Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
•added 2025/02/26 12:0 a.m.•14 views

Cache Utility - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-019

The Cache Utility module provides an ability to view status and flush various caches. The module doesn't sufficiently protect against Cross Site Request Forgery CSRF attacks by validating user identity and intent when flushing a cache...

8.8CVSS7.2AI score0.0021EPSS
Exploits0References3
Drupal
Drupal
•added 2025/02/26 12:0 a.m.•9 views

OAuth2 Server - Moderately critical - Access bypass - SA-CONTRIB-2025-020

Provides OAuth2 server functionality based on the oauth2-server-php library. The module does not consistently enforce admin configurations allowing users on a disabled server to still authenticate...

9.8CVSS5.5AI score0.00401EPSS
Exploits0References2
Drupal
Drupal
•added 2025/02/19 12:0 a.m.•32 views

Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002

Bulk operations allow authorized users to modify several nodes at once from the Content page /admin/content. A site builder can also add bulk operations to other pages using Views. A bug in the core Actions system allows some users to modify some fields using bulk actions that they do not have...

4.6CVSS6.8AI score0.00293EPSS
Exploits0References7
Drupal
Drupal
•added 2025/02/19 12:0 a.m.•104 views

Drupal core - Critical - Cross site scripting - SA-CORE-2025-001

Drupal core doesn't sufficiently filter error messages under certain circumstances, leading to a reflected Cross Site Scripting vulnerability XSS. Sites are encouraged to update. There are not yet public documented steps to exploit this, but there may be soon given the nature of this issue. This...

6.1CVSS6.4AI score0.00287EPSS
Exploits0References8
Drupal
Drupal
•added 2025/02/19 12:0 a.m.•49 views

Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003

Drupal core contains a potential PHP Object Injection vulnerability that if combined with another exploit could lead to Arbitrary File Inclusion. Techniques exist to escalate this attack to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order fo...

7.5CVSS8AI score0.00537EPSS
Exploits0References7
Drupal
Drupal
•added 2025/02/12 12:0 a.m.•22 views

Configuration Split - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-017

This module enables you to create super sets of configuration and enable them conditionally, for example have some modules installed only in some environments. The module does not use Cross Site Request Forgery CSRF tokens to protect routes for enabling or disabling a split. This vulnerability is...

6.8CVSS7.1AI score0.0018EPSS
Exploits0References1
Drupal
Drupal
•added 2025/02/12 12:0 a.m.•15 views

SpamSpan filter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-016

This module enables your site to obfuscate Email addresses and prevent spambots to collect them. The module doesn't sanitize HTML data attributes when an email address link is transformed to separate span HTML elements and then transformed back by JavaScript leading to a Cross Site Scripting XSS...

6.1CVSS5.8AI score0.00242EPSS
Exploits0References2
Drupal
Drupal
•added 2025/02/12 12:0 a.m.•12 views

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014

Open Social is a Drupal distribution for online communities, which ships with a default optional module sociallanguage to make your platform multilingual. Some site administration configuration does not correctly check access when trying to translate allowing unauthorised people to translate thes...

9.1CVSS6.8AI score0.00363EPSS
Exploits0References3
Drupal
Drupal
•added 2025/02/12 12:0 a.m.•12 views

Open Social - Less critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-015

Open Social is a Drupal distribution for online communities, which ships with a default module to invite users to groups and events. Invites for a specific user can be seen under certain conditions. The issue is mitigated for events by the fact that socialeventmaxenroll has to be enabled...

8.1CVSS7AI score0.00382EPSS
Exploits0References3
Drupal
Drupal
•added 2025/02/05 12:0 a.m.•8 views

OAuth2 Client - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-013

This module enables a developer to create dedicated OAuth2 clients for connecting to external APIs and other OAuth protected resources. The module does not use Cross Site Request Forgery CSRF tokens to protect routes for enabling a client. This vulnerability is mitigated by the fact that an...

6.8CVSS5.6AI score0.00167EPSS
Exploits0References6
Drupal
Drupal
•added 2025/01/29 12:0 a.m.•19 views

Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009

This module allows a site to setup two factor authentication via QR code using authenticator applications on mobile devices including phones. The module does not properly protect its custom paths, allowing one user to access a different user's two factor configuration...

9.8CVSS7.5AI score0.00401EPSS
Exploits0References6
Drupal
Drupal
•added 2025/01/29 12:0 a.m.•35 views

Matomo Analytics - Moderately critical - Cross site request forgery - SA-CONTRIB-2025-008

This module enables you to add the Matomo web statistics tracking system to your website. The Matomo Analytics Tag Manager sub-module allows you to add one or more Matomo tag containers on your website. The module does not protect against Cross Site Request Forgeries on routes to enable or disabl...

