Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2010/03/03 12:0 a.m.17 views

SA-CONTRIB-2010-024 - eTracker - Cross Site Scripting

The eTracker module provides integration of a Drupal site with the eTracker web traffic analysis service and takes the current URL as a parameter to track what pages have been visited. The URL from the browser is forwarded to JavaScript in the current page, and because the URL wasn't sanitised, i...

6.5AI score
Exploits0References4
Drupal
Drupal
added 2010/03/03 12:0 a.m.15 views

SA-CONTRIB-2010-022 - Internationalization - Arbitrary code execution

The Internationalization module enables translation of user defined strings using Drupal's locale interface. Some of these user defined strings have Input formats associated with them. As translators can translate texts before they go through the Input filters, using some filters like the PHP...

7.4AI score
Exploits0References7
Drupal
Drupal
added 2010/03/03 12:0 a.m.493 views

SA-CORE-2010-001 - Drupal core - Multiple vulnerabilities

Multiple vulnerabilities and weaknesses were discovered in Drupal. Installation cross site scripting A user-supplied value is directly output during installation allowing a malicious user to craft a URL and perform a cross-site scripting attack. The exploit can only be conducted on sites not yet...

6.4AI score
Exploits0References16
Drupal
Drupal
added 2010/02/24 12:0 a.m.12 views

SA-CONTRIB-2010-019 - Weekly Archive by Node Type - Access Bypass

The Weekly Archive by Node Type module generates weekly archive pages and a block with links to the pages. You can specify the node types that will be included in the archive pages. In weekly summaries listings, the Weekly Archive by Node Type module does not construct its SQL query to respect no...

7.7AI score
Exploits0References4
Drupal
Drupal
added 2010/02/24 12:0 a.m.17 views

SA-CONTRIB-2010-020 - Facebook-style Statuses (Microblog) - Access bypass

The Facebook-style Statuses Microblog module enables each user to have a stream of messages "statuses" like on Facebook. Users can update their own status as well as write messages to other users by visiting the other user's profile. When a user updates his own status and then updates it again...

7.1AI score
Exploits0References5
Drupal
Drupal
added 2010/02/17 12:0 a.m.14 views

SA-CONTRIB-2010-017 - iTweak Upload - Cross Site Scripting

iTweak Upload does not escape file names when displaying uploaded files. This allows a malicious user with the permission to create content and upload files to perform a Cross Site Scripting XSS attack. Versions affected iTweak Upload 6.x-2.x prior to 6.x-2.3 iTweak Upload 6.x-1.x prior to 6.x-1....

6.2AI score
Exploits0References6
Drupal
Drupal
added 2010/02/17 12:0 a.m.10 views

SA-CONTRIB-2010-018 - Content Distribution - Multiple Vulnerabilities

Content Distribution module allows calling a method to delete particular nodes using a XML-RPC call. When this method is allowed to be called by anonymous users in user permissions, an attacker might delete a random node. In addition, certain actions require Content Distribution to temporarily...

6.9AI score
Exploits0References4
Drupal
Drupal
added 2010/02/10 12:0 a.m.10 views

SA-CONTRIB-2010-016 - Graphviz Filter - arbitrary code execution

Graphviz Filter does not properly filter user input via @command option in node body, leading to a possible Arbitrary Shell Code Execution vulnerability. This vulnerability allows a remote attacker with the ability to create content using a Graphviz input filter to execute an arbitrary shell code...

8AI score
Exploits0References7
Drupal
Drupal
added 2010/02/03 12:0 a.m.16 views

SA-CONTRIB-2010-013 - Menu Breadcrumb - Cross site scripting

The Menu Breadcrumb module allows to use the menu the current page belongs to as breadcrumb. The module does not properly sanitize parts of the provided block, leading to a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user gaining full administrative access...

6AI score
Exploits0References6
Drupal
Drupal
added 2010/02/03 12:0 a.m.13 views

SA-CONTRIB-2010-015 - Signwriter - Arbitrary code execution

The Signwriter module allows the use of TrueType fonts to replace text in headings, blocks, menus and filtered text. This vulnerability allows a remote attacker with the ability to create content using an input filter created with a Signwriter profile to execute arbitrary PHP code on an affected...

