SA-2007-030 - Drupal Core - API handling of unpublished comment.
The publication status of comments is not passed during the hookcomments API operation, causing various modules that rely on the publication status such as Organic groups, or Subscriptions to mail out unpublished comments. Versions affected Drupal 4.7.x before version 4.7.8 Drupal 5.x before...
SA-2007-026 - Drupal Core - Cross site scripting via uploads
The allowed extension list of the core Upload module contains the extension HTML by default. Such files can be used to execute arbitrary script code in the context of the affected site when a user views the file. Revoking upload permissions or removing the .html extension from the allowed extensi...
SA-2007-022 - Boost - file overwrite
The Boost module provides a static file-based cache of Drupal pages for anonymous users. A vulnerability allows an attacker to create or overwrite any filename in any directory that the web server can write to. The affected file will always contain the fully rendered HTML for a single Drupal page...
SA-2007-021: Project issue tracking - XSS vulnerabilities in subscription forms.
The Project issue tracking module provides a subscription functionality enabling users to sign up for e-mail notification of issue updates. The subscriptions can be edited on either an individual or an overview form. Users who have permissions to create or edit projects may be able to inject arbitrary...
Project and Project issue tracking - Access bypass
The Project and Project issue tracking modules provide a series of permissions to control access to projects and issues: "access projects", "access own projects", "access project issues" and "access own project issues". While these permissions correctly prevent users from viewing the entire proje...
Content Construction Kit - Cross site scripting
The Content Construction Kit CCK allows site admins to create and customize node fields. The Nodereference module included in the CCK bundle defines fields referencing other nodes. Two cross-site scripting XSS vulnerabilities were discovered: when a nodereference field is displayed using the...
Drupal core - Cross site request forgeries
Several parts in Drupal core are not protected against cross site request forgeries due to improper use of the Forms API, or by taking action solely on GET requests. Malicious users are able to delete comments and content revisions and disable menu items by enticing privileged users to visit...
Drupal core - Multiple cross site scripting vulnerabilities
Some server variables are not escaped consistently. When a malicious user is able to entice a victim to visit a specially crafted link or webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website. Custom content type names...
LoginToboggan - Cross site scripting
The LoginToboggan module provides several modifications of the Drupal login system. One of the features is a block that can be enabled on the site to display the currently logged in user with a "Log out" link. If a user is able to insert JavaScript into their username, they would be able to execute ...
Print - Access bypass
Print is a module that allows site administrators to produce a "print friendly" version of a posting. By manipulating URL arguments, authenticated and anonymous users are able to access posts that should have been restricted by a node access module such as Organic Groups, Taxonomy Access Control,...
Forward - Access bypass
The Forward module is a module that allows site administrators to add links to postings that let users email the current page to a third party. By manipulating URL arguments, authenticated and anonymous users are able to access posts that should have been restricted by a node access module such a...
Multiple vulnerabilities in Database Administration (dba) module
The Database Administration dba module allows site administrators with sufficient privileges to view and directly modify the Drupal database tables for a site. Numerous cross-site scripting XSS vulnerabilities were discovered when the administrator runs queries to display data from the database,...
Project issue tracking - Access bypass
If a remote user knows the node identifier of an issue that has been marked private using a node access module simpleaccess, nodeprivacybyrole, etc, they can use a specially crafted URL to view the contents of the node, regardless of their own privileges. All that is required is the "access proje...
Nodefamily - Access bypass
Nodefamily is needed for building user profiles with the nodeprofile module. By manipulating URL arguments, authenticated users are able to access and modify the profile of other users. Versions affected Nodefamily for Drupal 5.x before 5.x-1.0 Nodefamily for 4.7.x is not affected. Drupal core is...
Secure site - Access bypass
Secure site allows one to protect a website with a browser-based password. These usernames and passwords are tied directly to the Drupal user database. The site will be invisible to search engines and other crawlers, but still allows access to certain users. A serious design flaw allows the acces...
getID3 library and Audio, Mediafield - arbitrary code execution
The getID3 library used by Audio and Mediafield contains a directory with scripts demonstrating use of the library. These scripts allow any visitor to browse the filesystem, read and delete files or write to zero-byte files or files with an mp3 extension. These actions are only limited by the...
Image pager - Cross site scripting
The Image Pager module uses JavaScript to collect selected images from a page and display them one at a time in a block with previous/next pager links. HTML entities are decoded by the DOM functions used by Image Pager before being reinserted into the web page for display. As a result, a maliciou...
