1940 matches found
SA-CONTRIB-2010-024 - eTracker - Cross Site Scripting
The eTracker module provides integration of a Drupal site with the eTracker web traffic analysis service and takes the current URL as a parameter to track what pages have been visited. The URL from the browser is forwarded to JavaScript in the current page, and because the URL wasn't sanitised, i...
SA-CONTRIB-2010-022 - Internationalization - Arbitrary code execution
The Internationalization module enables translation of user defined strings using Drupal's locale interface. Some of these user defined strings have Input formats associated with them. As translators can translate texts before they go through the Input filters, using some filters like the PHP...
SA-CORE-2010-001 - Drupal core - Multiple vulnerabilities
Multiple vulnerabilities and weaknesses were discovered in Drupal. Installation cross site scripting A user-supplied value is directly output during installation allowing a malicious user to craft a URL and perform a cross-site scripting attack. The exploit can only be conducted on sites not yet...
SA-CONTRIB-2010-019 - Weekly Archive by Node Type - Access Bypass
The Weekly Archive by Node Type module generates weekly archive pages and a block with links to the pages. You can specify the node types that will be included in the archive pages. In weekly summaries listings, the Weekly Archive by Node Type module does not construct its SQL query to respect no...
SA-CONTRIB-2010-020 - Facebook-style Statuses (Microblog) - Access bypass
The Facebook-style Statuses Microblog module enables each user to have a stream of messages "statuses" like on Facebook. Users can update their own status as well as write messages to other users by visiting the other user's profile. When a user updates his own status and then updates it again...
SA-CONTRIB-2010-017 - iTweak Upload - Cross Site Scripting
iTweak Upload does not escape file names when displaying uploaded files. This allows a malicious user with the permission to create content and upload files to perform a Cross Site Scripting XSS attack. Versions affected iTweak Upload 6.x-2.x prior to 6.x-2.3 iTweak Upload 6.x-1.x prior to 6.x-1....
SA-CONTRIB-2010-018 - Content Distribution - Multiple Vulnerabilities
Content Distribution module allows calling a method to delete particular nodes using a XML-RPC call. When this method is allowed to be called by anonymous users in user permissions, an attacker might delete a random node. In addition, certain actions require Content Distribution to temporarily...
SA-CONTRIB-2010-016 - Graphviz Filter - arbitrary code execution
Graphviz Filter does not properly filter user input via @command option in node body, leading to a possible Arbitrary Shell Code Execution vulnerability. This vulnerability allows a remote attacker with the ability to create content using a Graphviz input filter to execute an arbitrary shell code...
SA-CONTRIB-2010-013 - Menu Breadcrumb - Cross site scripting
The Menu Breadcrumb module allows to use the menu the current page belongs to as breadcrumb. The module does not properly sanitize parts of the provided block, leading to a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user gaining full administrative access...
SA-CONTRIB-2010-015 - Signwriter - Arbitrary code execution
The Signwriter module allows the use of TrueType fonts to replace text in headings, blocks, menus and filtered text. This vulnerability allows a remote attacker with the ability to create content using an input filter created with a Signwriter profile to execute arbitrary PHP code on an affected...
SA-CONTRIB-2010-014 - Node Export - Arbitrary code execution
The Node export module allows users to export and import nodes. Node export does not warn administrators that users with the "access administration pages" permission together with the "import nodes" permission can execute arbitrary PHP statements during the import operation. Versions affected Nod...
SA-CONTRIB-2010-012 - ODF Import - Access Bypass (possible Cross Site Scripting)
ODF Import module enables users of a Drupal site to import content created in the ODF format e.g. using OpenOffice.org. When importing content it always used an input format which might not be available to the user importing the content leading to a cross-site scripting XSS vulnerability. Such an...
SA-CONTRIB-2010-010 - Author Contact - Cross site scripting
The Author Contact module provides a form to contact the author of the current post. The module does not properly sanitize parts of the provided block, leading to a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user gaining full administrative access. A user must...
SA-CONTRIB-2010-011 - Feedback - Cross Site Scripting
Feedback module enables users and visitors of a Drupal site to quickly send feedback messages about the currently displayed page. When displaying reports about submitted feedback, the module does not properly sanitize the user agent strings from the Browscap module before display, leading to a...
SA-CONTRIB-2010-008 - Recent Comments - Cross Site Scripting
Recent Comments module provides a high-performance, fully themable block of recent comments. This release includes a fix for a cross-site scripting XSS vulnerability in which JavaScript could be inserted in the title of the Recent Comments block via a custom block title interface. This custom tit...
SA-CONTRIB-2010-007 - Control Panel - Cross Site Scripting
The Control Panel module enables users to add a new graphical control panel page. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. Only users with the 'administer blocks' permission are able to exploit this...
SA-CONTRIB-2010-009 - Block Class - Cross Site Scripting
Block Class module allows users to add classes to any block through the block's configuration interface. This release includes a fix for a cross-site scripting XSS vulnerability through which JavaScript could be inserted in the class field of a block's configuration interface. Versions affected...
