker must obtain the user's username and password...

4.8CVSS5.6AI score0.00204EPSS
Exploits0References3
Drupal
Drupal
added 2025/06/25 12:0 a.m.25 views

Simple XML sitemap - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-083

Simple XML sitemap is a SEO module that allows creating various XML sitemaps of the site's content and submitting them to search engines. The module doesn't sufficiently sanitize input when administering it, which leads to a Cross-site scripting XSS attack vector. This vulnerability is mitigated ...

5.4CVSS5.6AI score0.00186EPSS
Exploits0References3
Drupal
Drupal
added 2025/06/25 12:0 a.m.21 views

Paragraphs table - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-084

Project Paragraphs table provides a field for a collection table. The module doesn't sufficiently sanitise certain data attributes allowing Cross Site Scripting XSS attacks. This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing...

5.4CVSS5.4AI score0.00186EPSS
Exploits0References2
Drupal
Drupal
added 2025/05/28 12:0 a.m.12 views

Bookable Calendar - Less critical - Access bypass - SA-CONTRIB-2025-070

This module enables you to setup a repeating date rule that users can "book" different dates, allowing you to let users register for a variety of different things like conference rooms or guitar lessons. This module has a permission of "view booking" and "view booking contact" which allows you to...

6.5CVSS6.6AI score0.00195EPSS
Exploits0References2
Drupal
Drupal
added 2025/05/28 12:0 a.m.19 views

Simple Klaro - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-071

The "Simple Klaro" module adds the "Klaro! A Simple Consent Manager" to your website and allows you to configure it according to your needs in the Drupal backend. The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility for the permission to be...

8.8CVSS5.9AI score0.00225EPSS
Exploits0References2
Drupal
Drupal
added 2025/05/28 12:0 a.m.29 views

COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-076

The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent. Each sub-module allows to include a specific third party service in the consent management, by controlling the execution of javascript. However, thi...

8.6CVSS6.7AI score0.00278EPSS
Exploits0References2
Drupal
Drupal
added 2025/05/28 12:0 a.m.17 views

COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-075

This module provides a format filter, which allows you to "disable" certain HTML elements e.g. remove their src attribute specified by the user. These elements will be enabled again, once the COOKiES banner is accepted. The module doesn't sufficiently check whether to convert "data-src" attribute...

8.6CVSS6.3AI score0.00278EPSS
Exploits0References2
Drupal
Drupal
added 2025/05/28 12:0 a.m.19 views

EU Cookie Compliance (GDPR Compliance) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-072

This module addresses the General Data Protection Regulation GDPR and the EU Directive on Privacy and Electronic Communications. The module doesn't sufficiently verify whether "disabled JavaScript" entries are valid or correspond to actual scripts on the page. As a result, an attacker could injec...

5CVSS7AI score0.00187EPSS
Exploits0References2
Drupal
Drupal
added 2025/05/28 12:0 a.m.21 views

Simple Klaro - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-073

The "Simple Klaro" module adds the "Klaro! A Simple Consent Manager" to your website and allows you to configure it according to your needs in the Drupal backend. The module doesn't sufficiently sanitise data attributes allowing persistent Cross Site Scripting XSS attacks. This vulnerability is...

5CVSS5.7AI score0.00187EPSS
Exploits0References2
Drupal
Drupal
added 2025/05/28 12:0 a.m.21 views

etracker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-074

The module adds the etracker web statistics tracking system to your website. The cookiesetracker submodule allows the inline JavaScript to be included in consent management. However, this does not adequately check whether the provided JavaScript code originates from authorized users. A potential...

7.3CVSS6.6AI score0.00234EPSS
Exploits0References2
Drupal
Drupal
added 2025/05/21 12:0 a.m.28 views

Lightgallery - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-069

This module integrates Drupal with LightGallery, enabling the use of the LightGallery library with any image field or view. The module does not adequately sanitize user input in the image field’s "alt" attribute, potentially allowing cross-site scripting XSS attacks when tags or scripts are...

7.1CVSS5.7AI score0.00278EPSS
Exploits0References2
Total number of security vulnerabilities1940