1940 matches found
SA-CONTRIB-2012-043 - MultiBlock - Cross Site Scripting
CVE: CVE-2012-2070 The MultiBlock module allows an administrator to create multiple instances of blocks provided by other modules. The module does not properly sanitize the block title provided by a block administrator, leading to a cross-site scripting XSS vulnerability. Such an attack may lead ...
SA-CONTRIB-2012-048 - Contact Save - Cross Site Scripting
CVE: CVE-2012-2075 This module stores in the database all messages submitted through the core contact forms, and provides a way to respond to these messages through the website. The module doesn't sufficiently filter user supplied text, leading to a cross-site scripting XSS vulnerability. This...
SA-CONTRIB-2012-042 - Wishlist Cross Site Scripting (XSS)
CVE: CVE-2012-2069 The Wishlist Module allows users to maintain shared wishlists for special events and holidays. Impact: The module doesn't sufficiently filter user supplied text from the URL. This can be used to perform a reflected cross site scripting XSS attack. User account credentials could...
SA-CONTRIB-2012-039 - Language Icons - Cross Site Scripting (XSS)
CVE: CVE-2012-2065 The Language icons module adds icons to language links generated by the Locale and Content Translation modules in core. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is...
SA-CONTRIB-2012-040 - CKEditor and FCKeditor - multiple XSS, arbitrary code execution
CKEditor and its predecessor FCKeditor allow Drupal to replace textarea fields with the FCKEditor - a visual HTML WYSIWYG editor. The modules have an AJAX callback that filters text to prevent Cross site scripting attacks on content edits. This AJAX callback function contains a number of bugs whi...
SA-CONTRIB-2012-036 - Multiple Modules Unsupported
CVE: CVE-2012-2056 Content Lock Is a module that prevents users from concurrent editing of nodes. This module does not use a token for unlocking a content lock. This leads to a CSRF attack vector. CVE: CVE-2012-2057 Ubercart Bulk Stock Updater is an extension module for Ubercart 2.x running on...
SA-CONTRIB-2012-038 - Views Language Switcher Cross Site Scripting (XSS)
CVE: CVE-2012-2064 The Views Language Switcher module enables you to provide natively-formatted links that act as Views exposed filters for i18n content being displayed by Views. The module doesn't sufficiently filter the path output when a user manually modifies the path and makes a new request...
SA-CONTRIB-2012-037 - Slidebox - access bypass
CVE: CVE-2012-2063 The Slidebox module allows webmasters do display a link to the next node in a jQuery box that slides in from the right side of the page after a user scrolls past a certain point. While the module checks for "published" status, the module does not contain sufficient usage of...
SA-CONTRIB-2012-041 - Fancy Slide - Cross Site Scripting (XSS)
CVE: CVE-2012-2068 This module enables you to create slideshow blocks to embed into templates. The module doesn't sufficiently filter user supplied text. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer fancyslide". Versions affected...
SA-CONTRIB-2012-033 - Read More Link - Cross Site Scripting
CVE: CVE-2012-1658 The Read More Link module allows you to move the "Read more" link from the node's links area to the end of the teaser text. A user could inject java script into pages affecting other site users. This vulnerability is mitigated by the fact that an attacker must have a role with...
SA-CONTRIB-2012-032 - Block Class - Cross Site scripting
CVE: CVE-2012-1657 The block class module allows users to add classes to any block through the block's configuration interface The class names in a block were not properly filtered. Someone with the ability to modify or create blocks could inject java script that would be rendered when viewing th...
SA-CONTRIB-2012-035 - Webform Cross Site Scripting (XSS)
CVE: CVE-2012-1660 The Webform module allows content creators to assemble a survey for end-users. The module doesn't sufficiently filter user supplied text when displaying radio buttons or checkboxes when used in combination with the Select or Other... module. This vulnerability is mitigated by t...