Textimage - response validation bypass
Captcha validation by Textimage can be bypassed by manipulating request variables while posting. This defeats the purpose of the captcha and makes automated submission possible. Versions affected All versions of Textimage 4.7.x prior to Textimage 4.7-1.2. All versions of Textimage 5.x prior to...
Captcha - response validation bypass
Captcha validation can be bypassed by manipulating request variables while posting or by providing certain incorrect responses. This defeats the purpose of the captcha and makes automated submission possible. Versions affected All versions of Captcha 4.7.x prior to Captcha 4.7-1.2. All versions o...
DRUPAL-SA-2007-005 - Drupal core - Arbitrary code execution
Previews on comments were not passed through normal form validation routines, enabling users with the 'post comments' permission and access to more than one input filter to execute arbitrary code. By default, anonymous and authenticated users have access to only one input format. Immediate...
Acidfree - SQL injection
Under certain circumstances, node titles are not escaped before being used in an SQL query, allowing a malicious user with the 'create acidfree albums' privilege and the ability to create acidfree content, to execute an SQL injection attack. These attacks may lead to administrator access. Version...
Project and Project issue tracking - Multiple vulnerabilities
Multiple vulnerabilities have been discovered and fixed in the Project and Project issue tracking modules: Access bypass in Project issue tracking Due to an error in the projectissueaccess function, users with the 'Access project issues' permission would have full access to all issues on a site,...
Drupal core - Denial of service
The way page caching was implemented allows a denial of service attack. An attacker has to have the ability to post content on the site. He or she would then be able to poison the page cache, so that it returns cached 404 page not found errors for existing pages. If the page cache is not enabled,...
Drupal core - Cross site scripting
A few arguments passed via URLs are not properly sanitized before display. When an attacker is able to entice an administrator to follow a specially crafted link, arbitrary HTML and script code can be injected and executed in the victim's session. Such an attack may lead to administrator access i...
MySite - Cross site scripting
Data is not properly sanitised before being used in titles. This can be exploited to insert and execute arbitrary HTML and script code in a user's browser session in the context of an affected site. This may lead to administrator access if certain conditions are met. Learn more about cross site...
Project and Project issue tracking XSS
Several fields are not passed through check_plain on display. A malicious user could use these fields to insert and execute XSS Cross Site Scripting. This may lead to administrator access if certain conditions are met. Additionally, certain error messages are generated that include potentially...
Chatroom - Security bypass
The contributed module Chatroom broadcasts session ids of chatroom visitors to all participants in a room. Using those IDs, an attacker is able to hijack the session of those participants and gain their privileges on the site. Additionally, messages supposed to be private are displayed in the las...
Help Tip - Multiple vulnerabilities
The contributed module Help Tip bypasses Drupal's database API and uses user-supplied data unescaped in queries, allowing malicious users to execute SQL injection attacks. These attacks may lead to administrator access. Node titles are not properly sanitised before being used in block titles. Thi...
CVS management/tracker XSS
The motivation field of the CVS application page is not passed through check_markup on display. A malicious user may use this field to insert and execute XSS Cross Site Scripting. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. Revoking the...
Extended Tracker - SQL Injection
The contributed module Extended Tracker xtracker accepts parameters from URLs and uses those unescaped in SQL queries, allowing malicious users to execute SQL injection attacks. This may result in them gaining administrator privileges. Versions affected Please check the CVS $Id$ fields in the fil...
DRUPAL-SA-2006-024 - Drupal core - Multiple cross site scripting vulnerabilities
Multiple XSS cross site scripting vulnerabilities have been discovered. A bug in input validation and lack of output validation allows HTML and script insertion on several pages. Drupal's XML parser passes unescaped data to watchdog under certain circumstances. A malicious user may execute an XSS...
DRUPAL-SA-2006-026 - Drupal core - Form action attribute injection
A malicious user may entice users to visit a specially crafted URL that may result in the redirection of Drupal form submission to a third-party site. A user visiting the user registration page via such a URL, for example, will submit all data, such as his/her e-mail address, but also possible...
DRUPAL-SA-2006-025 - Drupal core - Cross site request forgeries
Visiting a specially crafted page, anywhere on the web, may allow that page to post forms to a Drupal site in the context of the visitor's session. To illustrate; suppose one has an active user 1 session, the most powerful administrator account for a site, to a Drupal site while visiting a websit...
IMCE file handling vulnerabilities
IMCE has two vulnerabilities with regards to file handling. 1. By passing relative paths to IMCE's delete function, a malicious user with the "delete files" permission can delete files anywhere in the directory tree depending on the access permissions of the webserver. 2. IMCE allows the upload...
