Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2011/02/02 12:0 a.m.14 views

SA-CONTRIB-2011-005 - AES encryption - Information disclosure

Due to a piece of code used for debugging mistakenly left in the release, the plain text password of the user who last logged in is written to a text file in the Drupal root directory. This file is remotely accessible, thus an attacker with the knowledge of which user last logged in may access th...

7.4AI score
Exploits0References8
Drupal
Drupal
added 2011/02/02 12:0 a.m.8 views

SA-CONTRIB-2011-007 - Userpoints Cross Site Scripting

The Userpoints module allows users to gain points through specific actions like contributing content. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability that may lead to a malicious user gaining full administrative...

6.3AI score
Exploits0References9
Drupal
Drupal
added 2011/02/02 12:0 a.m.15 views

SA-CONTRIB-2011-008 - Chatroom - Cross Site Scripting (XSS) and Cross Site Request Forgery

The Chatroom module provides real-time chat capabilities to Drupal. Vulnerability: Cross Site Scripting The module does not properly escape the contents of chat messages in pages listing the chats contained in a chatroom, leading to a Cross Site Scripting XSS vulnerability. Any user with permissi...

5.5AI score
Exploits0References10
Drupal
Drupal
added 2011/02/02 12:0 a.m.13 views

SA-CONTRIB-2011-009 - Droptor - SQL Injection

The Droptor module connects a Drupal site to Droptor.com, a Drupal monitoring and management solution. When capturing memory logging information the module does not filter the value input from the current page request variable. This vulnerability can be exploited to perform an SQL Injection attac...

7.9AI score
Exploits0References9
Drupal
Drupal
added 2011/02/02 12:0 a.m.11 views

SA-CONTRIB-2011-006 - Flag Page - Cross Site Scripting (XSS)

The contributed flag page module provides an additional flag type to allow you to flag pages so you can bookmark any URL on your site including views, panels, administration pages or site contact page. The module does not sanitize the flag titles when displayed in blocks, leading to a Cross-Site...

5.9AI score
Exploits0References10
Drupal
Drupal
added 2011/01/19 12:0 a.m.15 views

SA-CONTRIB-2011-003 - Janrain Engage (RPX) - Multiple Vulnerabilities

RPX recently renamed Janrain Engage is a service that acts as a middleman between a site and external login providers like Facebook, Yahoo, WindowsLive, etc. As part of this functionality it offers the ability to take a user's avatar on these services and download it for use as the user's profile...

6.9AI score
Exploits0References9
Drupal
Drupal
added 2011/01/12 12:0 a.m.14 views

SA-CONTRIB-2011-002 - Panels - Cross Site Scripting (XSS)

The Panels module allows a site administrator to create customized layouts for multiple uses. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability that may lead to a malicious user gaining full administrative access...

5.9AI score
Exploits0References9
Drupal
Drupal
added 2011/01/10 12:0 a.m.9 views

SA-CONTRIB-2011-001 - Webform - SQL Injection

The contributed webform module provides a webform nodetype. Typical uses for webform are to create questionnaires, contact or request/register forms, surveys, polls or a front end to issues tracking systems. The module does not properly use the database API, leading to an SQL Injection...

8.3AI score
Exploits0References8
Drupal
Drupal
added 2010/12/22 12:0 a.m.15 views

SA-CONTRIB-2010-112 - oEmbed - Access Bypass

The oEmbed module allows a Drupal site to embed content from oEmbed-providers as well as for a site to become an oEmbed-provider itself so that other oEmbed-enabled websites can embed its content. If an external site requested to embed a node, the oEmbed provider did not check node access,...

6.9AI score
Exploits0References8
Drupal
Drupal
added 2010/12/22 12:0 a.m.16 views

SA-CONTRIB-2010-113 - Image - Cross Site Scripting

The Image module project contains supplemental modules, one of which, Image gallery, allows users to create and maintain galleries of image nodes using taxonomy terms. The Image gallery module does not sanitize some user-supplied data before displaying it, leading to a Cross Site Scripting XSS...

6.3AI score
Exploits0References12
Drupal
Drupal
added 2010/12/15 12:0 a.m.11 views

SA-CONTRIB-2010-111 - Views - Cross Site Scripting

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content are presented. Under certain circumstances, Views could display parts of the page path without escaping, resulting in a relected Cross Site Scripting XSS vulnerability. An attacker cou...