6.8CVSS6.9AI score0.00167EPSS
Exploits0References4
Drupal
Drupal
•added 2025/01/29 12:0 a.m.•21 views

Google Tag - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-011

This module enables you to integrate the site with the Google Tag Manager GTM application. The module doesn't have the "restrict access" flag on the "administer googletagcontainer" permission. A user with this permission can load a GTM container that completely changes the page or inserts malicio...

4.8CVSS6.2AI score0.00218EPSS
Exploits0References8
Drupal
Drupal
•added 2025/01/29 12:0 a.m.•19 views

Google Tag - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-012

This module enables you to integrate the site with the Google Tag Manager GTM application. The module doesn't sufficiently validate the enabling or disabling of a tag container. The routes involved are not protected against Cross Site Request Forgery CSRF. This vulnerability is mitigated by the...

6.8CVSS6.9AI score0.00167EPSS
Exploits0References9
Drupal
Drupal
•added 2025/01/29 12:0 a.m.•16 views

Drupal Admin LTE theme - Critical - Unsupported - SA-CONTRIB-2025-010

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

6.6CVSS7.1AI score0.00456EPSS
Exploits0References2
Drupal
Drupal
•added 2025/01/22 12:0 a.m.•18 views

Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007

This module enables you to render error pages using the Ignition package. The module disables certain Drupal core code and does not perform sufficient filtering, allowing HTML to be injected in certain situations leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated...

6.1CVSS6.2AI score0.00242EPSS
Exploits0References8
Drupal
Drupal
•added 2025/01/22 12:0 a.m.•10 views

Material Admin - Critical - Unsupported - SA-CONTRIB-2025-006

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

6.6CVSS7.1AI score0.00456EPSS
Exploits0References2
Drupal
Drupal
•added 2025/01/22 12:0 a.m.•14 views

AI (Artificial Intelligence) - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-004

The AI logging sub-module enables you to log AI requests and responses for debugging and auditing purposes. The module doesn't sufficiently check for access to view the preview listing of the logs. Full log details are correctly protected, and API keys are never logged. This vulnerability is...

8.2CVSS7AI score0.00352EPSS
Exploits0References9
Drupal
Drupal
•added 2025/01/22 12:0 a.m.•15 views

Flattern – Multipurpose Bootstrap Business Profile - Critical - Unsupported - SA-CONTRIB-2025-005

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

6.6CVSS7.1AI score0.00493EPSS
Exploits0References2
Drupal
Drupal
•added 2025/01/15 12:0 a.m.•12 views

AI (Artificial Intelligence) - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-003

The Drupal AI module provides a framework for easily integrating Artificial Intelligence on any Drupal site using any kind of AI from multiple vendors. The sub-modules AI Chatbot and AI Assistants API allow users to interact with the Drupal site via a 'chat' interface. The AI Chatbot module doesn...

8.8CVSS6.6AI score0.0021EPSS
Exploits0References8
Drupal
Drupal
•added 2025/01/08 12:0 a.m.•11 views

Profile Private - Critical - Unsupported - SA-CONTRIB-2025-002

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

5.3CVSS7.1AI score0.00427EPSS
Exploits0References6
Drupal
Drupal
•added 2025/01/08 12:0 a.m.•18 views

Email TFA - Moderately critical - Access bypass - SA-CONTRIB-2025-001

This module enables you to do Two-Factor Authentication by email, using a user registered email to send a verification code to the user's email every time the user tries to log in to your site. The module did not sufficiently protect against brute force attacks, allowing an attacker to bypass the...

8.8CVSS7.1AI score0.00529EPSS
Exploits0References6
Drupal
Drupal
•added 2024/12/11 12:0 a.m.•9 views

Git Utilities for Drupal - Critical - Unsupported - SA-CONTRIB-2024-074

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

6.5CVSS7.1AI score0.00372EPSS
Exploits0References2
Drupal
Drupal
•added 2024/12/11 12:0 a.m.•8 views

Allow All File Extensions for file fields - Critical - Unsupported - SA-CONTRIB-2024-075

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

7.3CVSS7.1AI score0.00339EPSS
Exploits0References2
Drupal
Drupal
•added 2024/12/11 12:0 a.m.•6 views

Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073

This module enables you to prevent existing users from logging in to your Drupal site unless they know the secret key to add to the end of the ?q=user login form page. The Login Disable module does not correctly prevent a user with a disabled login from logging in, allowing those users to by-pass...