7.9AI score
Exploits0References6
Drupal
Drupal
added 2010/02/03 12:0 a.m.11 views

SA-CONTRIB-2010-014 - Node Export - Arbitrary code execution

The Node export module allows users to export and import nodes. Node export does not warn administrators that users with the "access administration pages" permission together with the "import nodes" permission can execute arbitrary PHP statements during the import operation. Versions affected Nod...

7.7AI score
Exploits0References6
Drupal
Drupal
added 2010/02/03 12:0 a.m.13 views

SA-CONTRIB-2010-012 - ODF Import - Access Bypass (possible Cross Site Scripting)

ODF Import module enables users of a Drupal site to import content created in the ODF format e.g. using OpenOffice.org. When importing content it always used an input format which might not be available to the user importing the content leading to a cross-site scripting XSS vulnerability. Such an...

6AI score
Exploits0References6
Drupal
Drupal
added 2010/01/27 12:0 a.m.18 views

SA-CONTRIB-2010-010 - Author Contact - Cross site scripting

The Author Contact module provides a form to contact the author of the current post. The module does not properly sanitize parts of the provided block, leading to a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user gaining full administrative access. A user must...

6AI score
Exploits0References8
Drupal
Drupal
added 2010/01/27 12:0 a.m.14 views

SA-CONTRIB-2010-011 - Feedback - Cross Site Scripting

Feedback module enables users and visitors of a Drupal site to quickly send feedback messages about the currently displayed page. When displaying reports about submitted feedback, the module does not properly sanitize the user agent strings from the Browscap module before display, leading to a...

6AI score
Exploits0References8
Drupal
Drupal
added 2010/01/20 12:0 a.m.11 views

SA-CONTRIB-2010-008 - Recent Comments - Cross Site Scripting

Recent Comments module provides a high-performance, fully themable block of recent comments. This release includes a fix for a cross-site scripting XSS vulnerability in which JavaScript could be inserted in the title of the Recent Comments block via a custom block title interface. This custom tit...

5.9AI score
Exploits0References7
Drupal
Drupal
added 2010/01/20 12:0 a.m.7 views

SA-CONTRIB-2010-007 - Control Panel - Cross Site Scripting

The Control Panel module enables users to add a new graphical control panel page. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. Only users with the 'administer blocks' permission are able to exploit this...

6.2AI score
Exploits0References5
Drupal
Drupal
added 2010/01/20 12:0 a.m.9 views

SA-CONTRIB-2010-009 - Block Class - Cross Site Scripting

Block Class module allows users to add classes to any block through the block's configuration interface. This release includes a fix for a cross-site scripting XSS vulnerability through which JavaScript could be inserted in the class field of a block's configuration interface. Versions affected...

5.9AI score
Exploits0References7
Drupal
Drupal
added 2010/01/13 12:0 a.m.14 views

SA-CONTRIB-2010-006 - Bibliography Module - Cross Site Scripting

The Bibliography module enables users to manage and display lists of scholarly publications. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. Only users with the 'administer biblio' permission are able to exploi...

6.2AI score
Exploits0References7
Drupal
Drupal
added 2010/01/13 12:0 a.m.9 views

SA-CONTRIB-2010-004 - Node block - Cross site scripting

This module allows you to specify content types as being a block. This allows the content managers of the site to edit the block text and title without having to access the block administration page. Users only need edit access to that node in order to edit it. Users with administer block access...

6.3AI score
Exploits0References5
Drupal
Drupal
added 2010/01/13 12:0 a.m.21 views

SA-CONTRIB-2010-005 - Own Term - Cross site scripting

The Own Term module allows users to create taxonomy terms in a designated vocabulary and when creating content this term is automatically added to the node. The module does not sanitize the term description on a term listing page which opens a cross-site scripting XSS attack. Users with a role...

6AI score
Exploits0References5
Drupal
Drupal
added 2010/01/06 12:0 a.m.15 views

SA-CONTRIB-2010-002 - Currency Exchange - Cross site scripting

This module provides a site with the ability to display currency exchange rates. The module does not sanitize some of the user-supplied data before logging it to the watchdog, leading to a cross-site scripting XSS vulnerability. Versions affected Currency Exchange version prior to 6.x-1.2 Drupal...

