Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
•added 2012/03/28 12:0 a.m.•17 views

SA-CONTRIB-2012-043 - MultiBlock - Cross Site Scripting

CVE: CVE-2012-2070 The MultiBlock module allows an administrator to create multiple instances of blocks provided by other modules. The module does not properly sanitize the block title provided by a block administrator, leading to a cross-site scripting XSS vulnerability. Such an attack may lead ...

2.1CVSS5.6AI score0.01318EPSS
Exploits1References12
Drupal
Drupal
•added 2012/03/28 12:0 a.m.•19 views

SA-CONTRIB-2012-048 - Contact Save - Cross Site Scripting

CVE: CVE-2012-2075 This module stores in the database all messages submitted through the core contact forms, and provides a way to respond to these messages through the website. The module doesn't sufficiently filter user supplied text, leading to a cross-site scripting XSS vulnerability. This...

2.1CVSS5.6AI score0.01659EPSS
Exploits1References9
Drupal
Drupal
•added 2012/03/21 12:0 a.m.•19 views

SA-CONTRIB-2012-042 - Wishlist Cross Site Scripting (XSS)

CVE: CVE-2012-2069 The Wishlist Module allows users to maintain shared wishlists for special events and holidays. Impact: The module doesn't sufficiently filter user supplied text from the URL. This can be used to perform a reflected cross site scripting XSS attack. User account credentials could...

6.8CVSS5.5AI score0.00917EPSS
Exploits1References11
Drupal
Drupal
•added 2012/03/14 12:0 a.m.•17 views

SA-CONTRIB-2012-039 - Language Icons - Cross Site Scripting (XSS)

CVE: CVE-2012-2065 The Language icons module adds icons to language links generated by the Locale and Content Translation modules in core. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. This vulnerability is...

3.5CVSS5.6AI score0.01822EPSS
Exploits0References12
Drupal
Drupal
•added 2012/03/14 12:0 a.m.•26 views

SA-CONTRIB-2012-040 - CKEditor and FCKeditor - multiple XSS, arbitrary code execution

CKEditor and its predecessor FCKeditor allow Drupal to replace textarea fields with the FCKEditor - a visual HTML WYSIWYG editor. The modules have an AJAX callback that filters text to prevent Cross site scripting attacks on content edits. This AJAX callback function contains a number of bugs whi...

6.8CVSS5.9AI score0.0153EPSS
Exploits0References9
Drupal
Drupal
•added 2012/03/14 12:0 a.m.•27 views

SA-CONTRIB-2012-036 - Multiple Modules Unsupported

CVE: CVE-2012-2056 Content Lock Is a module that prevents users from concurrent editing of nodes. This module does not use a token for unlocking a content lock. This leads to a CSRF attack vector. CVE: CVE-2012-2057 Ubercart Bulk Stock Updater is an extension module for Ubercart 2.x running on...

6.8CVSS6.2AI score0.01759EPSS
Exploits0References18
Drupal
Drupal
•added 2012/03/14 12:0 a.m.•22 views

SA-CONTRIB-2012-038 - Views Language Switcher Cross Site Scripting (XSS)

CVE: CVE-2012-2064 The Views Language Switcher module enables you to provide natively-formatted links that act as Views exposed filters for i18n content being displayed by Views. The module doesn't sufficiently filter the path output when a user manually modifies the path and makes a new request...

4.3CVSS6.4AI score0.01951EPSS
Exploits0References9
Drupal
Drupal
•added 2012/03/14 12:0 a.m.•17 views

SA-CONTRIB-2012-037 - Slidebox - access bypass

CVE: CVE-2012-2063 The Slidebox module allows webmasters do display a link to the next node in a jQuery box that slides in from the right side of the page after a user scrolls past a certain point. While the module checks for "published" status, the module does not contain sufficient usage of...