5.4CVSS6.7AI score0.00251EPSS
Exploits0References7
Drupal
Drupal
•added 2024/12/11 12:0 a.m.•17 views

Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072

This module provides a block that renders a link providing the functionality of a browser's back button. The module does not sufficiently escape text entered by an administrator, resulting in a cross scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a...

3.8CVSS6.6AI score0.00251EPSS
Exploits0References6
Drupal
Drupal
•added 2024/12/11 12:0 a.m.•9 views

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076

Open Social is a Drupal distribution for online communities, which ships with a default optional module socialfileprivate to ensure the images and files provided by the distribution are stored in the private instead of the public filesystem. For installations of Open Social prior to version 11.8....

5.3CVSS6.9AI score0.00297EPSS
Exploits0References6
Drupal
Drupal
•added 2024/12/04 12:0 a.m.•11 views

Megamenu Framework - Critical - Unsupported - SA-CONTRIB-2024-065

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

6.6CVSS7.1AI score0.00361EPSS
Exploits0References3
Drupal
Drupal
•added 2024/12/04 12:0 a.m.•16 views

Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2024-068

Module to restrict access from anonymous and regular users to configured pre-defined pages. The module does not adequately handle protecting certain types of URLs...

5.3CVSS7AI score0.00297EPSS
Exploits0References9
Drupal
Drupal
•added 2024/12/04 12:0 a.m.•23 views

OAuth Client & OpenID Connect SSO | OAuth/OIDC Login - Critical - Cross Site Scripting - SA-CONTRIB-2024-067

This module enables you to authenticate users through an Identity Provider IdP or OAuth Server, allowing them to log in to your Drupal site. The module does not sufficiently escape query parameters sent to the callback URL when displaying error messages, particularly if the code parameter is...

6.1CVSS6.9AI score0.00242EPSS
Exploits0References9
Drupal
Drupal
•added 2024/12/04 12:0 a.m.•9 views

Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069

This module provides a field formatter for the field type 'file' called Table of files with download all link . The module had vulnerabilities allowing a user to download files they normally should not be able to download...

5.3CVSS7.2AI score0.00297EPSS
Exploits0References9
Drupal
Drupal
•added 2024/12/04 12:0 a.m.•12 views

Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071

This module allows a site builder to create multi-step entity forms leveraging the Field Group field type plugins. The module doesn't escape plain text administrative configurations. An attacker with admin access could inject arbitrary JavaScript code. This vulnerability is mitigated by the fact...

4.8CVSS6.8AI score0.00232EPSS
Exploits0References5
Drupal
Drupal
•added 2024/12/04 12:0 a.m.•12 views

Minify JS - Moderately critical - Cross site request forgery - SA-CONTRIB-2024-070

The Minify JS module allows a site administrator to minify all javascript files that exist in the site's code base and use those minified files on the front end of the website. Several administrator routes are unprotected against Cross-Site Request Forgery CRSF attacks...

4.5CVSS7.1AI score0.0017EPSS
Exploits0References4
Drupal
Drupal
•added 2024/12/04 12:0 a.m.•11 views

Print Anything - Critical - Unsupported - SA-CONTRIB-2024-066

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

6.6CVSS7.1AI score0.00361EPSS
Exploits0References3
Drupal
Drupal
•added 2024/11/27 12:0 a.m.•14 views

Tarte au Citron - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-064

This module integrates Tarte au citron JS library with Drupal and prevent services to be loaded without user consent. Administrators can enable and configure services which will be managed by Tarte au citron. When Google Tag Manager GTM service is enabled, an attacker can load a GTM container tha...

4.8CVSS6.9AI score0.00232EPSS
Exploits0References7
Drupal
Drupal
•added 2024/11/20 12:0 a.m.•9 views

Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005

Drupal 7 core's Overlay module doesn't safely handle user input, leading to reflected cross-site scripting under certain circumstances. Only sites with the Overlay module enabled are affected by this vulnerability...

6.1CVSS6AI score0.00314EPSS
Exploits0References11
Drupal
Drupal
•added 2024/11/20 12:0 a.m.•13 views

Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004

Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues...

8.1CVSS6.5AI score0.00408EPSS
Exploits0References14
Drupal
Drupal
•added 2024/11/20 12:0 a.m.•9 views

Node export - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-061

This module allows users to export nodes and then import it into another Drupal installation, or on the same site. In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize function, which could results in Remote Code Execution via PHP Object Injection...