6.2AI score
Exploits0References7
Drupal
Drupal
added 2010/12/15 12:0 a.m.16 views

SA-CONTRIB-2010-110 - Drupal For Firebug - Cross-site Request Forgery

The Drupal For Firebug module allows developers to use Firebug to get debugging information about their Drupal installation. The module does not properly protect the form used to submit PHP code against Cross-site Request Forgeries CSRF, allowing a malicious user to trick an authorized user into...

7.2AI score
Exploits0References7
Drupal
Drupal
added 2010/12/08 12:0 a.m.4 views

SA-CONTRIB-2010-108 - Who Bought What|Ubercart - Multiple Vulnerabilities

The Who Bought What-module collects and displays relevant information about purchases, including purchaser name, quantity, payment status, and all attributes. The module does not properly sanitize arguments passed via the URL when used in SQL queries, leading to a SQL Injection vulnerability...

5.9AI score
Exploits0References8
Drupal
Drupal
added 2010/12/08 12:0 a.m.16 views

SA-CONTRIB-2010-109 - Embedded Media Field, Media: Video Flotsam, Media: Audio Flotsam - Multiple Vulnerabilities

1 - Arbitrary File Upload/Code Execution Vulnerability The Embedded Thumbnail module packaged with the project allows users who upload videos to upload their own thumbnails to replace The Drupal Embedded Media Field module. Unfortunately, the Embedded Thumbnail Module contains a vulnerability tha...

7.3AI score
Exploits0References12
Drupal
Drupal
added 2010/12/01 12:0 a.m.9 views

SA-CONTRIB-2010-105 - Outline Designer - Cross Site Request Forgery

Outline Designer allows for easier creation and management of items in a Book. The Outline Designer modules does not properly protect some of its paths against Cross Site Request Forgeries CSRF, allowing an attacker to get a user with the permission to administer site configuration to change any...

6.9AI score
Exploits0References7
Drupal
Drupal
added 2010/12/01 12:0 a.m.15 views

SA-CONTRIB-2010-106 - Comment Edited - Cross Site Scripting

The Comment Edited module displays a customizable message at the bottom of a comment when it has been edited. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability that may lead to a malicious user gaining full...

6.1AI score
Exploits0References8
Drupal
Drupal
added 2010/12/01 12:0 a.m.5 views

SA-CONTRIB-2010-107 - Services - Access bypass

The Services module allows users to expose Drupal functionality to remote users. Services provides the ability for users to update nodes contained in a drupal install via the services api. When using using the node.save service it is possible for a user to supply a specifically crafted node or...

5.5AI score
Exploits0References5
Drupal
Drupal
added 2010/11/17 12:0 a.m.13 views

SA-CONTRIB-2010-104 - Relevant Content - Information Disclosure

The Relevant Content module provides a block and CCK field which contain links to other nodes on the site which are considered "relevant" to the current nodes based on number of shared taxonomy terms. The Relevant Content module does not implement node access logic properly, resulting in the...

6.8AI score
Exploits0References9
Drupal
Drupal
added 2010/11/10 12:0 a.m.15 views

SA-CONTRIB-2010-102 - Category tokens - Cross Site Scripting

The Category tokens module exposes additional tokens for the first and last terms related to a node for each vocabulary. The module does not sanitize the vocabulary names when displayed in token help, leading to a Cross-Site Scripting XSS vulnerability that may lead to a malicious user gaining fu...

5.9AI score
Exploits0References7
Drupal
Drupal
added 2010/11/10 12:0 a.m.12 views

SA-CONTRIB-2010-103 - Node Relativity - Multiple vulnerabilities

The Node Relativity module allows parent-child relationships between nodes to be established, managed and searched. The Node Relativity module does not sanitize some of the user supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability which can be used by a maliciou...

6.7AI score
Exploits0References12
Drupal
Drupal
added 2010/10/27 12:0 a.m.17 views

SA-CONTRIB-2010-101 - Watcher - Multiple Vulnerabilities

The Watcher module lets users subscribe to nodes so they receive email notifications when comments are posted or nodes are changed. The Watcher module did not sanitize some of the user supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability which can be used by a...