6AI score
Exploits0References6
Drupal
Drupal
added 2010/01/06 12:0 a.m.15 views

SA-CONTRIB-2010-001 - Wunderbar - Cross Site Scripting

The Wunderbar! module provides a floating bar with configurable buttons and the ability to link off to social networking sites. The module does not properly escape user names, potentially allowing a cross site scripting XSS attack which may lead to the user gaining full administrative access. The...

6AI score
Exploits0References6
Drupal
Drupal
added 2010/01/06 12:0 a.m.13 views

SA-CONTRIB-2010-003 - Forward - Cross site scripting

This module allows users to forward a link to a specific node on your site to a friend. The Forward module does not properly sanitize user supplied data, allowing users with the "access administration pages" and "administer forward" permissions, or users with "access administration pages" and...

5.9AI score
Exploits0References5
Drupal
Drupal
added 2009/12/30 12:0 a.m.11 views

SA-CONTRIB-2009-115 - Autocomplete Widgets for CCK Text and Number - Information Disclosure

Autocomplete Widgets module adds 2 autocomplete widgets for CCK fields of type Text and Number. The autocomplete callback implemented by this module does not honor permissions to access CCK fields, allowing users to see field values even though they are not authorized to access that information...

7.1AI score
Exploits0References5
Drupal
Drupal
added 2009/12/23 12:0 a.m.11 views

SA-CONTRIB-2009-113 - FAQ - Cross Site Scripting

The Frequently Asked Questions faq module allows users, with the appropriate permissions, to create question and answer pairs which are displayed on the 'faq' page, and in the random and recent FAQ blocks. The module does not sanitize some of the user-supplied data before displaying it, leading t...

6.2AI score
Exploits0References6
Drupal
Drupal
added 2009/12/23 12:0 a.m.12 views

SA-CONTRIB-2009-114 - Automated Logout - Cross Site Scripting

This module provides a site administrator the ability to log users out after a specified time of inactivity. The module does not sanitize some of the user-supplied data before displaying it, leading to a cross-site scripting XSS vulnerability. Users who can take advantage of this vulnerability...

6.1AI score
Exploits0References8
Drupal
Drupal
added 2009/12/16 12:0 a.m.18 views

SA-CONTRIB-2009-112 - Sections - Cross Site Scripting

The Sections module allows the creation of sections within a site. Each section has an installed template, theme or style attached to it. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. Users who can take...

6.3AI score
Exploits0References7
Drupal
Drupal
added 2009/12/16 12:0 a.m.494 views

SA-CORE-2009-009 - Drupal Core - Cross site scripting

Multiple vulnerabilities were discovered in Drupal. Contact category name cross-site scripting The Contact module does not correctly handle certain user input when displaying category information. Users privileged to create contact categories can insert arbitrary HTML and script code into the...

6.1AI score
Exploits0References11
Drupal
Drupal
added 2009/12/09 12:0 a.m.16 views

SA-CONTRIB-2009-111 - Randomizer - Cross Site Scripting

The Randomizer module assists researchers and students who want an easy way to perform random sampling or assign participants to experimental conditions. It accepts form input as parameters for generating a pseudo-random list of numbers. The module does not sanitize some of the user-supplied data...

6.3AI score
Exploits0References4
Drupal
Drupal
added 2009/11/25 12:0 a.m.15 views

SA-CONTRIB-2009-110 - Taxonomy Timer - SQL Injection

The Taxonomy Timer module enables users to set expiration dates for Taxonomy Terms. At the time of expiration other terms can be assigned, or nodes can be unpublished. In some cases the module does not properly sanitize user input, leading to a SQL Injection vulnerability. Such an attack may lead...

8.2AI score
Exploits0References7
Drupal
Drupal
added 2009/11/18 12:0 a.m.11 views

SA-CONTRIB-2009-108 - Gallery Assist - Cross Site Scripting

The Gallery Assist module provides a simple way to create image galleries on a site. The module does not sanitize node titles, leading to a Cross Site Scripting XSS vulnerability. Versions affected Gallery Assist module for Drupal 6.x prior to Gallery Assist 6.x-1.7 Drupal core is not affected. I...