5CVSS6.5AI score0.02329EPSS
Exploits0References11
Drupal
Drupal
•added 2012/03/14 12:0 a.m.•17 views

SA-CONTRIB-2012-041 - Fancy Slide - Cross Site Scripting (XSS)

CVE: CVE-2012-2068 This module enables you to create slideshow blocks to embed into templates. The module doesn't sufficiently filter user supplied text. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer fancyslide". Versions affected...

2.1CVSS6.3AI score0.01607EPSS
Exploits0References10
Drupal
Drupal
•added 2012/03/07 12:0 a.m.•20 views

SA-CONTRIB-2012-033 - Read More Link - Cross Site Scripting

CVE: CVE-2012-1658 The Read More Link module allows you to move the "Read more" link from the node's links area to the end of the teaser text. A user could inject java script into pages affecting other site users. This vulnerability is mitigated by the fact that an attacker must have a role with...

2.1CVSS6.2AI score0.01064EPSS
Exploits0References12
Drupal
Drupal
•added 2012/03/07 12:0 a.m.•18 views

SA-CONTRIB-2012-032 - Block Class - Cross Site scripting

CVE: CVE-2012-1657 The block class module allows users to add classes to any block through the block's configuration interface The class names in a block were not properly filtered. Someone with the ability to modify or create blocks could inject java script that would be rendered when viewing th...

2.1CVSS6.3AI score0.01607EPSS
Exploits0References10
Drupal
Drupal
•added 2012/03/07 12:0 a.m.•17 views

SA-CONTRIB-2012-035 - Webform Cross Site Scripting (XSS)

CVE: CVE-2012-1660 The Webform module allows content creators to assemble a survey for end-users. The module doesn't sufficiently filter user supplied text when displaying radio buttons or checkboxes when used in combination with the Select or Other... module. This vulnerability is mitigated by t...

2.1CVSS6.3AI score0.01277EPSS
Exploits0References13
Drupal
Drupal
•added 2012/03/07 12:0 a.m.•15 views

SA-CONTRIB-2012-034 - Node Recommendation Cross Site Scripting (XSS)

CVE: CVE-2012-1659 This module shows users other nodes that they might be interested in based on a simple logic and using taxonomy. The aim of this module is to provide sensible defaults and an easy configuration for less-technical users and to allow it to be manually overriden. The module doesn'...

2.1CVSS6.3AI score0.01089EPSS
Exploits0References11
Drupal
Drupal
•added 2012/03/07 12:0 a.m.•23 views

SA-CONTRIB-2012-031 - Multiple Modules Unsupported - UC PayDutchGroup - Information leakage and Multisite Search sql injection

CVE: CVE-2012-1655 UC PayDutchGroup / WeDeal payment integrates the PayDutchGroup / WeDeal payment gateway with Ubercart. The module exposes account credentials for the store's PayDutchGroup account under certain circumstances allowing a malicious user to login to the PayDutchGroup site as the...

6.8CVSS7.4AI score0.01271EPSS
Exploits0References10
Drupal
Drupal
•added 2012/03/07 12:0 a.m.•19 views

SA-CONTRIB-2012-030 - Data - Cross Site Scripting (XSS)

CVE: CVE-2012-1654 This module enables you to create arbitrary tables in your Drupal database and manage the data in them, and also manage data in existing tables such as those created by or imported from a third-party application. The module doesn't sufficiently escape the human-readable title...

2.1CVSS6.5AI score0.01853EPSS
Exploits0References11
Drupal
Drupal
•added 2012/02/29 12:0 a.m.•19 views

SA-CONTRIB-2012-028 - Hierarchical Select - Cross Site Scripting (XSS)

CVE: CVE-2012-1652 The Hierarchical Select module provides a "hierarchicalselect" form element, which is a greatly enhanced way for letting the user select items in a taxonomy. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS...

2.1CVSS5.6AI score0.01089EPSS
Exploits0References11
Drupal
Drupal
•added 2012/02/29 12:0 a.m.•28 views

SA-CONTRIB-2012-029 - Taxonomy Views Integrator - Cross Site Scripting (XSS)

CVE: CVE-2012-1653 The Taxonomy Views Integrator allows selective overriding of taxonomy terms and/or vocabulary with the view of your choice. Using TVI you can easily create custom views to output all terms in X vocabulary. The module doesn't sufficiently filter user supplied text on views pages...

