SA-CONTRIB-2009-014 - CCK Field Privacy - Access Bypass
CCK Field Privacy was incorrectly updated for the Drupal 6.x menu system in such a way that the intended access controls for the administrative pages are bypassed for unprivileged users. This may allow users to change permissions on fields and lead to exposure of private content. Versions affect...
SA-CONTRIB-2009-011 Tasklist - SQL injection and Cross site scripting
Tasklist does not properly use the Drupal database API and inserts values from the URL directly into queries. This can be exploited to perform SQL Injection attacks. These attacks may lead to a malicious user gaining full administrator access. In addition, Tasklist allows users to add CSS to page...
SA-CONTRIB-2009-012 - Printer, e-mail and PDF versions - Unrestricted e-mailing (spam)
The "Send by e-mail" module, part of the "Printer, e-mail and PDF versions" project, allows users to send e-mail messages while viewing content on the site. This module was found to have multiple vulnerabilities. Unrestricted e-mailing (spam): Due to improper use of Drupal's flood control API, it is...
SA-CONTRIB-2009-010 Plus 1 - Cross-site request forgery
The Plus 1 module provides a voting widget for content that records votes using Ajax. The URL for voting is vulnerable to cross-site request forgeries (CSRF), making it possible for users to unknowingly vote for content. Versions affected: Versions of Plus 1 prior to 6.x-2.6. Drupal core is not...
SA-CONTRIB-2009-013 CCK - Cross site scripting
The Node reference and User reference sub-modules, which are part of the Content Construction Kit (CCK) project, let administrators define node fields that are references to other nodes or to users. When displaying a node edit form, the titles of candidate referenced nodes or names of candidate...
SA-CONTRIB-2009-009 Forward module can be used as a spam relay
This vulnerability allows spammers or spambots to use sites with the Forward module installed to send nearly unlimited e-mail. Due to improper use of Drupal's flood control API, it is possible for one user to send an unlimited number of mails using the Forward module. Important note: the securi...
SA-CONTRIB-2009-008 - Taxonomy Theme - Cross site scripting
The Taxonomy Theme module allows a website administrator to change the theme of a given content item based on taxonomy, vocabulary or content type. It does not properly sanitize user-supplied data in a number of places. This allows users with the "administer taxonomy" permission, or, when tagging ...
SA-CORE-2009-003 - Local file inclusion on Windows
This vulnerability exists on Windows, regardless of the type of web server (Apache, IIS) used. The Drupal theme system takes URL arguments into account when selecting a template file to use for page rendering. While doing so, it doesn't take into account how Windows arrives at a canonicalized path...
SA-CORE-2009-004 - Local file inclusion on Windows
Reference: SA-CORE-2009-003 (6.x). This vulnerability exists on Windows, regardless of the type of web server (Apache, IIS) used. The Drupal theme system takes URL arguments into account when selecting a template file to use for page rendering. While doing so, it doesn't take into account how Windows...
SA-CONTRIB-2009-007 - Advertisement Cross-site scripting
The Advertisement module displays and tracks advertisements on Drupal websites. Unsanitized text is displayed in several places, allowing users with "administer advertisements" permissions to execute arbitrary code. Users with "administer advertisements" permissions have the ability to configure...
SA-CONTRIB-2009-006 - Troll - Cross site request forgeries
The Troll module provides management tools for community sites to deal with badly behaved users, known as "trolls", including banning users by IP address, advanced user searching, and blocking users by role. The module does not properly implement the Drupal Form API which makes it vulnerable to...
SA-CONTRIB-2009-005 - Views bulk operations - Cross site scripting
Views bulk operations augments Views by enabling bulk operations to be executed on the content displayed by a view. Views bulk operations does not properly escape user-supplied data on some pages, allowing malicious users to insert arbitrary HTML and script code into these pages. Such a cross sit...
SA-CONTRIB-2009-004 - Notify - Privilege escalation
A user triggering the cron processing of the Notify module may end up getting logged in as another user when the Notify operations do not complete successfully. Versions affected: Versions of Notify for Drupal 5.x prior to 5.x-1.2. Drupal core is not affected. If you do not use the Notify module,...
SA-CORE-2009-001 Drupal core - Multiple vulnerabilities
Multiple vulnerabilities and weaknesses were discovered in Drupal. Access bypass: The Content Translation module for Drupal 6.x enables users to make a translation of an existing item of content (a node). In that process the existing node's content is copied into the new node's submission form. The...
SA-CONTRIB-2009-003 - Internationalizaion (i18n) Translation module - Access bypass
The third-party i18n module enables users to make a translation of an existing item of content (a node). In that process the existing node's content is copied into the new node. The module contains a flaw that allows a user with the 'translate node' permission to potentially bypass normal viewing...
SA-CONTRIB-2009-001 - Project release - Multiple vulnerabilities
Exploitable from: Remote. Vulnerabilities: Arbitrary file upload, Cross-site scripting (XSS). The Project release module is a component within the broader Project module. This announcement covers the following two issues: 1. Project release enables file attachments to create a specific version of cod...