SA-CONTRIB-2012-034 - Node Recommendation Cross Site Scripting (XSS)
CVE: CVE-2012-1659 This module shows users other nodes that they might be interested in based on a simple logic and using taxonomy. The aim of this module is to provide sensible defaults and an easy configuration for less-technical users and to allow it to be manually overriden. The module doesn'...
SA-CONTRIB-2012-031 - Multiple Modules Unsupported - UC PayDutchGroup - Information leakage and Multisite Search sql injection
CVE: CVE-2012-1655 UC PayDutchGroup / WeDeal payment integrates the PayDutchGroup / WeDeal payment gateway with Ubercart. The module exposes account credentials for the store's PayDutchGroup account under certain circumstances allowing a malicious user to login to the PayDutchGroup site as the...
SA-CONTRIB-2012-030 - Data - Cross Site Scripting (XSS)
CVE: CVE-2012-1654 This module enables you to create arbitrary tables in your Drupal database and manage the data in them, and also manage data in existing tables such as those created by or imported from a third-party application. The module doesn't sufficiently escape the human-readable title...
SA-CONTRIB-2012-028 - Hierarchical Select - Cross Site Scripting (XSS)
CVE: CVE-2012-1652 The Hierarchical Select module provides a "hierarchicalselect" form element, which is a greatly enhanced way for letting the user select items in a taxonomy. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS...
SA-CONTRIB-2012-029 - Taxonomy Views Integrator - Cross Site Scripting (XSS)
CVE: CVE-2012-1653 The Taxonomy Views Integrator allows selective overriding of taxonomy terms and/or vocabulary with the view of your choice. Using TVI you can easily create custom views to output all terms in X vocabulary. The module doesn't sufficiently filter user supplied text on views pages...
SA-CONTRIB-2012-026 - ZipCart - Access bypass
CVE: CVE-2012-1650 ZipCart enables a site to provide users with Zip archives for downloads selected by the user. Versions of ZipCart prior to 6.x-1.4 checks an incorrect permission when building archives. This vulnerability is mitigated by the fact that archive file addition is only permitted if...
SA-CONTRIB-2012-025 - Cool aid; Editable help messages - Multiple vulnerabilities
Cool aid is a Drupal module that allows users to add custom help messages to Drupal pages. The module did not properly clean user input before displaying it, and did not properly check for access permissions, allowing users with "administer coolaid" to inject scripts anywhere on a site. The XSS...
SA-CONTRIB-2012-024 - MediaFront - Cross Site Scripting
CVE: CVE-2012-1647 Within the MediaFront module, there is a PHP library for handling the stand alone application of the Open Standard Media player. Within this library, both the $SESSION and $SERVER variables are handled without proper checks to make sure that no malicious code is injected within...
SA-CONTRIB-2012-027 - Submenu Tree -Cross Site Scripting
CVE: CVE-2012-1651 The Submenu Tree module allows sufficiently privileged users to show a list of menu entries when displaying a node. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. The vulnerability is...
SA-CONTRIB-2012-023 - FAQ - Cross Site Scripting
CVE: CVE-2012-1646 The Frequently Asked Questions faq module allows users, with the appropriate permissions, to create question and answer pairs which are displayed on the 'faq' page, and in the random and recent FAQ blocks. The module does not sanitize some of the user-supplied data before...
SA-CONTRIB-2012-020 - Faster Permissions - Access bypass
CVE: CVE-2012-1643 This module enables you to configure the permissions of a specific module on a separate page. This is especially handy for sites with a large list of permissions. The module doesn't sufficiently check for the required permissions when the provided permission administration is...
SA-CONTRIB-2012-019 - Link checker - Access bypass
CVE: CVE-2012-1642 The Link checker module extracts links from your site's content and periodically tries to detect broken links and report them so they can be fixed. The module does not correctly check permission to access the site's content before displaying broken links that were found within...
SA-CONTRIB-2012-022 - CDN - Information disclosure
CVE: CVE-2012-1645 The CDN module provides easy Content Delivery Network integration for Drupal sites. It alters file URLs, so that files are downloaded from a CDN instead of your web server. When running in Origin Pull mode together with the "Far Future expiration" option, the module contains a...
