Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2024/01/24 12:0 a.m.18 views

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-004

Content within Open Social can have different visibilities. It is possible for a user to create public content even when this should not be allowed. This vulnerability is mitigated by the fact that the site must have public visibility disabled on a global level...

7.5CVSS6.8AI score0.00368EPSS
Exploits0References7
Drupal
Drupal
added 2024/01/24 12:0 a.m.10 views

Swift Mailer (abandoned) - Moderately critical - Access bypass - SA-CONTRIB-2024-006

The Drupal Swift Mailer module extends the basic e-mail sending functionality provided by Drupal by delegating all e-mail handling to the Swift Mailer library. This enables your site to take advantage of the many features which the Swift Mailer library provides. The module could allow an attacker...

9.1CVSS5.4AI score0.00366EPSS
Exploits0References7
Drupal
Drupal
added 2024/01/24 12:0 a.m.25 views

Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2024-003

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. In some cases, the module allows users to log in with an authentication plugin that an administrator has disabled. This vulnerability is mitigated by the fact that a...

9.8CVSS7.3AI score0.00549EPSS
Exploits0References10
Drupal
Drupal
added 2024/01/17 12:0 a.m.36 views

Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001

The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service DOS. Sites that do not use the Comment module are not affected...

7.5CVSS6.9AI score0.00457EPSS
Exploits0References12
Drupal
Drupal
added 2024/01/10 12:0 a.m.23 views

Typogrify - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-002

The Typogrify module brings the typographic refinements of Typogrify to Drupal. It provides a text filter and a Twig filter. The typogrify Twig filter can be used to bypass the Twig auto-escape feature, leading to a persistent Cross Site Scripting XSS vulnerability. This vulnerability is mitigate...

5.4CVSS6.2AI score0.00218EPSS
Exploits0References6
Drupal
Drupal
added 2024/01/10 12:0 a.m.32 views

File Entity (fieldable files) - Moderately critical - Cross Site Scripting, Access bypass - SA-CONTRIB-2024-001

File entity provides interfaces for managing files. It also extends the core file entity, allowing files to be fieldable, grouped into types, viewed using display modes and formatted using field formatters. The module previously did not sufficiently validate files under the scenario of a file...

5.4CVSS7AI score0.00232EPSS
Exploits0References7
Drupal
Drupal
added 2023/12/20 12:0 a.m.22 views

Data Visualisation Framework - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-055

This module allows you to turn various data sources Eg CSV or JSON file into interactive visualisation. The DVF module provides a field storage, widget & formatter that can be added to any entity. This module uses two third-party JS libraries having from low to medium vulnerabilities. One of the...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2023/12/06 12:0 a.m.20 views

Group - Less critical - Access bypass - SA-CONTRIB-2023-054

The Group module has the ability to make content private to specific groups. When viewing a list of entities, e.g. nodes, a visitor should only see those entities that are either not attached to a group or that they have group access to. The module doesn't sufficiently enforce list access under t...

7AI score
Exploits0References10
Drupal
Drupal
added 2023/11/29 12:0 a.m.23 views

Xsendfile - Moderately critical - Access bypass - SA-CONTRIB-2023-053

The Xsendfile module enables fast transfer for private files in Drupal. In order to control private file downloads, the module overrides ImageStyleDownloadController, for which a vulnerability was disclosed in SA-CORE-2023-005. The Xsendfile module was still based on an insecure version of...

7AI score
Exploits0References8
Drupal
Drupal
added 2023/11/15 12:0 a.m.26 views

Mollie for Drupal - Moderately critical - Faulty payment confirmation logic - SA-CONTRIB-2023-052

This module enables you to pay online via Mollie. The module might not properly load the correct order to update the payment status when Mollie redirects to the redirect URL. This can allow an attacker to apply other people's orders to their own, getting credit without paying. This vulnerability ...

7.1AI score
Exploits0References7
Drupal
Drupal
added 2023/11/08 12:0 a.m.24 views

GraphQL - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2023-051

The GraphQL module enables you to build GraphQL APIs which can include data fetching through Queries and data updates create, update, delete through mutations. The module does not sufficiently validate incoming requests that are made from domains other than the one serving the GraphQL endpoint. I...

7AI score
Exploits0References8
Drupal
Drupal
added 2023/11/08 12:0 a.m.17 views

GraphQL - Moderately critical - Access bypass - SA-CONTRIB-2023-050

This module lets you craft and expose a GraphQL schema for Drupal 9 and 10. The module currently does not adequately verify whether a given user has the necessary permissions to access an entity's label creating an access bypass vulnerability. This vulnerability is mitigated by the fact that enti...

