Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
•added 2025/05/21 12:0 a.m.•26 views

Admin Audit Trail - Less critical - Denial of Service - SA-CONTRIB-2025-068

The Admin Audit Trail module tracks logs of specific events that you'd like to review. When the submodule Admin Audit Trail: User Authentication is enabled, it logs user authentication events login, logout, and password reset requests. The module does not sufficiently limit some large values befo...

6.5CVSS7.2AI score0.00267EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/21 12:0 a.m.•15 views

Commerce Alphabank Redirect - Moderately critical - Access bypass - SA-CONTRIB-2025-067

This module enables you to pay for Commerce order to an environment provided and secured by the bank The module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request to update the order status to completed...

8.8CVSS6.7AI score0.00271EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/21 12:0 a.m.•16 views

Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-064

This module provides a block to easily display a rendered node. The module doesn't check access to content before displaying it to a visitor, allowing unauthorized users to retrieve a list of labels of all nodes...

5.3CVSS6.6AI score0.00229EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/21 12:0 a.m.•22 views

Commerce Eurobank (Redirect) - Moderately critical - Access bypass - SA-CONTRIB-2025-066

This module enables you to pay for Commerce order to an environment provided and secured by the bank The module doesn't sufficiently verify the payment status on canceled orders. An attacker can issue a specially crafted request to update the order status to completed...

8.8CVSS6.7AI score0.00271EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/21 12:0 a.m.•16 views

Quick Node Block - Moderately critical - Access bypass - SA-CONTRIB-2025-065

This module provides a block to easily display a rendered node. Access to the rendered node isn't validated before rendering the block. Allowing access to node content for users that would normally not be allowed to access the node...

5.3CVSS6.6AI score0.00229EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/14 12:0 a.m.•23 views

Single Content Sync - Moderately critical - Access bypass - SA-CONTRIB-2025-060

This module enables you to seamlessly migrate and deploy content across environments, eliminating manual steps. It simplifies the process by exporting content to a YML file or a ZIP archive, which can be imported into another environment effortlessly. While the export feature rightfully bypasses...

3.1CVSS6.6AI score0.00186EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/14 12:0 a.m.•15 views

Events Log Track - Moderately critical - Denial of Service - SA-CONTRIB-2025-059

The Events Log Track module enables you to log specific events on a Drupal site. The module doesn't sufficiently mitigate resource consumption for certain requests which allows a Denial of Service attack...

7.5CVSS6.7AI score0.0034EPSS
Exploits0References3
Drupal
Drupal
•added 2025/05/14 12:0 a.m.•24 views

Piwik PRO - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-058

This module enables you to add the Piwik Pro web statistics tracking system to your website. The module does not check the JS code that is loaded on the website. So a user with the "Administer Piwik Pro" permission could configure the module to load JS from a malicious website. This vulnerability...

4.8CVSS6.7AI score0.00189EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/14 12:0 a.m.•18 views

One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-061

This module enables you to allow users to include a second authentication method in addition to password authentication. The module doesn't sufficiently prevent one time login links from bypassing TFA. This vulnerability is mitigated by the fact that an attacker must have access to an email accou...

4.8CVSS7AI score0.00217EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/14 12:0 a.m.•7 views

Advanced File Destination - Critical - Multiple vulnerabilities - SA-CONTRIB-2025-057

The Advanced File Destination module enhances file upload management in Drupal by allowing users to choose and create custom directories during file uploads. The module has multiple vulnerabilities that were reported through the Drupal Security Team's coordinated vulnerability process. The projec...

5.6AI score
Exploits0References1
Drupal
Drupal
•added 2025/05/14 12:0 a.m.•20 views

One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-063

This module enables you to allow users to include a second authentication method in addition to password authentication. The module doesn't sufficiently prevent the same TFA token within a 30 second window. This vulnerability is mitigated by the fact that an attacker must obtain a valid...

4.8CVSS7AI score0.00217EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/14 12:0 a.m.•19 views

One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-062

This module enables you to allow users to include a second authentication method in addition to password authentication. The module doesn't sufficiently prevent TFA from being bypassed when using the REST login routes. A new requirements check has been added to the status report so other...

4.8CVSS7.3AI score0.00267EPSS
Exploits1References2
Drupal
Drupal
•added 2025/05/07 12:0 a.m.•22 views

COOKiES Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-049

The COOKIES module protects users from executing JavaScript code provided by third parties, e.g., to display ads or track user data without consent. The cookiesassetinjector module a sub-module of the COOKiES module also allows inline JavaScript to be included in consent management. However, this...