6.6CVSS5.7AI score0.00399EPSS
Exploits0References5
Drupal
Drupal
•added 2024/11/20 12:0 a.m.•10 views

Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007

Drupal core contains a potential PHP Object Injection vulnerability that if combined with another exploit could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to...

9.8CVSS7.4AI score0.00803EPSS
Exploits0References12
Drupal
Drupal
•added 2024/11/20 12:0 a.m.•29 views

Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063

This module integrates webforms with eloqua, an automated marketing and demand generation software built to improve the quality and quantity of customers' sales leads and streamline their sales processes. In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's...

6.6CVSS7.8AI score0.00399EPSS
Exploits0References5
Drupal
Drupal
•added 2024/11/20 12:0 a.m.•20 views

Mailjet - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-062

This module for Drupal provides complete control of Email settings with Drupal and Mailjet. In certain cases the module doesn't securely pass data to PHP's unserialize function, which could result in Remote Code Execution via PHP Object Injection. This vulnerability is mitigated by the fact that ...

6.6CVSS7.9AI score0.00399EPSS
Exploits0References5
Drupal
Drupal
•added 2024/11/20 12:0 a.m.•17 views

Drupal core - Less critical - Gadget chain - SA-CORE-2024-006

Drupal core contains a potential PHP Object Injection vulnerability that if combined with another exploit could lead to Artbitrary File Deletion. It is not directly exploitable. This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allo...

9.8CVSS6.8AI score0.00904EPSS
Exploits0References11
Drupal
Drupal
•added 2024/11/20 12:0 a.m.•30 views

Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008

Drupal core contains a potential PHP Object Injection vulnerability that if combined with another exploit could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to...

9.8CVSS7.3AI score0.00956EPSS
Exploits0References14
Drupal
Drupal
•added 2024/11/20 12:0 a.m.•21 views

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003

Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized...

5.4CVSS6.6AI score0.00327EPSS
Exploits0References14
Drupal
Drupal
•added 2024/11/13 12:0 a.m.•19 views

POST File - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-059

The module creates an endpoint on the site at /postfile/upload that accepts a POST request for uploading a single file into a specified file system public, private, etc. The module doesn't sufficiently protect against Cross Site Request Forgery under allowing an attacker to trick a site user into...

3.1CVSS7AI score0.00134EPSS
Exploits0References6
Drupal
Drupal
•added 2024/11/13 12:0 a.m.•12 views

POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060

The module creates an endpoint on the site at /postfile/upload that accepts a POST request for uploading a single file into a specified file system public, private, etc. This module accepts any uploaded file extension, including dangerous file formats so it can be used to bypass the...

5.4CVSS6.9AI score0.00227EPSS
Exploits0References6
Drupal
Drupal
•added 2024/11/06 12:0 a.m.•12 views

Tooltip - Moderately critical - Cross site scripting - SA-CONTRIB-2024-058

This module enables you to add any HTML content you want in a tooltip displayed on mouse hover. The module does not sufficiently escape the markup inserted in the tooltip block. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks"...

4.8CVSS6.8AI score0.00232EPSS
Exploits0References7
Drupal
Drupal
•added 2024/11/06 12:0 a.m.•11 views

Basic HTTP Authentication - Critical - Access bypass - SA-CONTRIB-2024-057

The module provides a possibility to restrict access to specific paths using basic HTTP authentication, in addition to standard Drupal access checks. In some cases, the module removes existing access checks from some paths, resulting in an access bypass vulnerability...

7.3CVSS7.1AI score0.00316EPSS
Exploits0References4
Drupal
Drupal
•added 2024/10/30 12:0 a.m.•12 views

Cookiebot + GTM - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-055

This module makes it possible for you to integrate Cookiebot and Google Tag Manager in a fast and simple way. The module doesn't sufficiently filter for malicious script leading to a persistent cross site scripting XSS vulnerability...

5.4CVSS5.9AI score0.00276EPSS
Exploits0References7
Drupal
Drupal
•added 2024/10/30 12:0 a.m.•8 views

OhDear Integration - Moderately critical - Access bypass - SA-CONTRIB-2024-056

Integrates your Drupal website with the Oh Dear monitoring app. Cached data of monitoring results is accessible to non-logged in users when caching is enabled on the module. This vulnerability is mitigated by the fact that it only affects sites where caching is enabled for OhDear report healthche...

5.3CVSS5.5AI score0.00297EPSS
Exploits0References6
Total number of security vulnerabilities1940