Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2024/10/23 12:0 a.m.11 views

Views SVG Animation - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-051

This module enables you to animate an SVG graphic by selecting certain rows in a view. The module doesn't sufficiently sanitize the SVG file before embedding it into the html. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to upload SVG files...

5.4CVSS7AI score0.00213EPSS
Exploits0References5
Drupal
Drupal
added 2024/10/23 12:0 a.m.18 views

Loft Data Grids - Moderately critical - Multiple vulnerabilities - SA-CONTRIB-2024-054

This module provides serialization formats for use by other modules. The module includes a version of phpoffice/phpspreadsheet which has multiple known security vulnerabilities...

6.8AI score
Exploits0References8
Drupal
Drupal
added 2024/10/23 12:0 a.m.12 views

Monster Menus - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-052

This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure. In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize function, which can result in arbitrary code execution...

4.3CVSS7.5AI score0.00339EPSS
Exploits0References7
Drupal
Drupal
added 2024/10/23 12:0 a.m.8 views

SVG Embed - Moderately critical - Cross site scripting - SA-CONTRIB-2024-050

This module enables you to embed the content of an SVG file into the body html of a node and optionally allows to translate text contained within the image. The module doesn't sufficiently sanitize the SVG file before embedding it into the html. This vulnerability is mitigated by the fact that an...

5.4CVSS7AI score0.00213EPSS
Exploits0References6
Drupal
Drupal
added 2024/10/23 12:0 a.m.17 views

Smartling Connector - Less critical - Multiple vulnerabilities - SA-CONTRIB-2024-053

Smartling module allows you to translate content in Drupal 7 using the Smartling Translation Management Platform. The module includes an outdated version of the Guzzle package guzzlehttp/guzzle 6.3.3, which has known security vulnerabilities...

6.6AI score
Exploits0References7
Drupal
Drupal
added 2024/10/16 12:0 a.m.27 views

Drupal core - Moderately critical - Improper error handling - SA-CORE-2024-002

Under certain uncommon site configurations, a bug in the CKEditor 5 module can cause some image uploads to move the entire webroot to a different location on the file system. This could be exploited by a malicious user to take down a site. The issue is mitigated by the fact that several non-defau...

5.9CVSS6.3AI score0.00375EPSS
Exploits0References13
Drupal
Drupal
added 2024/10/09 12:0 a.m.8 views

Monster Menus - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-045

This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure. A function which can be used by third-party code does not return valid data under certain rare circumstances. If the third-party code relies on this data to decide whether to grant...

9.1CVSS7.1AI score0.00347EPSS
Exploits0References6
Drupal
Drupal
added 2024/10/09 12:0 a.m.9 views

Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047

This module enables you to to easily create and manage faceted search interfaces. The module doesn't sufficiently filter for malicious script leading to a reflected cross site scripting XSS vulnerability. The vulnerability exists in the Facets Summary submodule. If you do not use that sub module...

6.1CVSS5.9AI score0.00228EPSS
Exploits0References8
Drupal
Drupal
added 2024/10/09 12:0 a.m.11 views

wkhtmltopdf - Highly critical - Unsupported - SA-CONTRIB-2024-049

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...

9.8CVSS7.1AI score0.00434EPSS
Exploits0References2
Drupal
Drupal
added 2024/10/09 12:0 a.m.8 views

Block permissions - Moderately critical - Access bypass - SA-CONTRIB-2024-046

This module enables you to manage blocks from specific modules in the specific themes. The module doesn't sufficiently check permissions under the scenario when a block is added using the form "/admin/structure/block/add/pluginid/theme" route "block.adminadd". The attacker can add the block to th...

8.8CVSS7AI score0.00331EPSS
Exploits0References7
Drupal
Drupal
added 2024/10/09 12:0 a.m.7 views

Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048

This module provides a new UI experience for node editing using the Gutenberg Editor library. The module did not sufficiently protect some routes against a Cross Site Request Forgery attack. This vulnerability is mitigated by the fact that the tricked user needs to have an active session with the...

