1940 matches found
Admin Audit Trail - Less critical - Denial of Service - SA-CONTRIB-2025-068
The Admin Audit Trail module tracks logs of specific events that you'd like to review. When the submodule Admin Audit Trail: User Authentication is enabled, it logs user authentication events login, logout, and password reset requests. The module does not sufficiently limit some large values befo...
Commerce Alphabank Redirect - Moderately critical - Access bypass - SA-CONTRIB-2025-067
This module enables you to pay for Commerce order to an environment provided and secured by the bank The module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request to update the order status to completed...
Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-064
This module provides a block to easily display a rendered node. The module doesn't check access to content before displaying it to a visitor, allowing unauthorized users to retrieve a list of labels of all nodes...
Commerce Eurobank (Redirect) - Moderately critical - Access bypass - SA-CONTRIB-2025-066
This module enables you to pay for Commerce order to an environment provided and secured by the bank The module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request to update the order status to completed...
Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-065
This module provides a block to easily display a rendered node. Access to the rendered node isn't validated before rendering the block. Allowing access to node content for users that would normally not be allowed to access the node...
Single Content Sync - Moderately critical - Access bypass - SA-CONTRIB-2025-060
This module enables you to seamlessly migrate and deploy content across environments, eliminating manual steps. It simplifies the process by exporting content to a YML file or a ZIP archive, which can be imported into another environment effortlessly. While the export feature rightfully bypasses...
Events Log Track - Moderately critical - Denial of Service - SA-CONTRIB-2025-059
The Events Log Track module enables you to log specific events on a Drupal site. The module doesn't sufficiently mitigate resource consumption for certain requests which allows a Denial of Service attack...
Piwik PRO - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-058
This module enables you to add the Piwik Pro web statistics tracking system to your website. The module does not check the JS code that is loaded on the website. So a user with the "Administer Piwik Pro" permission could configure the module to load JS from a malicious website. This vulnerability...
One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-061
This module enables you to allow users to include a second authentication method in addition to password authentication. The module doesn't sufficiently prevent one time login links from bypassing TFA. This vulnerability is mitigated by the fact that an attacker must have access to an email accou...
Advanced File Destination - Critical - Multiple vulnerabilities - SA-CONTRIB-2025-057
The Advanced File Destination module enhances file upload management in Drupal by allowing users to choose and create custom directories during file uploads. The module has multiple vulnerabilities that were reported through the Drupal Security Team's coordinated vulnerability process. The projec...
One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-063
This module enables you to allow users to include a second authentication method in addition to password authentication. The module doesn't sufficiently prevent the same TFA token within a 30 second window. This vulnerability is mitigated by the fact that an attacker must obtain a valid...
One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-062
This module enables you to allow users to include a second authentication method in addition to password authentication. The module doesn't sufficiently prevent TFA from being bypassed when using the REST login routes. A new requirements check has been added to the status report so other...
COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-049
The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent. The cookiesassetinjector module a sub-module of the COOKiES module also allows inline JavaScript to be included in consent management. However, this...
IFrame Remove Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-051
This module enables you to add a filter to text formats Full HTML, Filtered HTML, which will remove every iframe where the "src" is not on the allowlist. The module doesn't sufficiently filter these iframes in certain situations. This vulnerability is mitigated by the fact that an attacker must b...
Klaro Cookie & Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-050
Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading. The module doesn't sufficiently sanitize data attributes allowing persistent Cross Site Scripting XSS attacks. This vulnerability ...
oEmbed Providers - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-048
This module extends the core Media module and allows site creators to permit oEmbed providers in addition to YouTube and Vimeo, which are deemed trustworthy by the Drupal Security Team. The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility for...
Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-056
The module enables you to add second-factor authentication in addition to the default Drupal login. The module does not sufficiently ensure that known login routes are protected. This vulnerability is mitigated by the fact that an attacker must obtain the user's username and password...
Restrict route by IP - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-047
The Restrict route by IP module provides an interface to manage route restriction by IP address. The module doesn't sufficiently protect certain routes from CSRF attacks. This vulnerability is mitigated by the fact that you need to know the route machine name...
Enterprise MFA - TFA for Drupal - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-054
The module enables you to add second-factor authentication in addition to the default Drupal login. The module doesn't sufficiently protect certain routes from Cross Site Request Forgery CSRF attacks...
Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-055
The module enables you to add second-factor authentication in addition to the default Drupal login. The module doesn't sufficiently protect certain sensitive routes, allowing an attacker to view or modify various TFA-related settings...
Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-052
The module enables you to add second-factor authentication in addition to the default Drupal login. The module doesn't sufficiently check whether the TOTP token is already used or not for authenticator-based second-factor methods. This vulnerability is mitigated by the fact that an attacker must...
Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-053
The module enables you to add second-factor authentication in addition to the default Drupal login. The module doesn't invoke two factor authentication 2FA for the password reset option. This vulnerability is mitigated by the fact that an attacker must have access to the password reset link...
Block Class - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-043
Block Class enables you to add custom attributes to blocks. The module did not sufficiently sanitize custom attribute input, allowing for potential XSS attacks when malicious JavaScript was injected as a custom attribute. This vulnerability is mitigated by the fact that an attacker must have a ro...