Search Keywords cross site scripting vulnerability
It is possible for a malicious user to insert and execute XSS Cross Site Scripting, due to lack of validation on output. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. Versions affected Drupal core is not affected. If you do not use the...
Site Profile Directory cross site scripting vulnerability
It is possible for a malicious user to insert and execute XSS Cross Site Scripting, due to lack of validation on output. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. Versions affected Drupal core is not affected. If you do not use the Sit...
Userreview cross site scripting vulnerability
It is possible for a malicious user to insert and execute XSS Cross Site Scripting, due to lack of validation on output. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. Versions affected Drupal core is not affected. If you do not use the...
Pubcookie security bypass
It is possible for a malicious user to spoof a user's identity by bypassing the login redirection mechanism in the pubcookie module. The malicious user may gain the privileges of the user they are spoofing, including the administrative user. Versions affected Drupal core is not affected. If you d...
Pathauto cross site scripting vulnerability
It is possible for a malicious user to execute XSS Cross Site Scripting by enticing a victim to click on a specially crafted link. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. Versions affected Please check the CVS $Id$ fields in the file...
E-commerce Cross site scripting vulnerability
It is possible for a malicious user with the 'create products' permission to insert and execute XSS Cross Site Scripting, due to lack of validation on output. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. The create products permission is...
Easylinks multiple vulnerabilities
Unescaped input is used directly in queries, allowing malicious users to execute SQL injection attacks. This may result in administrator privileges. It is also possible for a malicious user to insert and execute XSS Cross Site Scripting, due to lack of validation on output. This may lead to...
Revision to DRUPAL-SA-2006-013 - Recipe
It is possible for a malicious user to insert and execute XSS Cross Site Scripting, due to lack of validation on output from the contributed Recipe module. This may lead to administrator access if certain conditions are met. Learn more about XSS on Wikipedia. This is a revision to...
DRUPAL-SA-2006-015: Multiple vulnerabilities in Bibliography
Unescaped input is used directly in queries, allowing malicious users to execute SQL injection attacks. This may result in administrator access. It is also possible for a malicious user to insert and execute XSS Cross Site Scripting, due to lack of validation on output. This may lead to...
DRUPAL-SA-2006-012: Jobsearch module
It is possible for a malicious user to inject SQL while searching for jobs or resumes using the Job Search module. Versions affected Please check the CVS $Id$ field in the file job.module to determine whether the version you are running is vulnerable. All 4.6 versions older than the following are...
DRUPAL-SA-2006-013: Recipe module
It is possible for a malicious user to insert and execute XSS, due to lack of validation on output. Versions affected Please check the CVS $Id$ field in the file recipe.module to determine whether the version you are running is vulnerable. Versions older than the following are vulnerable: // $Id:...
DRUPAL-SA-2006-011 XSS Vulnerability in user module
A malicious user can execute a cross site scripting attack by enticing someone to visit a Drupal site via a specially crafted link. Versions affected Drupal 4.6.x versions before Drupal 4.6.9 Drupal 4.7.x versions before Drupal 4.7.3 Solution If you are running Drupal 4.6.x then upgrade to Drupal...
XSS vulnerability in webform module
It is possible for a malicious user to insert and execute XSS into webform pages, due to lack of validation on output. Versions affected All webform 4.6 and 4.7 versions prior to July 8, 2006. Drupal core is not affected. If you do not use the webform module, there is nothing you need to do...
Form_mail module allows arbitrary header injection
Linefeeds and carriage returns were not being stripped from email headers, raising the possibility of bogus headers being inserted into outgoing email. This could lead to sites being used to send unwanted email. Versions affected formmail versions prior to revision 1.8.2.2 on 27.6.2006 Drupal cor...
DRUPAL-SA-2006-008 XSS Vulnerability in taxonomy module
It is possible for a malicious user to insert and execute XSS into terms, due to lack of validation on output of the page title. The fix wraps the display of terms in check_plain. Versions affected - Drupal 4.6.x versions before Drupal 4.6.8. - Drupal 4.7.x versions before Drupal 4.7.2. Solution...
SA-2006-007 - Drupal Core - Revision to DRUPAL-SA-2006-006
Recently, the Drupal security team was informed of a potential exploit that would allow untrusted code to be executed upon a successful request by a malicious user. If a dynamic script with multiple extensions such as file.php.pps or file.sh.txt is uploaded and then accessed from a web browser...