6.3AI score
Exploits0References6
Drupal
Drupal
added 2009/11/18 12:0 a.m.11 views

SA-CONTRIB-2009-107 - Ubercart - Access bypass, Cross site request forgery

Ubercart's PayPal Website Payments Standard integration exposes a path for completed orders without properly checking that the order is valid for the current user. In the event that the order has already been processed for checkout, this can result in duplicate actions taking place inadvertently...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2009/11/18 12:0 a.m.9 views

SA-CONTRIB-2009-102 - PHPList Integration Module - Cross Site Request Forgery

The PHPList module provides a basic level of integration between Drupal and the PHPList mailing list application. The Drupal Forms API protects against cross site request forgeries CSRF, where a malicious site can cause a user to unintentionally submit a form to a site where they are authenticate...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2009/11/18 12:0 a.m.13 views

SA-CONTRIB-2009-104 - Feed Element Mapper - Cross Site Scripting

Feed Element Mapper is an add-on module for FeedAPI that maps elements on a feed item such as tags, or the author name, to taxonomy or CCK fields. These mappings are configurable by a point and click interface. When configuring the mapping, some values coming from external feeds are not sanitized...

6.3AI score
Exploits0References8
Drupal
Drupal
added 2009/11/18 12:0 a.m.15 views

SA-CONTRIB-2009-106 - Agreement - Cross Site Scripting

The Agreement module enables the display of a text-based agreement think "Terms of Service" that users of a particular role must accept before they are given access to the site. The module does not sanitize some of the user-supplied fields, leading to a Cross Site Scripting XSS vulnerability...

6.3AI score
Exploits0References6
Drupal
Drupal
added 2009/11/18 12:0 a.m.13 views

SA-CONTRIB-2009-105 - Subgroups for Organic Groups - Cross Site Scripting

The Subgroups For Organic Groups module enables users to set group hierarchy. The module does not filter the titles of some nodes before output, leading to a cross-site scripting XSS vulnerability. Versions affected Subgroups For Organic Groups versions for Drupal 5.x prior to 5.x-4.0 Drupal core...

5.5AI score
Exploits0References7
Drupal
Drupal
added 2009/11/18 12:0 a.m.11 views

SA-CONTRIB-2009-103 - Strongarm - Cross Site Scripting

The Strongarm module enables other modules to enforce variable settings programmatically. It can also be used to override any of these variables, and lets the administrator see which variables have been overridden, along with their current values. When using the settings page to see overridden...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2009/11/18 12:0 a.m.10 views

SA-CONTRIB-2009-109 - Printfriendly - Cross Site Scripting

The Printfriendly module integrates with printfriendly.com's print service. The module does not sanitize some of the user-supplied data before displaying it, leading to a Cross Site Scripting XSS vulnerability. Versions affected Printfriendly module for Drupal 6.x prior to Printfriendly 6.x-1.6...

6.3AI score
Exploits0References6
Drupal
Drupal
added 2009/11/11 12:0 a.m.11 views

SA-CONTRIB-2009-101 - Web Services - Access Bypass

The Web Services module provides an API for other sites to communicate with a Drupal site, enabling the publishing of content, change of user information, or simply integration of a Flash application. The module fails to implement proper access checks, leading to an Access Bypass vulnerability...

7.2AI score
Exploits0References3
Drupal
Drupal
added 2009/11/11 12:0 a.m.11 views

SA-CONTRIB-2009-100 - AddToAny - Cross Site Scripting

AddToAny module provides a share button for AddToAny service for social networks. The module fails to sanitize a value in node title, leading to a Cross Site Scripting XSS vulnerability. Versions affected AddToAny module for Drupal 6.x prior to AddToAny 6.x-2.4 AddToAny module for Drupal 5.x prio...

6.3AI score
Exploits0References7
Drupal
Drupal
added 2009/11/11 12:0 a.m.11 views

SA-CONTRIB-2009-099 - RootCandy Theme - Cross Site Scripting

RootCandy is a theme specifically designed for use in the administration section. The theme fails to sanitize a URL value, leading to a Cross Site Scripting XSS vulnerability. Versions affected RootCandy theme for Drupal 6.x prior to RootCandy 6.x-1.5 Drupal core is not affected. If you do not us...