UEditor - 百度编辑器 - Critical - Unsupported - SA-CONTRIB-2025-044
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Sportsleague - Critical - Unsupported - SA-CONTRIB-2025-045
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Bootstrap Site Alert - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-042
This module enables you to put a site wide bootstrap themed alert message on the top of every page. The module doesn't sufficiently filter text input when leading to a possible XSS attacks. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administ...
Colorbox - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-041
Colorbox is a module that allows Images, and iframed or inline content to be displayed in a modal above the current page. The Colorbox module doesn't sufficiently sanitize data attributes before opening modals. This vulnerability is mitigated by the fact that an attacker must have a role with...
Search API Solr - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-046
This module provides support for creating searches using the Apache Solr search engine and the Search API Drupal module. The module doesn't sufficiently protect certain routes from CSRF attacks. This vulnerability is mitigated by the fact that a site admin would have to perform further steps afte...
baguetteBox.js - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-034
The baguetteBox.js module provides integration with baguetteBox.js library. The module doesn't sufficiently sanitize user-supplied text values leading to a cross site scripting vulnerability...
Panelizer (obsolete) - Critical - Unsupported - SA-CONTRIB-2025-036
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Stage File Proxy - Moderately critical - Denial of Service - SA-CONTRIB-2025-035
Stage File Proxy is a general solution for getting production files on a development server on demand. The module doesn't sufficiently validate the existence of remote files prior to attempting to download and create them. An attacker could send many requests and exhaust disk resources. This...
Simple GTM - Critical - Unsupported - SA-CONTRIB-2025-037
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Google Optimize - Critical - Unsupported - SA-CONTRIB-2025-039
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Drupal 8 Google Optimize Hide Page - Critical - Unsupported - SA-CONTRIB-2025-040
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Google Maps: Store Locator - Critical - Unsupported - SA-CONTRIB-2025-038
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Panels - Critical - Access bypass - SA-CONTRIB-2025-033
Panels enables administrators to add page variants within page manager, panelizer, etc to create custom pages. The module doesn't sufficiently protect sensitive routes, allowing an attacker to view and modify blocks within variants without requiring appropriate permission. This vulnerability is...
Gif Player Field - Moderately critical - Cross site scripting - SA-CONTRIB-2025-032
Gif Player Field creates a simple file field types that allows you to upload the GIF files and configure the output for this using the Field Formatters. The module uses GifPlayer jQuery library to render the GIF according to configured setups for the Field Formatter. The external Gif Player Libra...
WEB-T - Moderately critical - Access bypass, Denial of service - SA-CONTRIB-2025-030
This module enables you to translate nodes, configuration, UI strings automatically. The module doesn't sufficiently validate the incoming API response when using eTranslation integration, which has an asynchronous workflow. Specially crafted requests could overwrite entities and translations of...
ECA: Event - Condition - Action - Critical - Cross site request forgery - SA-CONTRIB-2025-031
This module enables you to define automations on your Drupal site. The module doesn't sufficiently protect certain routes from CSRF attacks. This vulnerability can be mitigated by disabling the "ecaui" submodule, which leaves ECA functionality intact, but the vulnerable routes will no longer be...
TacJS - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-027
This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied markup inside of content leading to a persistent Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker needs...
Obfuscate - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-029
This module enables you to obfuscate email addresses, to avoid them being easily available to spammers. The module doesn't sufficiently sanitise input when ROT13 encoding is used. This vulnerability is mitigated by the fact that an attacker must have a role with the ability to enter specific HTML...
Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-028
This module enables users to log in using a short access code instead of providing a username/password combination. The module doesn't sufficiently protect against brute force attacks to guess a user's access code. This vulnerability is mitigated by the fact that access code based logins are off ...
RapiDoc OAS Field Formatter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-025
This module can be used to render Open API Documentation using the RapiDoc library. The module provides a custom formatter for link fields. Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability XSS. A separate fix for Drupal cor...
Link field display mode formatter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-024
This module adds a formatter for link fields that displays the current entity with another view mode inside the link. Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability XSS. A separate fix for Drupal core has been released bu...
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004
Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability XSS. This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit acce...
Formatter Suite - Moderately critical - Cross site scripting - SA-CONTRIB-2025-026
Formatter Suite provides a suite of field formatters to help present numbers, dates, times, text, links, entity references, files, and images. The module provides a custom formatter for link fields. Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site...
Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2025-023
This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. The module does not sufficiently ensure that known login routes are not overridden by third-party modules which can allow an access bypass to occur. This vulnerabili...
AI (Artificial Intelligence) - Critical - Remote Code Execution - SA-CONTRIB-2025-021
The AI Automators module a submodule of AI enables you to create different automated tasks that fills out field data using LLM outputs. The module doesn't sufficiently sanitize input before passing it to the underlying shell as part of a command for execution, allowing an attacker to run arbitrar...
AI (Artificial Intelligence) - Moderately critical - Gadget Chain - SA-CONTRIB-2025-022
The AI Automators module a submodule of AI enables you to create different automated tasks that fills out a field data using LLM outputs. The module contains a potential PHP Object Injection vulnerability that if combined with another exploit could lead to Arbitrary File Deletion. It may be...
General Data Protection Regulation - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-018
The GDPR Task submodule enables you to create GDPR tasks. The module doesn't sufficiently protect against Cross Site Request Forgery CSRF attacks by validating user identity and intent when creating tasks...