1940 matches found
Cache Utility - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-019
The Cache Utility module provides an ability to view status and flush various caches. The module doesn't sufficiently protect against Cross Site Request Forgery CSRF attacks by validating user identity and intent when flushing a cache...
OAuth2 Server - Moderately critical - Access bypass - SA-CONTRIB-2025-020
Provides OAuth2 server functionality based on the oauth2-server-php library. The module does not consistently enforce admin configurations allowing users on a disabled server to still authenticate...
Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002
Bulk operations allow authorized users to modify several nodes at once from the Content page /admin/content. A site builder can also add bulk operations to other pages using Views. A bug in the core Actions system allows some users to modify some fields using bulk actions that they do not have...
Drupal core - Critical - Cross site scripting - SA-CORE-2025-001
Drupal core doesn't sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting vulnerability XSS. Sites are encouraged to update. There are not yet public documented steps to exploit this, but there may be soon given the nature of this issue. This...
Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003
Drupal core contains a potential PHP Object Injection vulnerability that if combined with another exploit could lead to Arbitrary File Inclusion. Techniques exist to escalate this attack to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order fo...
Configuration Split - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-017
This module enables you to create super sets of configuration and enable them conditionally, for example have some modules installed only in some environments. The module does not use Cross Site Request Forgery CSRF tokens to protect routes for enabling or disabling a split. This vulnerability is...
SpamSpan filter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-016
This module enables your site to obfuscate Email addresses and prevent spambots to collect them. The module doesn't sanitize HTML data attributes when an email address link is transformed to separate span HTML elements and then transformed back by JavaScript leading to a Cross Site Scripting XSS...
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014
Open Social is a Drupal distribution for online communities, which ships with a default optional module sociallanguage to make your platform multilingual. Some site administration configuration does not correctly check access when trying to translate allowing unauthorised people to translate thes...
Open Social - Less critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-015
Open Social is a Drupal distribution for online communities, which ships with a default module to invite users to groups and events. Invites for a specific user can be seen under certain conditions. The issue is mitigated for events by the fact that socialeventmaxenroll has to be enabled...
OAuth2 Client - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-013
This module enables a developer to create dedicated OAuth2 clients for connecting to external APIs and other OAuth protected resources. The module does not use Cross Site Request Forgery CSRF tokens to protect routes for enabling a client. This vulnerability is mitigated by the fact that an...
Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009
This module allows a site to setup two factor authentication via QR code using authenticator applications on mobile devices including phones. The module does not properly protect its custom paths, allowing one user to access a different user's two factor configuration...
Matomo Analytics - Moderately critical - Cross site request forgery - SA-CONTRIB-2025-008
This module enables you to add the Matomo web statistics tracking system to your website. The Matomo Analytics Tag Manager sub-module allows you to add one or more Matomo tag containers on your website. The module does not protect against Cross Site Request Forgeries on routes to enable or disabl...
Google Tag - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-011
This module enables you to integrate the site with the Google Tag Manager GTM application. The module doesn't have the "restrict access" flag on the "administer googletagcontainer" permission. A user with this permission can load a GTM container that completely changes the page or inserts malicio...
Google Tag - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-012
This module enables you to integrate the site with the Google Tag Manager GTM application. The module doesn't sufficiently validate the enabling or disabling of a tag container. The routes involved are not protected against Cross Site Request Forgery CSRF. This vulnerability is mitigated by the...
Drupal Admin LTE theme - Critical - Unsupported - SA-CONTRIB-2025-010
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007
This module enables you to render error pages using the Ignition package. The module disables certain Drupal core code and does not perform sufficient filtering, allowing HTML to be injected in certain situations leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated...
Material Admin - Critical - Unsupported - SA-CONTRIB-2025-006
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
AI (Artificial Intelligence) - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-004
The AI logging sub-module enables you to log AI requests and responses for debugging and auditing purposes. The module doesn't sufficiently check for access to view the preview listing of the logs. Full log details are correctly protected, and API keys are never logged. This vulnerability is...
Flattern – Multipurpose Bootstrap Business Profile - Critical - Unsupported - SA-CONTRIB-2025-005
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
AI (Artificial Intelligence) - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-003
The Drupal AI module provides a framework for easily integrating Artificial Intelligence on any Drupal site using any kind of AI from multiple vendors. The sub-modules AI Chatbot and AI Assistants API allow users to interact with the Drupal site via a 'chat' interface. The AI Chatbot module doesn...
Profile Private - Critical - Unsupported - SA-CONTRIB-2025-002
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-001
This module enables you to do Two-Factor Authentication by email, using a user registered email to send a verification code to the user's email every time the user tries to log in to your site. The module did not sufficiently protect against brute force attacks, allowing an attacker to bypass the...
Git Utilities for Drupal - Critical - Unsupported - SA-CONTRIB-2024-074
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Allow All File Extensions for file fields - Critical - Unsupported - SA-CONTRIB-2024-075
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073
This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page. The Login Disable module does not correctly prevent a user with a disabled login from logging in, allowing those users to by-pass...
Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072
This module provides a block that renders a link providing the functionality of a browser's back button. The module does not sufficiently escape text entered by an administrator, resulting in a cross scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a...
Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076
Open Social is a Drupal distribution for online communities, which ships with a default optional module socialfileprivate to ensure the images and files provided by the distribution are stored in the private instead of the public filesystem. For installations of Open Social prior to version 11.8....
Megamenu Framework - Critical - Unsupported - SA-CONTRIB-2024-065
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2024-068
Module to restrict access from anonymous and regular users to configured pre-defined pages. The module does not adequately handle protecting certain types of URLs...
OAuth Client & OpenID Connect SSO | OAuth/OIDC Login - Critical - Cross Site Scripting - SA-CONTRIB-2024-067
This module enables you to authenticate users through an Identity Provider IdP or OAuth Server, allowing them to log in to your Drupal site. The module does not sufficiently escape query parameters sent to the callback URL when displaying error messages, particularly if the code parameter is...
Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069
This module provides a field formatter for the field type 'file' called Table of files with download all link . The module had vulnerabilities allowing a user to download files they normally should not be able to download...
Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071
This module allows a site builder to create multi-step entity forms leveraging the Field Group field type plugins. The module doesn't escape plain text administrative configurations. An attacker with admin access could inject arbitrary JavaScript code. This vulnerability is mitigated by the fact...
Minify JS - Moderately critical - Cross site request forgery - SA-CONTRIB-2024-070
The Minify JS module allows a site administrator to minify all javascript files that exist in the site's code base and use those minified files on the front end of the website. Several administrator routes are unprotected against Cross-Site Request Forgery CRSF attacks...
Print Anything - Critical - Unsupported - SA-CONTRIB-2024-066
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...
Tarte au Citron - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-064
This module integrates Tarte au citron JS library with Drupal and prevent services to be loaded without user consent. Administrators can enable and configure services which will be managed by Tarte au citron. When Google Tag Manager GTM service is enabled, an attacker can load a GTM container tha...
Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005
Drupal 7 core's Overlay module doesn't safely handle user input, leading to reflected cross-site scripting under certain circumstances. Only sites with the Overlay module enabled are affected by this vulnerability...
Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004
Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues...
Node export - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-061
This module allows users to export nodes and then import it into another Drupal installation, or on the same site. In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize function, which could results in Remote Code Execution via PHP Object Injection...
Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007
Drupal core contains a potential PHP Object Injection vulnerability that if combined with another exploit could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to...
Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063
This module integrates webforms with eloqua, an automated marketing and demand generation software built to improve the quality and quantity of customers' sales leads and streamline their sales processes. In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's...
Mailjet - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-062
This module for Drupal provides complete control of Email settings with Drupal and Mailjet. In certain cases the module doesn't securely pass data to PHP's unserialize function, which could result in Remote Code Execution via PHP Object Injection. This vulnerability is mitigated by the fact that ...
Drupal core - Less critical - Gadget chain - SA-CORE-2024-006
Drupal core contains a potential PHP Object Injection vulnerability that if combined with another exploit could lead to Artbitrary File Deletion. It is not directly exploitable. This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allo...
Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008
Drupal core contains a potential PHP Object Injection vulnerability that if combined with another exploit could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to...
Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003
Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized...
POST File - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-059
The module creates an endpoint on the site at /postfile/upload that accepts a POST request for uploading a single file into a specified file system public, private, etc. The module doesn't sufficiently protect against Cross Site Request Forgery under allowing an attacker to trick a site user into...
POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060
The module creates an endpoint on the site at /postfile/upload that accepts a POST request for uploading a single file into a specified file system public, private, etc. This module accepts any uploaded file extension, including dangerous file formats so it can be used to bypass the...
Tooltip - Moderately critical - Cross site scripting - SA-CONTRIB-2024-058
This module enables you to add any HTML content you want in a tooltip displayed on mouse hover. The module does not sufficiently escape the markup inserted in the tooltip block. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks"...
Basic HTTP Authentication - Critical - Access bypass - SA-CONTRIB-2024-057
The module provides a possibility to restrict access to specific paths using basic HTTP authentication, in addition to standard Drupal access checks. In some cases, the module removes existing access checks from some paths, resulting in an access bypass vulnerability...
Cookiebot + GTM - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-055
This module makes it possible for you to integrate Cookiebot and Google Tag Manager in a fast and simple way. The module doesn't sufficiently filter for malicious script leading to a persistent cross site scripting XSS vulnerability...
OhDear Integration - Moderately critical - Access bypass - SA-CONTRIB-2024-056
Integrates your Drupal website with the Oh Dear monitoring app. Cached data of monitoring results is accessible to non-logged in users when caching is enabled on the module. This vulnerability is mitigated by the fact that it only affects sites where caching is enabled for OhDear report healthche...