6.3AI score
Exploits0References5
Drupal
Drupal
added 2009/11/04 12:0 a.m.17 views

SA-CONTRIB-2009-097 - Organic Groups Vocabulary - Cross Site Scripting

The Organic Groups Vocabulary module enables a vocabulary to be restricted for use to a specific Organic Group. The module does not sanitize before outputting the group title in some cases, resulting in a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user gaining...

6.1AI score
Exploits0References7
Drupal
Drupal
added 2009/11/04 12:0 a.m.7 views

SA-CONTRIB-2009-090 - User Protect - Cross Site Request Forgery

User Protect provides various editing protection for users. The protections can be specific to a user, or applied to all users in a role. User administrators can be individually configured to be allowed to bypass the protections. The Drupal Forms API protects against cross site request forgeries...

6.8AI score
Exploits0References7
Drupal
Drupal
added 2009/11/04 12:0 a.m.14 views

SA-CONTRIB-2009-095 - Smartqueue OG - Access Bypass

The Smartqueueog module uses Nodequeue's Smartqueue API to provide a Nodequeue for organic groups which is editable by members of that group or the group's administrators. Users with the "administer nodequeue" permission have the option to batch create subqueues individual instances of a queue fo...

6.8AI score
Exploits0References6
Drupal
Drupal
added 2009/11/04 12:0 a.m.15 views

SA-CONTRIB-2009-098 - Zoomify - Cross Site Scripting

The Zoomify module integrates the Zoomify Flash applet into Drupal which can be used to pan and zoom on large images. Images are first preprocessed in order for Zoomify to work. The module fails to sanitize a value in the node title, leading to a Cross Site Scripting XSS vulnerability. Versions...

6.4AI score
Exploits0References7
Drupal
Drupal
added 2009/11/04 12:0 a.m.13 views

SA-CONTRIB-2009-091 - Node Hierarchy - Cross Site Scripting

The Node Hierarchy module enables a site administrator to arrange their site into a tree-like structure. When displaying the list of children for a node the module does not properly sanitize the titles of the child nodes before outputting them, leading to a cross-site scripting XSS vulnerability...

6.1AI score
Exploits0References7
Drupal
Drupal
added 2009/11/04 12:0 a.m.13 views

SA-CONTRIB-2009-096 - Link - Cross Site Scripting

The Link module provides a CCK field which enables links to be added to content types, that can include a URL, title, and target attribute. When using the "Separate title and URL" formatter supplied by the module, the link title field is not sanitized before being displayed, leading to a Cross Si...

6.3AI score
Exploits0References7
Drupal
Drupal
added 2009/11/04 12:0 a.m.16 views

SA-CONTRIB-2009-094 - NGP COO/CWP Integration (crmngp) - Multiple Vulnerabilities

The NGP COO/CWP Integration module provides Drupal integration with the NGP Software API for efficient campaign management. An administration page did not properly implement access control thereby allowing untrusted users to view module log information. User-supplied information was not filtered ...

5.5AI score
Exploits0References7
Drupal
Drupal
added 2009/11/04 12:0 a.m.12 views

SA-CONTRIB-2009-093 - Temporary Invitation - Cross Site Scripting

The Temporary Invitation module enables site users to invite guests for a limited timespan. For each invitation, a new user is created, together with a login code e.g. "EbN2F3" that the user can use to log in. The module fails to sanitize a value in Name field which is included in the invitation,...

6.3AI score
Exploits0References5
Drupal
Drupal
added 2009/11/04 12:0 a.m.9 views

SA-CONTRIB-2009-092 - S5 Presentation Player Cross Site Scripting

The S5 Presentation Player module enables the creation of an S5 slideshow using content from the site. The module does not properly sanitize user supplied text it includes in the HTML HEAD section, leading to a cross-site scripting XSS vulnerability. Such an attack may lead to a malicious user...

5.9AI score
Exploits0References6
Total number of security vulnerabilities1940