7AI score
Exploits0References6
Drupal
Drupal
added 2023/11/01 12:0 a.m.16 views

Paragraphs admin - Moderately critical - - SA-CONTRIB-2023-049

This module enables you to view all paragraph entities in an admin view. The module contains an access bypass that allows non admin users to access the view. The vulnerability can be mitigated by editing the view to change the permission required to access the page...

7AI score
Exploits0References7
Drupal
Drupal
added 2023/10/04 12:0 a.m.39 views

Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2023-048

This module enables users to log in by email address with minimal configurations. Drupal core contains protection against brute force attacks via a flood control mechanism. This module's functionality did not replicate the flood control, enabling brute force attacks. A previous security advisory,...

6.7AI score
Exploits0References12
Drupal
Drupal
added 2023/09/27 12:0 a.m.17 views

Content Moderation Notifications - Moderately critical - Information disclosure - SA-CONTRIB-2023-047

This module enables notifications to be sent to all users of a particular role, or to the content's author when a piece of content is transitioned from one state to another via core's contentmoderation module. The module doesn't sufficiently check access to content when sending notifications. Thi...

6.8AI score
Exploits0References9
Drupal
Drupal
added 2023/09/27 12:0 a.m.17 views

Entity cache - Critical - Information disclosure - SA-CONTRIB-2023-046

Entity Cache puts core entities into Drupal's cache API. A recent release of the module does not sanitize certain inputs appropriately. This can lead to unintended behavior when wildcard characters are included in the input. The impact of this bug should be relatively minor in most configurations...

6.8AI score
Exploits0References11
Drupal
Drupal
added 2023/09/20 12:0 a.m.47 views

Drupal core - Critical - Cache poisoning - SA-CORE-2023-006

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation. This vulnerability only affects sites with the JSON:API module enabled,...

7.5CVSS6.6AI score0.00694EPSS
Exploits2References14
Drupal
Drupal
added 2023/09/13 12:0 a.m.20 views

Mail Login - Critical - Access bypass - SA-CONTRIB-2023-045

This module enables users to log in by email address with minimal configurations. Drupal core contains protection against brute force attacks via a flood control mechanism. This module's functionality did not replicate the flood control, enabling brute force attacks...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2023/09/06 12:0 a.m.6 views

highlight.php - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-043

Provides highlight.php integration to Drupal, allowing blocks to be automatically highlighted with the correct language. The module's Twig function doesn't sufficiently filter user-entered data...

5.4AI score
Exploits0References8
Drupal
Drupal
added 2023/09/06 12:0 a.m.18 views

WebProfiler - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-044

The Webprofiler module provides a way of displaying the Symfony profile debugging tool at the bottom of each page. The abbrclass Twig filter can be used to bypass the Twig auto-escape feature. This vulnerability is mitigated by the fact that it is only exposed when the filter is specifically used...

6.8AI score
Exploits0References5
Drupal
Drupal
added 2023/08/30 12:0 a.m.7 views

Unified Twig Extensions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-041

This module makes PatternLab's custom Twig functions available to Drupal theming. The module's included examples don't sufficiently filter data. This vulnerability is mitigated by the fact that the included examples must have been copied to a site's theme...

5.6AI score
Exploits0References5
Drupal
Drupal
added 2023/08/30 12:0 a.m.15 views

Obfuscate Email - Less critical - Cross Site Scripting - SA-CONTRIB-2023-042

This module enables you to hide email addresses from bots and site scrapers by using the rot13 strategy. The module doesn't sufficiently escape the data attribute under the scenario a user has access to manipulate that value. This vulnerability is mitigated by the fact that an attacker must have ...

6.6AI score
Exploits0References7
Drupal
Drupal
added 2023/08/23 12:0 a.m.3 views

Flexi Access - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-036

The Flexi Access module will provide a simple and flexible interface to the ACL Access Control List module. It will let you set up and mange ACLs naming individual users that are allowed access to a particular node. The module processes user input in a way that could be unsafe. This can lead to...

5.9AI score
Exploits0References7
Drupal
Drupal
added 2023/08/23 12:0 a.m.169 views

ACL - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-034

The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes. The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection. As this is an API module, it is only...