SA-CONTRIB-2012-021 - Organic Groups Vocab Access Bypass
CVE: CVE-2012-1644 This module enables you to have a specific vocabulary per organic group. The module doesn't sufficiently check access to vocabularies while allowing a group admin to edit the vocabularies. This vulnerability is mitigated by the fact that an attacker must have a role with the...
SA-CONTRIB-2012-018 - Revisioning - Cross Site Scripting
CVE: CVE-2012-1060 The Drupal Revisioning module https://drupal.org/project/revisioning "is a module for the configuration of workflows to create, moderate and publish content revisions." The Revisioning module contains a persistent cross site scripting XSS vulnerability due to the fact that it...
SA-CONTRIB-2012-017 - Finder - Multiple vulnerabilities
CVE: CVE-2012-1641 Finder is a Drupal module that allows users to create faceted search forms. The module's autocomplete, checkbox, and radio button functionalities previously did not sanitize the output of fields and raw database values. In addition, users with the "administer finder" permission...
SA-CONTRIB-2012-016 - Forward module CSRF and Access bypass
The Forward module enables you to add a "forward this page" link to each node. The link takes regular site visitors to a form where they can generate an email to a friend. The module exhibits multiple vulnerabilities as described below. The module includes "Recent forwards" and "Most forwarded"...
SA-CORE-2012-001 - Drupal core multiple vulnerabilities
Cross Site Request Forgery vulnerability in Aggregator module CVE: CVE-2012-0826 An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited e.g. Twitter limits requests to 150 per hour this could lead to a denial of service. This issue affects Drupal 6.x an...
SA-CONTRIB-2012-013 - Search Autocomplete - SQL Injection
CVE: CVE-2012-1638 The Search Autocomplete module allows you to add autocomplete functionality to the search fields of a Drupal site. Search Autocomplete does not properly use Drupal's database API, making it possible for a malicious user to carryout SQL injection on the site. This vulnerability ...
SA-CONTRIB-2012-014 - Drupal Commerce - Cross Site Scripting (XSS)
CVE: CVE-2012-1639 Drupal Commerce is a flexible eCommerce framework built on Drupal 7 that lets you construct any type of eCommerce website. Part of its flexibility lies in its ability to render product fields into node displays through the product reference field used to build dynamic Add to Ca...
SA-CONTRIB-2012-015 - Managesite - Cross Site Scripting (XSS)
CVE: CVE-2012-1640 This module provides a way to build a control panel similar to the one provided by Drupal 7 on the admin zone /admin. The module doesn't sufficiently filter user supplied text in the administration settings. This vulnerability is mitigated by the fact that an attacker must have...
SA-CONTRIB-2012-011 - Panels - Cross Site Scripting (XSS)
CVE: CVE-2012-0914 The Panels module allows a site administrator to create customized layouts for multiple uses. The module doesn't sufficiently sanitize administrator supplied data. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer pane...
SA-CONTRIB-2012-012 - Quicktabs - Cross Site Scripting (XSS)
CVE: CVE-2012-1637 The Quick Tabs module allows users to create blocks of tabbed content, specifying a title for the block and the individual tabs. Quick Tabs does not do sufficient filtering of user supplied text which presents a cross site scripting vulnerability. This vulnerability is mitigate...
SA-CONTRIB-2012-009 - Revisioning - Access bypass
CVE: CVE-2012-1635 This module enables you to create moderation publication workflows, allowing authors to create content that isn't visible to the public until it has been approved by a moderator/publisher. The module's implementation of hooknodeaccess assumes that access is to granted/denied...
SA-CONTRIB-2012-010 - stickynote - Multiple vulnerabilities
CVE: CVE-2012-1636 This module enables you to add textual notes in a block to perform quality assurance of your site. Previously it did not sufficiently protect against Cross Site Scripting XSS or Cross Site Request Forgery CSRF. This vulnerability is mitigated by the fact that an attacker must...