6.1CVSS6.6AI score0.00195EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/07 12:0 a.m.•15 views

IFrame Remove Filter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-051

This module enables you to add a filter to text formats Full HTML, Filtered HTML, which will remove every iframe where the "src" is not on the allowlist. The module doesn't sufficiently filter these iframes in certain situations. This vulnerability is mitigated by the fact that an attacker must b...

6.1CVSS6.8AI score0.00238EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/07 12:0 a.m.•23 views

Klaro Cookie & Consent Management - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-050

Klaro Cookie & Consent Management module is used for consent management for cookies and external sources. It makes changes to the markup to enable or disable loading. The module doesn't sufficiently sanitize data attributes allowing persistent Cross Site Scripting XSS attacks. This vulnerability ...

6.1CVSS5.8AI score0.00195EPSS
Exploits0References1
Drupal
Drupal
•added 2025/05/07 12:0 a.m.•38 views

oEmbed Providers - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-048

This module extends the core Media module and allows site creators to permit oEmbed providers in addition to YouTube and Vimeo, which are deemed trustworthy by the Drupal Security Team. The module doesn't sufficiently mark its administrative permission as restricted, creating the possibility for...

6.1CVSS5.8AI score0.00195EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/07 12:0 a.m.•10 views

Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-056

The module enables you to add second-factor authentication in addition to the default Drupal login. The module does not sufficiently ensure that known login routes are protected. This vulnerability is mitigated by the fact that an attacker must obtain the user's username and password...

7.4CVSS5.6AI score0.00324EPSS
Exploits0References3
Drupal
Drupal
•added 2025/05/07 12:0 a.m.•28 views

Restrict route by IP - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-047

The Restrict route by IP module provides an interface to manage route restriction by IP address. The module doesn't sufficiently protect certain routes from CSRF attacks. This vulnerability is mitigated by the fact that you need to know the route machine name...

8.8CVSS6.7AI score0.00171EPSS
Exploits0References2
Drupal
Drupal
•added 2025/05/07 12:0 a.m.•10 views

Enterprise MFA - TFA for Drupal - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-054

The module enables you to add second-factor authentication in addition to the default Drupal login. The module doesn't sufficiently protect certain routes from Cross Site Request Forgery CSRF attacks...

8.8CVSS5.5AI score0.00171EPSS
Exploits0References3
Drupal
Drupal
•added 2025/05/07 12:0 a.m.•10 views

Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-055

The module enables you to add second-factor authentication in addition to the default Drupal login. The module doesn't sufficiently protect certain sensitive routes, allowing an attacker to view or modify various TFA-related settings...

6.5CVSS5.5AI score0.00207EPSS
Exploits0References3
Drupal
Drupal
•added 2025/05/07 12:0 a.m.•11 views

Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-052

The module enables you to add second-factor authentication in addition to the default Drupal login. The module doesn't sufficiently check whether the TOTP token is already used or not for authenticator-based second-factor methods. This vulnerability is mitigated by the fact that an attacker must...

4.8CVSS5.7AI score0.00235EPSS
Exploits0References3
Drupal
Drupal
•added 2025/05/07 12:0 a.m.•9 views

Enterprise MFA - TFA for Drupal - Moderately critical - Access bypass - SA-CONTRIB-2025-053

The module enables you to add second-factor authentication in addition to the default Drupal login. The module doesn't invoke two factor authentication 2FA for the password reset option. This vulnerability is mitigated by the fact that an attacker must have access to the password reset link...

7.5CVSS5.7AI score0.00356EPSS
Exploits0References3
Drupal
Drupal
•added 2025/04/23 12:0 a.m.•25 views

Block Class - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-043

Block Class enables you to add custom attributes to blocks. The module did not sufficiently sanitize custom attribute input, allowing for potential XSS attacks when malicious JavaScript was injected as a custom attribute. This vulnerability is mitigated by the fact that an attacker must have a ro...

6.1CVSS5.9AI score0.00198EPSS
Exploits0References2
Drupal
Drupal
•added 2025/04/23 12:0 a.m.•24 views

UEditor - 百度编辑器 - Critical - Unsupported - SA-CONTRIB-2025-044

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

7.3CVSS6.5AI score0.00318EPSS
Exploits0References2
Drupal
Drupal
•added 2025/04/23 12:0 a.m.•28 views

Sportsleague - Critical - Unsupported - SA-CONTRIB-2025-045

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

7.3CVSS6.9AI score0.00243EPSS
Exploits0References2
Drupal
Drupal
•added 2025/04/23 12:0 a.m.•18 views

Bootstrap Site Alert - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-042

This module enables you to put a site wide bootstrap themed alert message on the top of every page. The module doesn't sufficiently filter text input when leading to a possible XSS attacks. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administ...