8.8CVSS7.1AI score0.00193EPSS
Exploits0References12
Drupal
Drupal
added 2024/10/02 12:0 a.m.15 views

Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. The module does not sufficiently migrate sessions before prompting for a second factor token. This vulnerability is mitigated by the fact that an attacker must fixat...

9.8CVSS5.7AI score0.0045EPSS
Exploits0References8
Drupal
Drupal
added 2024/10/02 12:0 a.m.9 views

Persistent Login - Moderately critical - Access bypass - SA-CONTRIB-2024-044

This module enables users to remain logged in separately from session timeouts. The module doesn't sufficiently check a user's disabled status when validating cookies. This vulnerability is mitigated by the fact that an attacker must have an unexpired cookie from a previous successful login...

9.8CVSS6.9AI score0.00401EPSS
Exploits0References7
Drupal
Drupal
added 2024/10/02 12:0 a.m.8 views

Diff - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-042

This module adds a tab for sufficiently permissioned users. The tab shows all revisions like standard Drupal but it also allows pretty viewing of all added/changed/deleted words between revisions. The module doesn't sufficiently check revision access before rendering a diff report for 1 nodes or ...

9.1CVSS7AI score0.00347EPSS
Exploits0References7
Drupal
Drupal
added 2024/09/18 12:0 a.m.10 views

Smart IP Ban - Critical - Access bypass - SA-CONTRIB-2024-041

The Smart IP Ban module enables a site to automatically ban an IP address based upon too many failed authentications. The module doesn't sufficiently protect access to certain paths provided by the module allowing a malicious user to view and modify the settings...

9.1CVSS6.9AI score0.00347EPSS
Exploits0References7
Drupal
Drupal
added 2024/09/11 12:0 a.m.8 views

File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040

This module enables you to store and manage both private and public files, provides the ability to add fieldable metadata for fileentity bundle types in addition to core filemanaged data. The module doesn't sufficiently ensure that folders exist within the private destination prior to writing to...

7.5CVSS7AI score0.00366EPSS
Exploits0References7
Drupal
Drupal
added 2024/09/11 12:0 a.m.10 views

Security Kit - Less critical - Denial of Service - SA-CONTRIB-2024-039

This module provides Drupal with various security-hardening options, for example by emitting various configurable HTTP response headers. The module doesn't sufficiently validate input in Content Security Policy CSP violation reports. This can cause errors when a logging module e.g. dblog or syslo...

5.3CVSS6.8AI score0.00355EPSS
Exploits0References8
Drupal
Drupal
added 2024/09/04 12:0 a.m.9 views

Paragraphs table - Critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-036

This module enables field collections to be displayed as tables. It supports display suite and field permissions and provides operations modify, delete, duplicate. This module has multiple vulnerabilities due to the requirements on the routes it provides not being restrictive enough. Information...

6.3CVSS7.1AI score0.00235EPSS
Exploits0References10
Drupal
Drupal
added 2024/09/04 12:0 a.m.10 views

Content Entity Clone - Moderately critical - Information Disclosure - SA-CONTRIB-2024-035

This module enables you to "clone" a content entity, i.e. to create a new content pre-filled with data from another entity of the same type and bundle. The module doesn't properly check the user access to the original entity, allowing users to create a new entity they have permission to create...

4.3CVSS6.9AI score0.00301EPSS
Exploits0References6
Drupal
Drupal
added 2024/09/04 12:0 a.m.9 views

Freelinking - Moderately critical - Information Disclosure - SA-CONTRIB-2024-034

This module enables you to configure a wiki-like input filter that allows users to create links to site and external content. The module doesn't sufficiently check if a user has access to some URLs before rendering them as links. This vulnerability is mitigated by the fact that an attacker must...

4.3CVSS6.8AI score0.00301EPSS
Exploits0References7
Drupal
Drupal
added 2024/09/04 12:0 a.m.11 views

Open Social - Moderately critical - Denial of Service - SA-CONTRIB-2024-038

Open Social is a Drupal distribution for online communities. The distribution didn't validate the flood control limits on the password reset form correctly resulting in a potential attacker flooding the password reset which could result in a Denial of Service. Fortunately the message does not...