6.5AI score
Exploits0References10
Drupal
Drupal
added 2010/10/20 12:0 a.m.14 views

SA-CONTRIB-2010-100 - Ubuntu Drupal Theme - Directory traversal and information disclosure

This Ubuntu Drupal Theme - Brown is designed to mimic the old ubuntu.com. The theme used a PHP file to generate a gradient image on the fly. User input from the URL is not properly validated in this PHP code, leading to a directory traversal vulnerability where the contents of any file readable b...

7.1AI score
Exploits0References6
Drupal
Drupal
added 2010/10/06 12:0 a.m.20 views

SA-CONTRIB-2010-099 - Views Bulk Operations - Access Bypass

Views Bulk Operations augments Views by allowing bulk operations to be executed on the nodes and users displayed by a view. It does so by showing a checkbox in front of each item, and adding a select box containing operations that can be applied on the selected items. In some circumstances, a...

4.9CVSS6.3AI score0.01064EPSS
Exploits0References6
Drupal
Drupal
added 2010/09/29 12:0 a.m.14 views

SA-CONTRIB-2010-097 - Imagemenu - Multiple vulnerabilities

The Imagemenu module allows users to create and maintain image based menus. The Drupal 5 branch of this module contains a Cross Site Request Forgery CSRF vulnerability which could allow a malicious user to trick an administrator into unintentionally enabling or disabling menu items provided by th...

6.1AI score
Exploits0References10
Drupal
Drupal
added 2010/09/29 12:0 a.m.29 views

SA-CONTRIB-2010-098 - Memcache - Multiple vulnerabilities

The Memcache project provides an alternative cache backend which works with memcached program to speed up high traffic sites. The memcache backend caches the current $user object a little too aggressively, which can lead to a role change not being recognized until the user logs in again. The...

4.3CVSS5.1AI score0.01161EPSS
Exploits0References10
Drupal
Drupal
added 2010/09/22 12:0 a.m.13 views

SA-CONTRIB-2010-094 - Embedded Media Field - Access bypass

The Embedded Media Field project is a set of modules that enable editors to post URL's and embed codes for third party media providers such as YouTube, Vimeo, or Flickr, which will be automatically parsed and displayed using preset formatters. The Embedded Video Field module packaged with the...

6.9AI score
Exploits0References15
Drupal
Drupal
added 2010/09/22 12:0 a.m.21 views

SA-CONTRIB-2010-095 - Lightbox2 - Multiple Vulnerabilities

The Lightbox2 module enables images to be overlaid on the current page using JavaScript. The module displays images above the page instead of within it, freeing the page design from layout constraints and keeping users on the same page. The module does not sanitize some of the user supplied data...

6.4AI score
Exploits0References12
Drupal
Drupal
added 2010/09/22 12:0 a.m.13 views

SA-CONTRIB-2010-096 - Domain access - Multiple Vulnerabilities

The Domain Access module suite allows users to maintain content shared across multiple domains running from a single Drupal installation. In several instances, the module does not sanitize the user-supplied domain name before displaying it, leading to a Cross-Site Scripting XSS vulnerability that...

5.7AI score
Exploits0References11
Drupal
Drupal
added 2010/09/15 12:0 a.m.9 views

SA-CONTRIB-2010-091 - Mollom - Information Disclosure

The Mollom module provides a combination of CAPTCHA challenges with text analysis to intelligently block spam. In some configurations, sensitive user data e.g., a user's plain-text password might be logged through calls to Drupal's watchdog API. This vulnerability is mitigated by the fact that th...

6.5AI score
Exploits0References7
Drupal
Drupal
added 2010/09/15 12:0 a.m.18 views

SA-CONTRIB-2010-092 - Advanced Book Blocks - Multiple Vulnerabilities

The Advanced Book Blocks module enables you to integrate with the API provided by the JQuery Menu module version 1.8 and higher to provide click and expand book menus with the ability to customize each block individually. The module contained Cross Site Scripting vulnerabilities which could allow...