6.1CVSS5.8AI score0.00198EPSS
Exploits0References3
Drupal
Drupal
•added 2025/04/23 12:0 a.m.•13 views

Colorbox - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-041

Colorbox is a module that allows Images, and iframed or inline content to be displayed in a modal above the current page. The Colorbox module doesn't sufficiently sanitize data attributes before opening modals. This vulnerability is mitigated by the fact that an attacker must have a role with...

6.1CVSS5.6AI score0.00214EPSS
Exploits0References2
Drupal
Drupal
•added 2025/04/23 12:0 a.m.•43 views

Search API Solr - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-046

This module provides support for creating searches using the Apache Solr search engine and the Search API Drupal module. The module doesn't sufficiently protect certain routes from CSRF attacks. This vulnerability is mitigated by the fact that a site admin would have to perform further steps afte...

4.3CVSS6.8AI score0.00128EPSS
Exploits0References2
Drupal
Drupal
•added 2025/04/16 12:0 a.m.•10 views

baguetteBox.js - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-034

The baguetteBox.js module provides integration with baguetteBox.js library. The module doesn't sufficiently sanitize user-supplied text values leading to a cross site scripting vulnerability...

6.5CVSS4.8AI score0.00219EPSS
Exploits0References3
Drupal
Drupal
•added 2025/04/16 12:0 a.m.•30 views

Panelizer (obsolete) - Critical - Unsupported - SA-CONTRIB-2025-036

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.9CVSS6.9AI score0.00277EPSS
Exploits0References2
Drupal
Drupal
•added 2025/04/16 12:0 a.m.•7 views

Stage File Proxy - Moderately critical - Denial of Service - SA-CONTRIB-2025-035

Stage File Proxy is a general solution for getting production files on a development server on demand. The module doesn't sufficiently validate the existence of remote files prior to attempting to download and create them. An attacker could send many requests and exhaust disk resources. This...

5.9CVSS5.8AI score0.00315EPSS
Exploits0References2
Drupal
Drupal
•added 2025/04/16 12:0 a.m.•21 views

Simple GTM - Critical - Unsupported - SA-CONTRIB-2025-037

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.9CVSS6.9AI score0.00282EPSS
Exploits0References2
Drupal
Drupal
•added 2025/04/16 12:0 a.m.•30 views

Google Optimize - Critical - Unsupported - SA-CONTRIB-2025-039

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.9CVSS6.9AI score0.00282EPSS
Exploits0References2
Drupal
Drupal
•added 2025/04/16 12:0 a.m.•21 views

Drupal 8 Google Optimize Hide Page - Critical - Unsupported - SA-CONTRIB-2025-040

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.9CVSS6.9AI score0.00282EPSS
Exploits0References2
Drupal
Drupal
•added 2025/04/16 12:0 a.m.•21 views

Google Maps: Store Locator - Critical - Unsupported - SA-CONTRIB-2025-038

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.9CVSS6.9AI score0.00282EPSS
Exploits0References2
Drupal
Drupal
•added 2025/04/09 12:0 a.m.•26 views

Panels - Critical - Access bypass - SA-CONTRIB-2025-033

Panels enables administrators to add page variants within page manager, panelizer, etc to create custom pages. The module doesn't sufficiently protect sensitive routes, allowing an attacker to view and modify blocks within variants without requiring appropriate permission. This vulnerability is...

6.5CVSS6.7AI score0.00361EPSS
Exploits0References2
Drupal
Drupal
•added 2025/04/09 12:0 a.m.•16 views

Gif Player Field - Moderately critical - Cross site scripting - SA-CONTRIB-2025-032

Gif Player Field creates a simple file field types that allows you to upload the GIF files and configure the output for this using the Field Formatters. The module uses GifPlayer jQuery library to render the GIF according to configured setups for the Field Formatter. The external Gif Player Libra...

6.9CVSS5.8AI score0.00449EPSS
Exploits0References4
Drupal
Drupal
•added 2025/04/09 12:0 a.m.•11 views

WEB-T - Moderately critical - Access bypass, Denial of service - SA-CONTRIB-2025-030

This module enables you to translate nodes, configuration, UI strings automatically. The module doesn't sufficiently validate the incoming API response when using eTranslation integration, which has an asynchronous workflow. Specially crafted requests could overwrite entities and translations of...

6.5CVSS5.7AI score0.00419EPSS
Exploits0References2
Drupal
Drupal
•added 2025/04/09 12:0 a.m.•18 views

ECA: Event - Condition - Action - Critical - Cross site request forgery - SA-CONTRIB-2025-031

This module enables you to define automations on your Drupal site. The module doesn't sufficiently protect certain routes from CSRF attacks. This vulnerability can be mitigated by disabling the "ecaui" submodule, which leaves ECA functionality intact, but the vulnerable routes will no longer be...