SA-CONTRIB-2013-004 - Live CSS - Arbitrary Code Execution
This module enables you to save CSS and LESS files on the server via your browser. The module doesn't check that the file being saved isn't a script or executable. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer CSS". CVE identifiers...
SA-CONTRIB-2012-006 XSS and CSRF in Multiple Modules - Supercron, Taxotouch, Admin:hover, Taxonomy Navigator no longer supported
CVE: CVE-2012-1628 SuperCron is a complete replacement for Drupal's built-in Cron functionality. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with "access administration pages" permission. CVE: CVE-2012-1629 Taxotouch...
SA-CONTRIB-2012-005 - Vote up/down - Cross Site Scripting
CVE: CVE-2012-1627 This module enables you to add voting widgets to nodes, terms and comments. The vudterm sub-module doesn't sufficiently sanitize taxonomy terms before display. In order to execute arbitrary script injection malicious users must have the ability to create or edit taxonomy terms...
SA-CONTRIB-2012-004 - Date - SQL injection
CVE: CVE-2012-1626 This module enables you to add and administer date fields to nodes. It includes Date Tools, that allows users to convert nodes created with the Event module into Date fields. The conversion form for Events is vulnerable to SQL injection. This vulnerability is mitigated by the...
SA-CONTRIB-2012-008 - Video Filter - Cross Site Scripting
CVE: CVE-2012-1634 The Video Filter module lets you display videos from various third party sources. When videos from Blip.tv are shown, the module fails to sanitize source data before display. This vulnerability is mitigated by the fact that the attacker has to be able to either control the sour...
SA-CONTRIB-2012-007 - Password Policy - Multiple vulnerabilities
This module enables you to specify a certain level of password complexity aka. "password hardening" for user passwords on a system by defining a policy. Cross Site Request Forgery CSRF CVE: CVE-2012-1633 Unblocking a user does not require sufficient confirmation by administrative users and can be...
SA-CONTRIB-2012-003 - Fill PDF - Multiple vulnerabilities
CVE: CVE-2012-1625 This module enables you to populate fillable PDF templates with data from nodes and webforms. Access bypass 7.x only Incorrectly-ordered arguments in a call to the function that handles the main functionality of the module makes it possible for an attacker to trigger any PDF to...
SA-CONTRIB-2012-001 - Registration Codes - Access bypass
CVE: CVE-2012-1623 The Registration Codes module enables site administrators to restrict registration for new accounts to only users who provide a valid registration code. The default module installation provides no access check for the registration code list, leading to a vulnerability that allo...
SA-CONTRIB-2012-002 - Lingotek - Cross Site Scripting
CVE: CVE-2012-1624 This module enables you to translate a website's content using tools provided by the Lingotek Collaborative Translation Network. The module doesn't sufficiently sanitize user input when creating or editing page content. This allows a malicious content editor to potentially inpu...
SA-CONTRIB-2011-059 - Meta tags quick - Cross Site Scripting (XSS)
The Meta tags quick module provides a simple tool to add meta tags to a site. The module doesn't consistently filter user input which could lead to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...
SA-CONTRIB-2011-057 - Support Ticketing System - Cross Site Scripting (XSS)
The Support Ticketing System module provides a basic ticketing system and helpdesk that is native to Drupal, offering complete email integration. The module does not properly sanitize user-supplied content, resulting in multiple Cross-Site Scripting XSS vulnerabilities. This vulnerability is...
SA-CONTRIB-2011-058 - Support Timer - Cross Site Scripting (XSS)
The Support Timer module adds a javascript-based timer to the Support Ticketing System for tracking how long users are working on support tickets, as well as administrative reports. The module does not properly sanitize user-supplied content, resulting in multiple Cross-Site Scripting XSS...
SA-CONTRIB-2011-056 - Webform Validation Cross Site Scripting
The Webform Validation module enables you to add form validation rules to Webform components through a UI. The module contains multiple cross site scripting XSS vulnerabilities due to the fact that it fails to sanitize certain user entered text prior to displaying in the browser. This vulnerabili...