SA-CONTRIB-2009-002 - Project issue tracking - Multiple vulnerabilities
This announcement covers the following two issues for the Project issue tracking module. 1. Under certain conditions, users may receive email updates for issues which they do not have proper access rights to. This issue is mainly a problem for sites that use a contributed node access module,...
SA-2008-074 - Services - Insecure signing
Services is a module which provides an API for exposing Drupal functions. It allows clients to remotely call methods on the server and return the requested data for local processing. The module doesn't sign enough of the information that passes through it and uses an insecure hash for signing a...
SA-2008-075 - Views - SQL Injection
The Views module provides a flexible method for Drupal site designers to control how lists of content are presented. When using an exposed filter on CCK text fields with allowed values, Views does not filter the data correctly. This may allow malicious users to conduct SQL injection attacks again...
SA-2008-073 - Drupal core - Multiple vulnerabilities
Multiple vulnerabilities and weaknesses were discovered in Drupal. Cross site request forgery: The update system is vulnerable to cross site request forgeries. Malicious users may cause the superuser (user 1) to execute old updates that may damage the database. Cross site scripting: When an input...
SA-2008-072 - Storm Project - SQL injection
Storm (SpeedTech Organization and Resource Manager) is a project management application for Drupal. Unfortunately the Storm module allows users with access to the storm projects to enter input values which are then used directly in SQL queries without being sanitized, enabling SQL injection attacks...
SA-2008-071 - User Karma - Multiple vulnerabilities
The User Karma module displays and manages karma points of users. How karma points are calculated is defined by other modules which hook into the User Karma module. Unfortunately the User Karma module allows administrators to enter a list of content types and voting API values which are then used...
SA-2008-070 - Comment Mail - Cross site request forgery
The Comment Mail module allows an email to be sent to the site administrators when new comments are posted. Links in the email allow for quick approval, editing, deletion of the comment and/or banning of the poster's IP address. Unfortunately some links are vulnerable to cross site request...
SA-2008-069 - CCK for 5.x and 6.x - XSS vulnerabilities
The Content Construction Kit (CCK) allows certain privileged users to add custom fields to content types using a web browser. Some field labels and content-type names are displayed without appropriate filtering in the administrative interface. Malicious users with the "administer content" permissio...
SA-2008-067 - Drupal core - Multiple vulnerabilities
Multiple vulnerabilities and weaknesses were discovered in Drupal. File inclusion: On a server configured for IP-based virtual hosts, Drupal may be caused to include and execute specifically named files outside of its root directory. This bug affects both Drupal 5 and Drupal 6. Cross site scriptin...
SA-2008-068 - Localization client and Localization server - Cross site request forgery
The Localization client module allows you to translate the interface of your Drupal site from within each page as you go. The Localization server module provides a community translation interface for translating Drupal modules and themes and is primarily used by Drupal translation teams. The serv...
SA-2008-066 - Shindig-Integrator - Multiple vulnerabilities
Shindig-Integrator integrates the OpenSocial Shindig container with Drupal. The module contains numerous flaws. Among them are the following issues. Malicious users are able to insert arbitrary HTML and script code into certain module-generated pages. Such a cross site scripting vulnerability ca...
SA-2008-065 - Node Clone - Access bypass
The third-party Node Clone module enables users to make a copy of an existing item of content (a node), and then edit that copy. The module contains a flaw that allows a user with the 'clone node' permission to potentially bypass normal viewing access restrictions, for example allowing the user to...
SA-2008-064 - Node Vote - SQL injection vulnerability
The Node Vote module allows authorized users to vote on certain types of nodes. If the administrator has enabled the "Allow user to vote again" setting for the Node Vote module, a malicious user can inject SQL when changing a previously cast vote. This is because Node Vote does not properly use the...
SA-2008-063 - multiple third party modules - Access bypass due to incorrect Drupal 6 updates
Several contributed modules were incorrectly updated for the Drupal 6.x menu system in such a way that the intended access controls are likely to be bypassed by unprivileged users. In some cases, this includes access to the administrative functions of these modules, or access to content the user...
SA-2008-062 - SIOC - access bypass
The SIOC (Semantically-Interconnected Online Communities) project is an open specification for describing communities using online discussion forums or blogs; the module allows Drupal sites to attach metadata to users, posts, comments etc. in line with this specification. The module doesn't impleme...
SA-2008-060 - Drupal core - Multiple vulnerabilities
Multiple vulnerabilities and weaknesses were discovered in Drupal. File upload access bypass: A logic error in the core upload module validation allowed unprivileged users to attach files to content. This bug affects Drupal 6.x only. Users can view files attached to content which they do not...
SA-2008-061 - Everyblog - Multiple vulnerabilities
The module does not follow Drupal best practices for database queries and handling of user submitted data, leading to a number of vulnerabilities. Of special concern is that an unprivileged user may become logged in to the account of an existing user, including an administrator. Versions Affected...