5.4CVSS6.8AI score0.00168EPSS
Exploits0References1
Drupal
Drupal
•added 2025/04/02 12:0 a.m.•27 views

TacJS - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-027

This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied markup inside of content leading to a persistent Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker needs...

4.8CVSS6AI score0.0033EPSS
Exploits0References1
Drupal
Drupal
•added 2025/04/02 12:0 a.m.•27 views

Obfuscate - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-029

This module enables you to obfuscate email addresses, to avoid them being easily available to spammers. The module doesn't sufficiently sanitise input when ROT13 encoding is used. This vulnerability is mitigated by the fact that an attacker must have a role with the ability to enter specific HTML...

5.4CVSS6.7AI score0.00217EPSS
Exploits0References2
Drupal
Drupal
•added 2025/04/02 12:0 a.m.•22 views

Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-028

This module enables users to log in using a short access code instead of providing a username/password combination. The module doesn't sufficiently protect against brute force attacks to guess a user's access code. This vulnerability is mitigated by the fact that access code based logins are off ...

4.8CVSS7.2AI score0.00254EPSS
Exploits0References2
Drupal
Drupal
•added 2025/03/19 12:0 a.m.•15 views

RapiDoc OAS Field Formatter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-025

This module can be used to render Open API Documentation using the RapiDoc library. The module provides a custom formatter for link fields. Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability XSS. A separate fix for Drupal cor...

6.1CVSS6.7AI score0.00242EPSS
Exploits0References2
Drupal
Drupal
•added 2025/03/19 12:0 a.m.•14 views

Link field display mode formatter - Moderately critical - Cross site scripting - SA-CONTRIB-2025-024

This module adds a formatter for link fields that displays the current entity with another view mode inside the link. Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site Scripting vulnerability XSS. A separate fix for Drupal core has been released bu...

6.1CVSS6.6AI score0.00242EPSS
Exploits0References2
Drupal
Drupal
•added 2025/03/19 12:0 a.m.•29 views

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2025-004

Drupal core Link field attributes are not sufficiently sanitized, which can lead to a Cross Site Scripting vulnerability XSS. This vulnerability is mitigated by that fact that an attacker would need to have the ability to add specific attributes to a Link field, which typically requires edit acce...

5.4CVSS6.6AI score0.00456EPSS
Exploits0References5
Drupal
Drupal
•added 2025/03/19 12:0 a.m.•12 views

Formatter Suite - Moderately critical - Cross site scripting - SA-CONTRIB-2025-026

Formatter Suite provides a suite of field formatters to help present numbers, dates, times, text, links, entity references, files, and images. The module provides a custom formatter for link fields. Drupal core does not sufficiently sanitize link element attributes, which can lead to a Cross Site...

6.1CVSS6.7AI score0.00242EPSS
Exploits0References2
Drupal
Drupal
•added 2025/03/05 12:0 a.m.•8 views

Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2025-023

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. The module does not sufficiently ensure that known login routes are not overridden by third-party modules which can allow an access bypass to occur. This vulnerabili...

8.1CVSS5.6AI score0.00369EPSS
Exploits0References3
Drupal
Drupal
•added 2025/03/05 12:0 a.m.•25 views

AI (Artificial Intelligence) - Critical - Remote Code Execution - SA-CONTRIB-2025-021

The AI Automators module a submodule of AI enables you to create different automated tasks that fills out field data using LLM outputs. The module doesn't sufficiently sanitize input before passing it to the underlying shell as part of a command for execution, allowing an attacker to run arbitrar...

7.5CVSS7.3AI score0.00717EPSS
Exploits0References2
Drupal
Drupal
•added 2025/03/05 12:0 a.m.•23 views

AI (Artificial Intelligence) - Moderately critical - Gadget Chain - SA-CONTRIB-2025-022

The AI Automators module a submodule of AI enables you to create different automated tasks that fills out a field data using LLM outputs. The module contains a potential PHP Object Injection vulnerability that if combined with another exploit could lead to Arbitrary File Deletion. It may be...

6.6CVSS8AI score0.00721EPSS
Exploits0References2
Drupal
Drupal
•added 2025/02/26 12:0 a.m.•14 views

General Data Protection Regulation - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-018

The GDPR Task submodule enables you to create GDPR tasks. The module doesn't sufficiently protect against Cross Site Request Forgery CSRF attacks by validating user identity and intent when creating tasks...

8.1CVSS7.3AI score0.00193EPSS
Exploits0References3
Total number of security vulnerabilities1940