7.2AI score
Exploits0References9
Drupal
Drupal
added 2023/08/23 12:0 a.m.17 views

Data field - Moderately critical - Access bypass - SA-CONTRIB-2023-040

The Data Field module provides a way of building field types that are made up of other fields, a simpler alternative to e.g. the Paragraphs system. Access to these forms isn't properly validated, allowing a user with the "access content" permission to view and edit fields on entities...

6.7AI score
Exploits0References8
Drupal
Drupal
added 2023/08/23 12:0 a.m.11 views

SafeDelete - Moderately critical - Access bypass - SA-CONTRIB-2023-039

This module aims to prevent broken content references by informing content editors either on delete or archive moderation. The module provides an "orphaned content" report for broken references, which may reveal titles of unpublished content...

6.9AI score
Exploits0References8
Drupal
Drupal
added 2023/08/23 12:0 a.m.28 views

Forum Access - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-035

This module changes your forum administration page to allow you to set forums private. You can control what user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access on that forum AKA moderators. This module requires the...

7.2AI score
Exploits0References8
Drupal
Drupal
added 2023/08/23 12:0 a.m.14 views

Config Pages - Moderately critical - Information Disclosure - SA-CONTRIB-2023-037

This module enables you to build administrative pages for managing configuration objects, which may then be used elsewhere in the site. The module doesn't sufficiently validate access when the JSONAPI module is also installed. This vulnerability is mitigated by the fact that it only affects sites...

6.8AI score
Exploits0References6
Drupal
Drupal
added 2023/08/23 12:0 a.m.16 views

Shorthand - Critical - Access bypass - SA-CONTRIB-2023-038

This module provides integration with Shorthand, an application which describes itself as "beautifully simple storytelling". The module does not check appropriate permissions when displaying a list of all shorthand stories...

6.9AI score
Exploits0References7
Drupal
Drupal
added 2023/08/02 12:0 a.m.20 views

Matomo Analytics - Less critical - Cross Site Scripting - SA-CONTRIB-2023-033

This module enables you to add the Matomo web statistics tracking system to your website. The module does not check the Matomo JS code loaded on the website. So a user could configure the module to load JS from a malicious website. This vulnerability is mitigated by the fact that an attacker must...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2023/07/26 12:0 a.m.18 views

Drupal Symfony Mailer - Moderately critical - Cross site request forgery - SA-CONTRIB-2023-031

The module doesn’t sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions. This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations...

6.8AI score
Exploits0References5
Drupal
Drupal
added 2023/07/26 12:0 a.m.13 views

Minify Source HTML - Moderately critical - Cross site scripting - SA-CONTRIB-2023-032

Carefully crafted input by an attacker will not be sanitized by this module, which can result in a script injection...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2023/07/12 12:0 a.m.43 views

Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2023-030

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication. The module doesn't sufficiently ensure all core login routes, including the password reset page, require a second factor credential. This vulnerability is mitigated ...

7AI score
Exploits0References15
Drupal
Drupal
added 2023/06/28 12:0 a.m.21 views

TacJS - Moderately critical - Cross site scripting - SA-CONTRIB-2023-029

This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker needs additional permissions. The...

6AI score
Exploits0References8
Drupal
Drupal
added 2023/06/28 12:0 a.m.10 views

Libraries UI - Moderately critical - Access bypass - SA-CONTRIB-2023-027

This module enables a UI to display all libraries provided by modules and themes on the Drupal site. The module doesn't sufficiently protect the libraries reporting page. It curently is using the 'access content' permission and not a proper administrative/access permission. The...

6.5AI score
Exploits0References6
Drupal
Drupal
added 2023/06/28 12:0 a.m.20 views

GDPR Alert - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-023

This module enables you to define configurable GDPR alert messages. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be...

6AI score
Exploits0References6
Drupal
Drupal
added 2023/06/28 12:0 a.m.13 views

GridStack - Less critical - Cross Site Scripting - SA-CONTRIB-2023-024

This module enables you to create dynamic layouts and add sample color palettes for color selection hints via its UI. The module doesn't sufficiently sanitize the module's settings in certain scenarios leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact th...

6.3AI score
Exploits0References6
Drupal
Drupal
added 2023/06/28 12:0 a.m.16 views

Mailchimp - Critical - Cross Site Request Forgery - SA-CONTRIB-2023-025

This module provides integration with Mailchimp, a popular email delivery service. A route related to OAuth authentication is not protected against a Cross Site Request Forgery attack...