SA-CONTRIB-2010-006 - Bibliography Module - Cross Site Scripting
The Bibliography module enables users to manage and display lists of scholarly publications. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. Only users with the 'administer biblio' permission are able to exploi...
SA-CONTRIB-2010-004 - Node block - Cross site scripting
This module allows you to specify content types as being a block. This allows the content managers of the site to edit the block text and title without having to access the block administration page. Users only need edit access to that node in order to edit it. Users with administer block access...
SA-CONTRIB-2010-005 - Own Term - Cross site scripting
The Own Term module allows users to create taxonomy terms in a designated vocabulary and when creating content this term is automatically added to the node. The module does not sanitize the term description on a term listing page which opens a cross-site scripting XSS attack. Users with a role...
SA-CONTRIB-2010-002 - Currency Exchange - Cross site scripting
This module provides a site with the ability to display currency exchange rates. The module does not sanitize some of the user-supplied data before logging it to the watchdog, leading to a cross-site scripting XSS vulnerability. Versions affected Currency Exchange version prior to 6.x-1.2 Drupal...
SA-CONTRIB-2010-001 - Wunderbar - Cross Site Scripting
The Wunderbar! module provides a floating bar with configurable buttons and the ability to link off to social networking sites. The module does not properly escape user names, potentially allowing a cross site scripting XSS attack which may lead to the user gaining full administrative access. The...
SA-CONTRIB-2010-003 - Forward - Cross site scripting
This module allows users to forward a link to a specific node on your site to a friend. The Forward module does not properly sanitize user supplied data, allowing users with the "access administration pages" and "administer forward" permissions, or users with "access administration pages" and...
SA-CONTRIB-2009-115 - Autocomplete Widgets for CCK Text and Number - Information Disclosure
Autocomplete Widgets module adds 2 autocomplete widgets for CCK fields of type Text and Number. The autocomplete callback implemented by this module does not honor permissions to access CCK fields, allowing users to see field values even though they are not authorized to access that information...
SA-CONTRIB-2009-113 - FAQ - Cross Site Scripting
The Frequently Asked Questions faq module allows users, with the appropriate permissions, to create question and answer pairs which are displayed on the 'faq' page, and in the random and recent FAQ blocks. The module does not sanitize some of the user-supplied data before displaying it, leading t...
SA-CONTRIB-2009-114 - Automated Logout - Cross Site Scripting
This module provides a site administrator the ability to log users out after a specified time of inactivity. The module does not sanitize some of the user-supplied data before displaying it, leading to a cross-site scripting XSS vulnerability. Users who can take advantage of this vulnerability...
SA-CONTRIB-2009-112 - Sections - Cross Site Scripting
The Sections module allows the creation of sections within a site. Each section has an installed template, theme or style attached to it. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. Users who can take...
SA-CORE-2009-009 - Drupal Core - Cross site scripting
Multiple vulnerabilities were discovered in Drupal. Contact category name cross-site scripting The Contact module does not correctly handle certain user input when displaying category information. Users privileged to create contact categories can insert arbitrary HTML and script code into the...
SA-CONTRIB-2009-111 - Randomizer - Cross Site Scripting
The Randomizer module assists researchers and students who want an easy way to perform random sampling or assign participants to experimental conditions. It accepts form input as parameters for generating a pseudo-random list of numbers. The module does not sanitize some of the user-supplied data...
SA-CONTRIB-2009-110 - Taxonomy Timer - SQL Injection
The Taxonomy Timer module enables users to set expiration dates for Taxonomy Terms. At the time of expiration other terms can be assigned, or nodes can be unpublished. In some cases the module does not properly sanitize user input, leading to a SQL Injection vulnerability. Such an attack may lead...
SA-CONTRIB-2009-108 - Gallery Assist - Cross Site Scripting
The Gallery Assist module provides a simple way to create image galleries on a site. The module does not sanitize node titles, leading to a Cross Site Scripting XSS vulnerability. Versions affected Gallery Assist module for Drupal 6.x prior to Gallery Assist 6.x-1.7 Drupal core is not affected. I...
SA-CONTRIB-2009-107 - Ubercart - Access bypass, Cross site request forgery
Ubercart's PayPal Website Payments Standard integration exposes a path for completed orders without properly checking that the order is valid for the current user. In the event that the order has already been processed for checkout, this can result in duplicate actions taking place inadvertently...
SA-CONTRIB-2009-102 - PHPList Integration Module - Cross Site Request Forgery
The PHPList module provides a basic level of integration between Drupal and the PHPList mailing list application. The Drupal Forms API protects against cross site request forgeries CSRF, where a malicious site can cause a user to unintentionally submit a form to a site where they are authenticate...
SA-CONTRIB-2009-104 - Feed Element Mapper - Cross Site Scripting
Feed Element Mapper is an add-on module for FeedAPI that maps elements on a feed item such as tags, or the author name, to taxonomy or CCK fields. These mappings are configurable by a point and click interface. When configuring the mapping, some values coming from external feeds are not sanitized...