SA-2008-059 - Brilliant Gallery - SQL Injection and Cross Site Scripting
The Brilliant Gallery module allows users to publish photos in galleries. Two vulnerabilities were found in the module. SQL Injection: Brilliant Gallery does not properly use the Drupal database API and inserts values from URLs directly into queries. This can be exploited to perform SQL Injection...
SA-2008-058 - Brilliant Gallery - SQL Injection
The module does not properly use Drupal's database API and inserts values supplied by users directly into queries. This can be exploited by malicious users with the "access brilliantgallery" permission to perform SQL Injection attacks. These attacks may lead to the malicious user gaining...
SA-2008-057 - Ajax Checklist - Multiple vulnerabilities
The Ajax Checklist module implements a filter that allows a user to include checkboxes into content. The module does not properly use Drupal's database API and inserts values supplied by users directly into queries. This can be exploited by malicious users with the "update ajax checklists"...
SA-2008-054 - Plugin Manager - Access bypass
The Plugin Manager module provides the methods and graphical interfaces needed to automatically install new modules and themes from the Drupal.org website. An oversight in the menu permissions code allows any user to uninstall and remove modules installed with the Plugin Manager. This risk is onl...
SA-2008-055 - Stock - Cross site scripting
The stock module provides the ability to query price quotes and trading volumes from various stock markets. An oversight in the menu permissions code allows any user to change the text of the heading at the top of the stock quotes page. As this text is not escaped, it is safe only for an...
SA-2008-056 - Simplenews - Cross site scripting
Simplenews publishes and sends newsletters to lists of subscribers. Newsletter categories are not always properly escaped. This allows users with the "administer taxonomy" permission to add arbitrary HTML and script code to the site. Wikipedia has more information about such cross site scripting...
SA-2008-053 - Answers - Cross site scripting
The Answers module allows a site owner to add a Questions & Answer section to the site. Unfortunately, the module does not properly escape text, which allows malicious users who are able to post answers to insert arbitrary HTML and scripts into a page. Wikipedia has more information about such...
SA-2008-052 - Link To Us - Cross site scripting
The Link To Us module creates a page to display uploaded banners that can be used by others to link to your Drupal site. The module will create well formed SEO links with full title, alt and anchor text determined by the node title, taxonomy term or other pages that are directed to the module...
SA-2008-049 - Talk - Multiple vulnerabilities
The Talk module for Drupal 5.x and 6.x creates a "Talk" tab for nodes in which the comments belonging to the node are displayed. Two vulnerabilities and weaknesses were discovered in the contributed Talk module. Cross site scripting: The node title is treated as if it was safe text, and is not...
SA-2008-050 - Mailhandler - SQL injection
The Mailhandler module allows users to create or edit nodes and comments via email. One vulnerability was found in the module. SQL Injection: Mailhandler does not properly use the Drupal database API and inserts values from mails directly into queries. This can be exploited to perform SQL Injectio...
SA-2008-051 - Mailsave - Cross site scripting
Mailsave is a module that is designed to interact with Mailhandler. It will detach files that are emailed to the site and save them with the node. The module trusts the MIME type that is sent with the file, enabling malicious users with the ability to upload files to execute cross site scripting...
SA-2008-048-b - CCK - Cross site scripting
Update: This security announcement is an update of the SA-2008-048 announcement which advised to upgrade CCK for Drupal 5.x to 5.x-1.8. You should now upgrade CCK for Drupal 5.x to 5.x-1.9. The Content Construction Kit (CCK) allows certain privileged users to add custom fields to content types using...
SA-2008-047 - Drupal core - Multiple vulnerabilities
Multiple vulnerabilities and weaknesses were discovered in Drupal. Cross site scripting: A bug in the output filter employed by Drupal makes it possible for malicious users to insert script code into pages (cross site scripting or XSS). A bug in the private filesystem trusts the MIME type sent by th...
SA-2008-046 - Drupal core - Session fixation
When contributed modules such as Workflow NG terminate the current request during a login event, the user module is not able to regenerate the user's session. This may lead to a session fixation attack, when a malicious user is able to control another user's initial session ID. As the session is not...
SA-2008-036 - Profile search - SQL Injection
The Profile search module provides a way for users to search users by all profile fields, as provided by the profile module in core. Numerous values are used in SQL strings without being properly sanitized. Users with the "access user profiles" permission can use these values to execute SQL...
SA-2008-044 - Drupal core - Multiple vulnerabilities
Multiple vulnerabilities and weaknesses were discovered in Drupal. Neither of these are readily exploitable. Cross site scripting: Free tagging taxonomy terms can be used to insert arbitrary script and HTML code (cross site scripting or XSS) on node preview pages. A successful exploit requires that th...
SA-2008-045 - OpenID - Multiple vulnerabilities
The OpenID module for Drupal 5.x allows users to create an account or log into a Drupal site using one or more OpenID identities. Find out more about OpenID at http://openid.net. Two vulnerabilities and weaknesses were discovered in the contributed OpenID module. Cross site scripting: Some...