3.5CVSS6.3AI score0.0107EPSS
Exploits0References11
Drupal
Drupal
•added 2012/02/29 12:0 a.m.•22 views

SA-CONTRIB-2012-026 - ZipCart - Access bypass

CVE: CVE-2012-1650 ZipCart enables a site to provide users with Zip archives for downloads selected by the user. Versions of ZipCart prior to 6.x-1.4 checks an incorrect permission when building archives. This vulnerability is mitigated by the fact that archive file addition is only permitted if...

6CVSS6.2AI score0.01203EPSS
Exploits0References10
Drupal
Drupal
•added 2012/02/29 12:0 a.m.•27 views

SA-CONTRIB-2012-025 - Cool aid; Editable help messages - Multiple vulnerabilities

Cool aid is a Drupal module that allows users to add custom help messages to Drupal pages. The module did not properly clean user input before displaying it, and did not properly check for access permissions, allowing users with "administer coolaid" to inject scripts anywhere on a site. The XSS...

4.9CVSS5.4AI score0.01207EPSS
Exploits0References10
Drupal
Drupal
•added 2012/02/29 12:0 a.m.•22 views

SA-CONTRIB-2012-024 - MediaFront - Cross Site Scripting

CVE: CVE-2012-1647 Within the MediaFront module, there is a PHP library for handling the stand alone application of the Open Standard Media player. Within this library, both the $SESSION and $SERVER variables are handled without proper checks to make sure that no malicious code is injected within...

4.3CVSS6.7AI score0.01685EPSS
Exploits1References11
Drupal
Drupal
•added 2012/02/29 12:0 a.m.•27 views

SA-CONTRIB-2012-027 - Submenu Tree -Cross Site Scripting

CVE: CVE-2012-1651 The Submenu Tree module allows sufficiently privileged users to show a list of menu entries when displaying a node. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. The vulnerability is...

3.5CVSS5.5AI score0.01046EPSS
Exploits0References11
Drupal
Drupal
•added 2012/02/22 12:0 a.m.•21 views

SA-CONTRIB-2012-023 - FAQ - Cross Site Scripting

CVE: CVE-2012-1646 The Frequently Asked Questions faq module allows users, with the appropriate permissions, to create question and answer pairs which are displayed on the 'faq' page, and in the random and recent FAQ blocks. The module does not sanitize some of the user-supplied data before...

4.3CVSS5.7AI score0.02388EPSS
Exploits0References10
Drupal
Drupal
•added 2012/02/15 12:0 a.m.•20 views

SA-CONTRIB-2012-020 - Faster Permissions - Access bypass

CVE: CVE-2012-1643 This module enables you to configure the permissions of a specific module on a separate page. This is especially handy for sites with a large list of permissions. The module doesn't sufficiently check for the required permissions when the provided permission administration is...

5CVSS6.4AI score0.01473EPSS
Exploits0References10
Drupal
Drupal
•added 2012/02/15 12:0 a.m.•21 views

SA-CONTRIB-2012-019 - Link checker - Access bypass

CVE: CVE-2012-1642 The Link checker module extracts links from your site's content and periodically tries to detect broken links and report them so they can be fixed. The module does not correctly check permission to access the site's content before displaying broken links that were found within...

5CVSS6.2AI score0.02255EPSS
Exploits0References11
Drupal
Drupal
•added 2012/02/15 12:0 a.m.•19 views

SA-CONTRIB-2012-022 - CDN - Information disclosure

CVE: CVE-2012-1645 The CDN module provides easy Content Delivery Network integration for Drupal sites. It alters file URLs, so that files are downloaded from a CDN instead of your web server. When running in Origin Pull mode together with the "Far Future expiration" option, the module contains a...