7AI score
Exploits0References6
Drupal
Drupal
added 2010/09/15 12:0 a.m.11 views

SA-CONTRIB-2010-093 - Advanced Taxonomy Blocks - Multiple Vulnerabilities

Advanced Taxonomy Blocks makes use of the JQuery menu module to create extremely customizable blocks for browsing through single hierarchy taxonomies. The module contained Cross Site Scripting vulnerabilities which could allow a malicious user with one of several non-default permissions to inject...

7AI score
Exploits0References6
Drupal
Drupal
added 2010/09/08 12:0 a.m.16 views

SA-CONTRIB-2010-090 - Yr Weatherdata - SQL Injection

The Yr Weatherdata module displays weather forecasts, and enables users with the proper permission to set the sort method. When setting the sorting method the module does not filter the value input by the user correctly. This vulnerability can be exploited to perform an SQL Injection attack...

8.3AI score
Exploits0References7
Drupal
Drupal
added 2010/08/18 12:0 a.m.18 views

SA-CONTRIB-2010-089 - Simplenews Content Selection - Cross Site Scripting

This module allows you to select content from your website and send a newsletter with the selected content. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability that may lead to a malicious user gaining full...

6.1AI score
Exploits0References7
Drupal
Drupal
added 2010/08/11 12:0 a.m.7 views

SA-CONTRIB-2010-086 - Prepopulate - Access Bypass

The Prepopulate module provides the ability for form fields to be pre-populated via the request sent for the form. The module is vulnerable to access bypass which would allow a malicious user to change the value of fields they would not otherwise have access to alter. Versions affected Prepopulat...

7.1AI score
Exploits0References7
Drupal
Drupal
added 2010/08/11 12:0 a.m.12 views

SA-CONTRIB-2010-087 - GovDelivery - Cross site scripting

The GovDelivery module provides integration with the GovDelivery On-Demand Mailer service, a web service for GovDelivery customers that sends messages directly based on configured account information. The module replaces the backend of SMTP library in your Drupal site with calls to the GovDeliver...

6AI score
Exploits0References5
Drupal
Drupal
added 2010/08/11 12:0 a.m.15 views

SA-CONTRIB-2010-082 - Print - Local file read access

The Printer, e-mail and PDF versions "print" module provides printer-friendly versions of content, including a PDF version that is generated by one of three supported generation tools dompdf, TCPDF and wkhtmltopdf. When using the wkhtmltopdf PDF generation tool, that tool is able to access local...

6.8AI score
Exploits0References9
Drupal
Drupal
added 2010/08/11 12:0 a.m.15 views

SA-CONTRIB-2010-084 - OpenID - Authentication bypass

The OpenID module provides users the ability to login to sites using an OpenID account. The OpenID module doesn't implement the all required verifications from the OpenID 2.0 protocol and is vulnerable to a number of attacks. Specifically: - OpenID should verify that a "openid.responsenonce" has...

7.1AI score
Exploits0References9
Drupal
Drupal
added 2010/08/11 12:0 a.m.501 views

SA-CORE-2010-002 - Drupal core - Multiple vulnerabilities

Multiple vulnerabilities and weaknesses were discovered in Drupal. OpenID authentication bypass The OpenID module provides users the ability to login to sites using an OpenID account. The OpenID module doesn't implement all the required verifications from the OpenID 2.0 protocol and is vulnerable...

6.7AI score
Exploits0References17
Drupal
Drupal
added 2010/08/11 12:0 a.m.12 views

SA-CONTRIB-2010-083 - Ubercart sub-modules - Multiple Vulnerabilities

The Ubercart module for Drupal provides e-commerce features. Several modules within Ubercart were vulnerable to various security issues. 1. The 2Checkout gateway module did not properly verify the payment notification information. A malicious user could use a specially crafted HTTP request to...

7AI score
Exploits0References9
Drupal
Drupal
added 2010/08/11 12:0 a.m.17 views

SA-CONTRIB-2010-085 - Pathauto - Cross Site Scripting

The Pathauto module automatically generates path aliases for various kinds of content nodes, categories, users without requiring the user to manually specify the path alias. It also provides additional tokens that can be used in URL alias patterns and anywhere else that the Token API is used. The...

6.2AI score
Exploits0References8
Drupal
Drupal
added 2010/08/11 12:0 a.m.14 views

SA-CONTRIB-2010-081 - FileField Sources - Arbitrary Code Execution

The FileField Sources module expands on the abilities of FileField, allowing users to select new or existing files through additional means, including: Reuse of existing files through an autocomplete textfield or IMCE, or transfering files directly from remote servers. The module does not sanitiz...