5.3CVSS7AI score0.00355EPSS
Exploits0References8
Drupal
Drupal
added 2024/09/04 12:0 a.m.9 views

Open Social - Moderately critical - Cross Site Scripting, Denial of Service - SA-CONTRIB-2024-037

Open Social is a Drupal distribution for online communities, which ships with an optional module called Social Embed. This module allows a website to display embedded content such as photos or videos when a user posts a link to that resource, without having to parse the resource directly. Added...

5.4CVSS6.9AI score0.00213EPSS
Exploits0References7
Drupal
Drupal
added 2024/08/28 12:0 a.m.26 views

Advanced Varnish - Moderately critical - Access bypass - SA-CONTRIB-2024-033

This module enables you to cache pages for logged in users at the Varnish level. The Varnish bin names may be guessable when no hashing noise configuration is set on the module configuration page, which would ultimately allow any user to view cached pages that were intended for other roles when...

5.3CVSS6.9AI score0.00359EPSS
Exploits0References5
Drupal
Drupal
added 2024/08/21 12:0 a.m.13 views

Opigno TinCan Question Type - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-031

The Opigno TinCan Question Type module is related to Opigno LMS distribution. The module adds a new question type for the Quiz module. With this new question type, you will be able to import TinCan Packages to your Drupal instance and to use it as a question. Uploaded files were not sufficiently...

7.5CVSS7.4AI score0.00547EPSS
Exploits0References9
Drupal
Drupal
added 2024/08/21 12:0 a.m.11 views

Opigno - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-032

The Opigno module is related to Opigno LMS distribution. Opigno Scorm submodule exposes an API for extracting and handling SCORM packages. Uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution RCE and/or Cross Site Scripting XS...

6.8CVSS7.5AI score0.00459EPSS
Exploits0References7
Drupal
Drupal
added 2024/08/21 12:0 a.m.12 views

Responsive and off-canvas menu - Moderately critical - Access bypass - SA-CONTRIB-2024-030

This module integrates the mmenu library with Drupal's menu system with the aim of having an off-canvas mobile menu and a horizontal menu at wider widths. The module doesn't respect custom node access restrictions implemented through hookENTITYTYPEaccess hooks meaning the titles of restricted nod...

5.3CVSS7AI score0.0034EPSS
Exploits0References7
Drupal
Drupal
added 2024/08/07 12:0 a.m.23 views

Opigno module - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-028

The Opigno module is related to Opigno LMS distribution. It implements the module entity, that is a sub-part of a training. In the opignomodule module, uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution RCE and/or Cross Site...

9.8CVSS7.4AI score0.00452EPSS
Exploits0References9
Drupal
Drupal
added 2024/08/07 12:0 a.m.15 views

Opigno Learning path - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-029

The Opigno Learning Path module enables you to manage group content. Administrative forms allow uploading malicious files which may contain arbitrary code RCE or cross site scriptiong XSS. These forms were not adequately controlled with permissions that communicate the severity of the permission...

7.5CVSS7.1AI score0.00547EPSS
Exploits0References9
Drupal
Drupal
added 2024/08/07 12:0 a.m.22 views

Opigno group manager - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-027

The Opigno group manager project is related to Opigno LMS distribution. It allows to build the contents of learning paths, by combining together modules, courses, and other activities, ordering them, and defining conditional rules for the transitions from one step to the next one. An administrati...

5.5CVSS7.1AI score0.00254EPSS
Exploits0References7
Drupal
Drupal
added 2024/07/31 12:0 a.m.12 views

View Password - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-026

The View Password module enables you to add a help icon button next to the password input field to toggle the password visibility. The administrative user is allowed to add classes to this icon for styling purposes. The module doesn't validate the content of classes. A malicious user with access ...