2.6CVSS6.2AI score0.014EPSS
Exploits0References10
Drupal
Drupal
•added 2012/02/15 12:0 a.m.•20 views

SA-CONTRIB-2012-021 - Organic Groups Vocab Access Bypass

CVE: CVE-2012-1644 This module enables you to have a specific vocabulary per organic group. The module doesn't sufficiently check access to vocabularies while allowing a group admin to edit the vocabularies. This vulnerability is mitigated by the fact that an attacker must have a role with the...

2.1CVSS6.3AI score0.01117EPSS
Exploits1References10
Drupal
Drupal
•added 2012/02/08 12:0 a.m.•17 views

SA-CONTRIB-2012-018 - Revisioning - Cross Site Scripting

CVE: CVE-2012-1060 The Drupal Revisioning module https://drupal.org/project/revisioning "is a module for the configuration of workflows to create, moderate and publish content revisions." The Revisioning module contains a persistent cross site scripting XSS vulnerability due to the fact that it...

2.1CVSS4.8AI score0.01062EPSS
Exploits1References11
Drupal
Drupal
•added 2012/02/08 12:0 a.m.•17 views

SA-CONTRIB-2012-017 - Finder - Multiple vulnerabilities

CVE: CVE-2012-1641 Finder is a Drupal module that allows users to create faceted search forms. The module's autocomplete, checkbox, and radio button functionalities previously did not sanitize the output of fields and raw database values. In addition, users with the "administer finder" permission...

6CVSS7.5AI score0.02292EPSS
Exploits1References12
Drupal
Drupal
•added 2012/02/01 12:0 a.m.•28 views

SA-CONTRIB-2012-016 - Forward module CSRF and Access bypass

The Forward module enables you to add a "forward this page" link to each node. The link takes regular site visitors to a form where they can generate an email to a friend. The module exhibits multiple vulnerabilities as described below. The module includes "Recent forwards" and "Most forwarded"...

6CVSS6.4AI score0.01496EPSS
Exploits0References10
Drupal
Drupal
•added 2012/02/01 12:0 a.m.•648 views

SA-CORE-2012-001 - Drupal core multiple vulnerabilities

Cross Site Request Forgery vulnerability in Aggregator module CVE: CVE-2012-0826 An XSRF vulnerability can force an aggregator feed to update. Since some services are rate-limited e.g. Twitter limits requests to 150 per hour this could lead to a denial of service. This issue affects Drupal 6.x an...

6.8CVSS6.2AI score0.01979EPSS
Exploits0References16
Drupal
Drupal
•added 2012/01/25 12:0 a.m.•17 views

SA-CONTRIB-2012-013 - Search Autocomplete - SQL Injection

CVE: CVE-2012-1638 The Search Autocomplete module allows you to add autocomplete functionality to the search fields of a Drupal site. Search Autocomplete does not properly use Drupal's database API, making it possible for a malicious user to carryout SQL injection on the site. This vulnerability ...

6CVSS7.2AI score0.01081EPSS
Exploits1References10
Drupal
Drupal
•added 2012/01/25 12:0 a.m.•29 views

SA-CONTRIB-2012-014 - Drupal Commerce - Cross Site Scripting (XSS)

CVE: CVE-2012-1639 Drupal Commerce is a flexible eCommerce framework built on Drupal 7 that lets you construct any type of eCommerce website. Part of its flexibility lies in its ability to render product fields into node displays through the product reference field used to build dynamic Add to Ca...

3.5CVSS6.3AI score0.0107EPSS
Exploits0References9
Drupal
Drupal
•added 2012/01/25 12:0 a.m.•21 views

SA-CONTRIB-2012-015 - Managesite - Cross Site Scripting (XSS)

CVE: CVE-2012-1640 This module provides a way to build a control panel similar to the one provided by Drupal 7 on the admin zone /admin. The module doesn't sufficiently filter user supplied text in the administration settings. This vulnerability is mitigated by the fact that an attacker must have...