7.9AI score
Exploits0References6
Drupal
Drupal
added 2010/08/11 12:0 a.m.15 views

SA-CONTRIB-2010-088 - Content Construction Kit (CCK) - Access Bypass

The Content Construction Kit CCK project is a set of modules that allows you to add custom fields to nodes using a web browser. The CCK "Node Reference" module provides a backend URL that is used for asynchronous requests by the "autocomplete" widget to locate nodes the user can reference. In som...

7.2AI score
Exploits0References8
Drupal
Drupal
added 2010/08/11 12:0 a.m.15 views

SA-CONTRIB-2010-080 - Privatemsg - Cross Site Scripting

The Privatemsg module allows to send private messages between users. The module does not properly escape user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. Any user with permission to write private messages is vulnerable to attack. Versions affected...

6.1AI score
Exploits0References7
Drupal
Drupal
added 2010/08/04 12:0 a.m.6 views

SA-CONTRIB-2010-079 - Devel (Performance logging) - Cross Site Scripting

The devel project is a suite of modules for developers and themers. Within the devel project, there is the performance logging module. The module does not escape URLs comprised of node paths, leading to a Cross Site Scripting XSS vulnerability. Users with the permission to access the reports that...

5.3AI score
Exploits0References3
Drupal
Drupal
added 2010/07/28 12:0 a.m.5 views

SA-CONTRIB-2010-076 - Dashboard - Cross Site Scripting (CSS)

The dashboard module allows users to create a personalized set of pages of widgets created from existing blocks and nodes like iGoogle. The module does not escape user generated names for tags & titles associated with default widgets that are added to a user dashboard page, leading to a Cross Sit...

5.3AI score
Exploits0References8
Drupal
Drupal
added 2010/07/28 12:0 a.m.16 views

SA-CONTRIB-2010-077 - Sage Pay (former Protx) Direct Payment Gateway for Ubercart - Information Disclosure

The Sage Pay Direct Payment Gateway for Ubercart ucprotxvspdirect processes credit card transactions in Ubercart stores using the Sage Pay Direct service. The module may show remote 3-D Secure pages to the user in an iframe when their bank supports the Verified by Visa or MasterCard SecureCode...

6.6AI score
Exploits0References6
Drupal
Drupal
added 2010/07/28 12:0 a.m.12 views

SA-CONTRIB-2010-078 - Kaltura - Information disclosure

The Kaltura module integrates the Kaltura open source video platform with Drupal. When installing, uninstalling, or configuring the module, it would surreptitiously inject a hidden iframe into the messages displayed to the administrator with the source pointing to corp.kaltura.com/stats/drupal...

6.9AI score
Exploits0References9
Drupal
Drupal
added 2010/07/21 12:0 a.m.18 views

SA-CONTRIB 2010-075 - Tagging - Cross Site Scripting

The Tagging module provides an alternative input widget and other features for taxonomy terms. The module does not properly escape user-provided content submitted to free-tagging vocabularies displayed on node previews, leading to a Cross Site Scripting XSS vulnerability. Any user with permission...

6.3AI score
Exploits0References8
Drupal
Drupal
added 2010/07/14 12:0 a.m.3 views

SA-CONTRIB-2010-073 - Multiple Vulnerabilities In Multiple Contributed Modules

Versions affected and proposed solutions Simple Gallery for Drupal 6.x This module creates a simple gallery using taxonomy and CCK imagefields. The module is vulnerable to a Cross Site Scripting XSS attack. This can be exploited by users with the ability to add taxonomy terms or tag content...

5.5AI score
Exploits0References14
Drupal
Drupal
added 2010/07/14 12:0 a.m.12 views

SA-CONTRIB-2010-074 - Drupad - Cross-site request forgery

The Drupad module is the companion module of the iPhone / iPodTouch application also called Drupad. The module doesn't check if the incoming request is made from the application, leading to a CSRF vulneraby. This vulnerability can be used to delete users and content, or set the site in offline mo...

7AI score
Exploits0References5
Total number of security vulnerabilities1940