4.8CVSS7.2AI score0.00266EPSS
Exploits0References6
Drupal
Drupal
added 2024/06/05 12:0 a.m.29 views

Acquia DAM - Moderately critical - Cross Site Request Forgery, Denial of Service - SA-CONTRIB-2024-025

Acquia DAM provides a connection to a third-party asset management system, allowing for images to be managed, linked to, and viewed from Drupal. In order for assets to be managed in Drupal, a site administrator must first authenticate the site to their DAM instance. The module doesn't sufficientl...

3.5CVSS6.8AI score0.00143EPSS
Exploits0References6
Drupal
Drupal
added 2024/05/29 12:0 a.m.20 views

Image Sizes - Moderately critical - Access bypass - SA-CONTRIB-2024-023

This module enables you to create responsive image styles that depend on the parent element's width. The module doesn't sufficiently check access to rendered images, resulting in access bypass vulnerabilities in specific scenarios...

7.5CVSS7.3AI score0.00481EPSS
Exploits0References7
Drupal
Drupal
added 2024/05/29 12:0 a.m.24 views

Migrate queue importer - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-024

The Migrate queue importer module enables you to create cron migrationsconfiguration entities with a reference towards migration entities in order to import them during cron runs. The module doesn't sufficiently protect against Cross Site Request Forgery under specific scenarios allowing an...

8.8CVSS7AI score0.00193EPSS
Exploits0References7
Drupal
Drupal
added 2024/05/29 12:0 a.m.37 views

Drupal REST & JSON API Authentication - Moderately critical - Access bypass - SA-CONTRIB-2024-022

Drupal REST & JSON API Authentication module restricts and secures unauthorized access to your Drupal site APIs using different authentication methods including Basic Authentication , API Key Authentication , JWT Authentication , OAuth Authentication , External / Third-Party Provider...

9.8CVSS7.3AI score0.00629EPSS
Exploits0References9
Drupal
Drupal
added 2024/05/22 12:0 a.m.16 views

Commerce View Receipt - Moderately critical - Access bypass - SA-CONTRIB-2024-021

The Commerce View Receipts module enables you to view commerce order receipts in the browser. The module doesn't sufficiently check access permissions, allowing an unauthorised user to view the private information of other customers...

5.3CVSS6.7AI score0.00279EPSS
Exploits0References8
Drupal
Drupal
added 2024/05/22 12:0 a.m.31 views

Email Contact - Moderately critical - Access bypass - SA-CONTRIB-2024-020

The Email Contact module provides email field display formatters that can display the field as a link to the contact form, or as an inline contact form. The module does not sufficiently handle restricted entity or field access to the mail sending form, when the "Email contact link" formatter is...

7.5CVSS7AI score0.00397EPSS
Exploits0References9
Drupal
Drupal
added 2024/05/15 12:0 a.m.51 views

RESTful Web Services - Critical - Access bypass - SA-CONTRIB-2024-019

This module exposes Drupal resources e.g. entities as RESTful web services. The module doesn't sufficiently restrict access for user resources...

7.5CVSS7.2AI score0.00495EPSS
Exploits0References3
Drupal
Drupal
added 2024/04/24 12:0 a.m.22 views

REST Views - Moderately critical - Information Disclosure - SA-CONTRIB-2024-018

The Rest views module lets site admins create rest exports in views with additional options for serializing data. This module does not accurately check access and may expose paths to unpublished content. This vulnerability is mitigated by the fact that there must be a specific content structure t...

7.5CVSS6.9AI score0.00481EPSS
Exploits0References6
Drupal
Drupal
added 2024/04/24 12:0 a.m.32 views

Advanced PWA inc Push Notifications - Critical - Access bypass - SA-CONTRIB-2024-017

Progressive web applications are web applications that load like regular web pages or websites but can offer the user functionality such as working offline, push notifications, and device hardware access traditionally available only to native applications. This module doesn't sufficiently protect...

9.1CVSS6.7AI score0.00363EPSS
Exploits0References9
Drupal
Drupal
added 2024/03/27 12:0 a.m.34 views

TacJS - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-016

This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied markup inside of content leading to a persistent Cross Site Scripting XSS vulnerability. More details are available in CVE-2023-3620. This vulnerability is...