2.1CVSS6.3AI score0.01041EPSS
Exploits0References10
Drupal
Drupal
•added 2012/01/18 12:0 a.m.•18 views

SA-CONTRIB-2012-011 - Panels - Cross Site Scripting (XSS)

CVE: CVE-2012-0914 The Panels module allows a site administrator to create customized layouts for multiple uses. The module doesn't sufficiently sanitize administrator supplied data. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer pane...

4.3CVSS6.2AI score0.02361EPSS
Exploits0References10
Drupal
Drupal
•added 2012/01/18 12:0 a.m.•24 views

SA-CONTRIB-2012-012 - Quicktabs - Cross Site Scripting (XSS)

CVE: CVE-2012-1637 The Quick Tabs module allows users to create blocks of tabbed content, specifying a title for the block and the individual tabs. Quick Tabs does not do sufficient filtering of user supplied text which presents a cross site scripting vulnerability. This vulnerability is mitigate...

4.8CVSS5AI score0.00528EPSS
Exploits0References13
Drupal
Drupal
•added 2012/01/18 12:0 a.m.•23 views

SA-CONTRIB-2012-009 - Revisioning - Access bypass

CVE: CVE-2012-1635 This module enables you to create moderation publication workflows, allowing authors to create content that isn't visible to the public until it has been approved by a moderator/publisher. The module's implementation of hooknodeaccess assumes that access is to granted/denied...

6.4CVSS6.4AI score0.01358EPSS
Exploits0References10
Drupal
Drupal
•added 2012/01/17 12:0 a.m.•19 views

SA-CONTRIB-2012-010 - stickynote - Multiple vulnerabilities

CVE: CVE-2012-1636 This module enables you to add textual notes in a block to perform quality assurance of your site. Previously it did not sufficiently protect against Cross Site Scripting XSS or Cross Site Request Forgery CSRF. This vulnerability is mitigated by the fact that an attacker must...

4.3CVSS5.8AI score0.00903EPSS
Exploits0References9
Drupal
Drupal
•added 2012/01/16 12:0 a.m.•18 views

SA-CONTRIB-2013-004 - Live CSS - Arbitrary Code Execution

This module enables you to save CSS and LESS files on the server via your browser. The module doesn't check that the file being saved isn't a script or executable. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer CSS". CVE identifiers...

6CVSS6.3AI score0.01857EPSS
Exploits0References11
Drupal
Drupal
•added 2012/01/11 12:0 a.m.•29 views

SA-CONTRIB-2012-006 XSS and CSRF in Multiple Modules - Supercron, Taxotouch, Admin:hover, Taxonomy Navigator no longer supported

CVE: CVE-2012-1628 SuperCron is a complete replacement for Drupal's built-in Cron functionality. The module is vulnerable to Cross Site Scripting. The vulnerability is mitigated by an attacker needing to gain an account with "access administration pages" permission. CVE: CVE-2012-1629 Taxotouch...

6.8CVSS6.4AI score0.00941EPSS
Exploits0References13
Drupal
Drupal
•added 2012/01/11 12:0 a.m.•16 views

SA-CONTRIB-2012-005 - Vote up/down - Cross Site Scripting

CVE: CVE-2012-1627 This module enables you to add voting widgets to nodes, terms and comments. The vudterm sub-module doesn't sufficiently sanitize taxonomy terms before display. In order to execute arbitrary script injection malicious users must have the ability to create or edit taxonomy terms...

3.5CVSS7.4AI score0.01578EPSS
Exploits0References11
Drupal
Drupal
•added 2012/01/11 12:0 a.m.•21 views

SA-CONTRIB-2012-004 - Date - SQL injection

CVE: CVE-2012-1626 This module enables you to add and administer date fields to nodes. It includes Date Tools, that allows users to convert nodes created with the Event module into Date fields. The conversion form for Events is vulnerable to SQL injection. This vulnerability is mitigated by the...