7.1AI score
Exploits0References7
Drupal
Drupal
added 2023/06/28 12:0 a.m.13 views

Search Autocomplete - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-026

This module enables you to use complex autocompletion in forms. The module doesn't sufficiently filter text in the data it exposes, allowing a malicious user to enter specially crafted tags to exploit a Cross Site Scripting XSS attack. This vulnerability is mitigated by the fact that an attacker...

6AI score
Exploits0References7
Drupal
Drupal
added 2023/06/28 12:0 a.m.5 views

Expandable Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-028

This module enables you to render a field in an expandable/collapsible region. The module doesn't sufficiently sanitize the field content when displaying it to an end user. This vulnerability is mitigated by the fact that an attacker must have a role capable of creating content that uses the fiel...

5.6AI score
Exploits0References8
Drupal
Drupal
added 2023/06/21 12:0 a.m.348 views

Album Photos - Critical - Access bypass - SA-CONTRIB-2023-022

This module enables you to create and manage photos and photo albums on your website. The module doesn't sufficiently check node access when a user is provided the "edit any photo" or "delete any photo" permissions. This vulnerability is mitigated by the fact that an attacker must have a role wit...

6.6AI score
Exploits0References6
Drupal
Drupal
added 2023/06/21 12:0 a.m.17 views

Civic Cookie Control - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-021

CivicCookieControl is a module that can help make a website compliant with EU and UK cookie legislation. The Civic GovUK Cookie Control module does not sufficiently sanitize the configuration resulting in a Cross-Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that t...

5.9AI score
Exploits0References6
Drupal
Drupal
added 2023/06/14 12:0 a.m.19 views

Office Hours - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-020

This module enables you to define a 'weekly office hours' field type, and add a field to any Content type, in order to display the weekly opening hours for a location. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting XSS vulnerability. This vulnerability...

6AI score
Exploits0References4
Drupal
Drupal
added 2023/05/31 12:0 a.m.23 views

AddToAny Share Buttons - Moderately critical - Access bypass - SA-CONTRIB-2023-018

This module provides social media share & follow buttons. The module doesn't sufficiently check access to a node when retrieving the label of an AddToAny block. This vulnerability is mitigated by the fact it requires the node ID to be passed via the route, requiring another module or specific...

6.8AI score
Exploits0References5
Drupal
Drupal
added 2023/05/31 12:0 a.m.14 views

Consent Popup - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-017

The Consent Popup provides a configurable popup that requires acceptance of a question before the visitor can continue, typically used for age consent. The module doesn't sufficiently sanitizes the text on the block leading to a cross site scripting XSS vulnerability. This vulnerability is...

6AI score
Exploits0References6
Drupal
Drupal
added 2023/05/31 12:0 a.m.20 views

Iubenda Integration - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-016

The Iubenda Integration module provides a custom block to provide a link to the Iubenda privacy policy. On this block, a custom prefix and suffix text can be entered. The module does not sufficiently filter the block text fields on output, resulting in a Cross-Site Scripting XSS vulnerability. Th...

5.8AI score
Exploits0References5
Drupal
Drupal
added 2023/05/31 12:0 a.m.20 views

AddToAny Share Buttons - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-019

This module provides social media share & follow buttons. The module doesn't sufficiently restrict AddToAny block settings to users who have permission to administer AddToAny. This allows users with lower permission to configure malicious code leading to a Cross Site Scripting XSS vulnerability...

6.1AI score
Exploits0References7
Drupal
Drupal
added 2023/05/17 12:0 a.m.25 views

File Chooser Field - Moderately critical - Server Side Request Forgery, Information Disclosure - SA-CONTRIB-2023-015

The File Chooser Field allows users to upload files using 3rd party plugins such as Google Drive and Dropbox. This module fails to validate user input sufficiently which could under certain circumstances lead to a Server Side Request Forgery SSRF vulnerability leading to Information Disclosure. I...

7.4AI score
Exploits0References6
Drupal
Drupal
added 2023/05/03 12:0 a.m.7 views

S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2023-014

S3 File System s3fs provides an additional file system to your Drupal site, which stores files in Amazon's Simple Storage Service S3 or any other S3-compatible storage service. This module may fail to validate that a file being requested to be moved to storage was uploaded during the same web...

5.6AI score
Exploits0References4
Drupal
Drupal
added 2023/04/19 12:0 a.m.135 views

Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005

The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your...

6.5CVSS6.5AI score0.0054EPSS
Exploits0References25
Total number of security vulnerabilities1940