5.4CVSS5.8AI score0.00542EPSS
Exploits1References6
Drupal
Drupal
added 2024/03/06 12:0 a.m.24 views

Registration role - Critical - Access bypass - SA-CONTRIB-2024-015

The Registration role module lets an administrator select a role or multiple roles to automatically assign to new users. The selected role or roles will be assigned to new registrants. The module has a logic error when handling sites that upgraded code and did not run the Drupal update process e....

8.8CVSS7.2AI score0.00355EPSS
Exploits0References8
Drupal
Drupal
added 2024/02/28 12:0 a.m.20 views

Coffee - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-011

The Coffee module helps you to navigate through the Drupal admin menus faster with a shortcut popup. The module doesn't sufficiently escape menu names when displaying them in the popup, thereby exposing a XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a...

4.8CVSS6AI score0.00218EPSS
Exploits0References7
Drupal
Drupal
added 2024/02/28 12:0 a.m.22 views

Node Access Rebuild Progressive - Less critical - Access bypass - SA-CONTRIB-2024-013

This module provides an alternative mean of rebuilding the Content Access table. The module doesn't sufficiently reset the state of content access when the module is uninstalled...

5.4CVSS7.1AI score0.00211EPSS
Exploits0References6
Drupal
Drupal
added 2024/02/28 12:0 a.m.20 views

Drupal Symfony Mailer Lite - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-014

The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions. This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations...

8.8CVSS7AI score0.00193EPSS
Exploits0References7
Drupal
Drupal
added 2024/02/28 12:0 a.m.23 views

Private content - Moderately critical - Access bypass - SA-CONTRIB-2024-012

This module gives each node a 'private' checkbox. If it's set, the node can only be seen by the node author, or users with the 'access private content' permission. The module incorrectly grants access to private nodes under certain specific circumstances. This vulnerability is mitigated by the fa...

5.5CVSS6.9AI score0.00186EPSS
Exploits0References6
Drupal
Drupal
added 2024/02/21 12:0 a.m.19 views

Node Access Rebuild Progressive - Less critical - Access bypass - SA-CONTRIB-2024-010

This module provides an alternative mean of rebuilding the Content Access table. The module doesn't sufficiently reset the state of content access when the module is uninstalled...

5.3CVSS7.1AI score0.00263EPSS
Exploits0References6
Drupal
Drupal
added 2024/02/14 12:0 a.m.23 views

CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009

The CKEditor 4 LTS - WYSIWYG HTML editor module uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that on certain configurations may impact the Drupal module that bundles and integrates this code. The vulnerability is mitigated by the fact it requires: full-pa...

6.1CVSS6.2AI score0.00706EPSS
Exploits0References12
Drupal
Drupal
added 2024/02/07 12:0 a.m.16 views

Migrate Tools - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-008

The Migrate Tools module provides tools for running and managing Drupal migrations. The module doesn't sufficiently protect against Cross Site Request Forgery under specific scenarios allowing an attacker to trick an authenticated administrator into initiating a migration. This vulnerability is...

8.8CVSS6.9AI score0.00193EPSS
Exploits0References5
Drupal
Drupal
added 2024/01/31 12:0 a.m.20 views

Entity Delete Log - Moderately critical - Access bypass - SA-CONTRIB-2024-007

The Entity Delete Log module tracks the deletion of configured entity types, such as node or comments. It does not add sufficient permission to the log report page, allowing an attacker to view information from deleted entities...

6.5CVSS6.7AI score0.00267EPSS
Exploits0References8
Drupal
Drupal
added 2024/01/24 12:0 a.m.25 views

Open Social - Moderately critical - Information Disclosure - SA-CONTRIB-2024-005

Open Social is a Drupal distribution for online communities. The included optional socialgroupflexiblegroup module doesn't sufficiently validate group updates. The lack of validation makes it possible to have content inside the group changing it's visibility, which could lead to that content bein...

9.1CVSS7AI score0.00347EPSS
Exploits0References7
Total number of security vulnerabilities1940