6CVSS6.9AI score0.01105EPSS
Exploits0References10
Drupal
Drupal
•added 2012/01/11 12:0 a.m.•17 views

SA-CONTRIB-2012-008 - Video Filter - Cross Site Scripting

CVE: CVE-2012-1634 The Video Filter module lets you display videos from various third party sources. When videos from Blip.tv are shown, the module fails to sanitize source data before display. This vulnerability is mitigated by the fact that the attacker has to be able to either control the sour...

4.3CVSS6.4AI score0.01393EPSS
Exploits1References11
Drupal
Drupal
•added 2012/01/11 12:0 a.m.•16 views

SA-CONTRIB-2012-007 - Password Policy - Multiple vulnerabilities

This module enables you to specify a certain level of password complexity aka. "password hardening" for user passwords on a system by defining a policy. Cross Site Request Forgery CSRF CVE: CVE-2012-1633 Unblocking a user does not require sufficient confirmation by administrative users and can be...

6.8CVSS6.1AI score0.00941EPSS
Exploits2References10
Drupal
Drupal
•added 2012/01/04 12:0 a.m.•23 views

SA-CONTRIB-2012-003 - Fill PDF - Multiple vulnerabilities

CVE: CVE-2012-1625 This module enables you to populate fillable PDF templates with data from nodes and webforms. Access bypass 7.x only Incorrectly-ordered arguments in a call to the function that handles the main functionality of the module makes it possible for an attacker to trigger any PDF to...

6CVSS6.5AI score0.01067EPSS
Exploits0References12
Drupal
Drupal
•added 2012/01/04 12:0 a.m.•20 views

SA-CONTRIB-2012-001 - Registration Codes - Access bypass

CVE: CVE-2012-1623 The Registration Codes module enables site administrators to restrict registration for new accounts to only users who provide a valid registration code. The default module installation provides no access check for the registration code list, leading to a vulnerability that allo...

5CVSS6.6AI score0.01396EPSS
Exploits0References8
Drupal
Drupal
•added 2012/01/04 12:0 a.m.•17 views

SA-CONTRIB-2012-002 - Lingotek - Cross Site Scripting

CVE: CVE-2012-1624 This module enables you to translate a website's content using tools provided by the Lingotek Collaborative Translation Network. The module doesn't sufficiently sanitize user input when creating or editing page content. This allows a malicious content editor to potentially inpu...

3.5CVSS5.8AI score0.0107EPSS
Exploits0References10
Drupal
Drupal
•added 2011/12/14 12:0 a.m.•13 views

SA-CONTRIB-2011-059 - Meta tags quick - Cross Site Scripting (XSS)

The Meta tags quick module provides a simple tool to add meta tags to a site. The module doesn't consistently filter user input which could lead to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer...

6.5AI score
Exploits0References10
Drupal
Drupal
•added 2011/11/30 12:0 a.m.•12 views

SA-CONTRIB-2011-057 - Support Ticketing System - Cross Site Scripting (XSS)

The Support Ticketing System module provides a basic ticketing system and helpdesk that is native to Drupal, offering complete email integration. The module does not properly sanitize user-supplied content, resulting in multiple Cross-Site Scripting XSS vulnerabilities. This vulnerability is...

6.2AI score
Exploits0References10
Drupal
Drupal
•added 2011/11/30 12:0 a.m.•12 views

SA-CONTRIB-2011-058 - Support Timer - Cross Site Scripting (XSS)

The Support Timer module adds a javascript-based timer to the Support Ticketing System for tracking how long users are working on support tickets, as well as administrative reports. The module does not properly sanitize user-supplied content, resulting in multiple Cross-Site Scripting XSS...

2.1CVSS5.6AI score0.00941EPSS
Exploits0References10
Drupal
Drupal
•added 2011/11/30 12:0 a.m.•14 views

SA-CONTRIB-2011-056 - Webform Validation Cross Site Scripting

The Webform Validation module enables you to add form validation rules to Webform components through a UI. The module contains multiple cross site scripting XSS vulnerabilities due to the fact that it fails to sanitize certain user entered text prior to displaying in the browser. This vulnerabili...

6.1AI score
Exploits0References11
Total number of security vulnerabilities1940