SA-CONTRIB-2009-106 - Agreement - Cross Site Scripting
The Agreement module enables the display of a text-based agreement think "Terms of Service" that users of a particular role must accept before they are given access to the site. The module does not sanitize some of the user-supplied fields, leading to a Cross Site Scripting XSS vulnerability...
SA-CONTRIB-2009-105 - Subgroups for Organic Groups - Cross Site Scripting
The Subgroups For Organic Groups module enables users to set group hierarchy. The module does not filter the titles of some nodes before output, leading to a cross-site scripting XSS vulnerability. Versions affected Subgroups For Organic Groups versions for Drupal 5.x prior to 5.x-4.0 Drupal core...
SA-CONTRIB-2009-103 - Strongarm - Cross Site Scripting
The Strongarm module enables other modules to enforce variable settings programmatically. It can also be used to override any of these variables, and lets the administrator see which variables have been overridden, along with their current values. When using the settings page to see overridden...
SA-CONTRIB-2009-109 - Printfriendly - Cross Site Scripting
The Printfriendly module integrates with printfriendly.com's print service. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. Versions affected Printfriendly module for Drupal 6.x prior to Printfriendly 6.x-1.6...
SA-CONTRIB-2009-101 - Web Services - Access Bypass
The Web Services module provides an API for other sites to communicate with a Drupal site, enabling the publishing of content, change of user information, or simply integration of a Flash application. The module fails to implement proper access checks, leading to an Access Bypass vulnerability...
SA-CONTRIB-2009-100 - AddToAny - Cross Site Scripting
AddToAny module provides a share button for AddToAny service for social networks. The module fails to sanitize a value in node title, leading to a Cross Site Scripting XSS vulnerability. Versions affected AddToAny module for Drupal 6.x prior to AddToAny 6.x-2.4 AddToAny module for Drupal 5.x prio...
SA-CONTRIB-2009-099 - RootCandy Theme - Cross Site Scripting
RootCandy is a theme specifically designed for use in the administration section. The theme fails to sanitize a URL value, leading to a Cross Site Scripting XSS vulnerability. Versions affected RootCandy theme for Drupal 6.x prior to RootCandy 6.x-1.5 Drupal core is not affected. If you do not us...
SA-CONTRIB-2009-097 - Organic Groups Vocabulary - Cross Site Scripting
The Organic Groups Vocabulary module enables a vocabulary to be restricted for use to a specific Organic Group. The module does not sanitize before outputting the group title in some cases, resulting in a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user gaining...
SA-CONTRIB-2009-090 - User Protect - Cross Site Request Forgery
User Protect provides various editing protection for users. The protections can be specific to a user, or applied to all users in a role. User administrators can be individually configured to be allowed to bypass the protections. The Drupal Forms API protects against cross site request forgeries...
SA-CONTRIB-2009-095 - Smartqueue OG - Access Bypass
The Smartqueueog module uses Nodequeue's Smartqueue API to provide a Nodequeue for organic groups which is editable by members of that group or the group's administrators. Users with the "administer nodequeue" permission have the option to batch create subqueues individual instances of a queue fo...
SA-CONTRIB-2009-098 - Zoomify - Cross Site Scripting
The Zoomify module integrates the Zoomify Flash applet into Drupal which can be used to pan and zoom on large images. Images are first preprocessed in order for Zoomify to work. The module fails to sanitize a value in the node title, leading to a Cross Site Scripting XSS vulnerability. Versions...
SA-CONTRIB-2009-091 - Node Hierarchy - Cross Site Scripting
The Node Hierarchy module enables a site administrator to arrange their site into a tree-like structure. When displaying the list of children for a node the module does not properly sanitize the titles of the child nodes before outputting them, leading to a cross-site scripting XSS vulnerability...
SA-CONTRIB-2009-096 - Link - Cross Site Scripting
The Link module provides a CCK field which enables links to be added to content types, that can include a URL, title, and target attribute. When using the "Separate title and URL" formatter supplied by the module, the link title field is not sanitized before being displayed, leading to a Cross Si...
SA-CONTRIB-2009-094 - NGP COO/CWP Integration (crmngp) - Multiple Vulnerabilities
The NGP COO/CWP Integration module provides Drupal integration with the NGP Software API for efficient campaign management. An administration page did not properly implement access control thereby allowing untrusted users to view module log information. User-supplied information was not filtered ...
SA-CONTRIB-2009-093 - Temporary Invitation - Cross Site Scripting
The Temporary Invitation module enables site users to invite guests for a limited timespan. For each invitation, a new user is created, together with a login code e.g. "EbN2F3" that the user can use to log in. The module fails to sanitize a value in Name field which is included in the invitation,...
SA-CONTRIB-2009-092 - S5 Presentation Player Cross Site Scripting
The S5 Presentation Player module enables the creation of an S5 slideshow using content from the site. The module does not properly sanitize user supplied text it includes in the HTML HEAD section, leading to a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user...