Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
•added 2023/04/12 12:0 a.m.•17 views

Protected Pages - Critical - Access bypass - SA-CONTRIB-2023-013

This module enables you to secure any page with a password. The module does not sufficiently restrict access to the page content...

6.6AI score
Exploits0References6
Drupal
Drupal
•added 2023/03/29 12:0 a.m.•18 views

Xray Audit - Moderately critical - Cross site scripting - SA-CONTRIB-2023-012

This module is a tool for developers, analysts, and administrators that allows them to generate reports on a given Drupal installation. The module does not sufficiently sanitize some data presented in its reports. This vulnerability is mitigated by the fact that an attacker must have a role with...

6.5AI score
Exploits0References7
Drupal
Drupal
•added 2023/03/15 12:0 a.m.•32 views

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003

The language module provides a Language switcher block which can be placed to provide links to quickly switch between different languages. The URL of unpublished translations may be disclosed. When used in conjunction with a module like Pathauto, this may reveal the title of unpublished content...

1.2AI score
Exploits0References13
Drupal
Drupal
•added 2023/03/15 12:0 a.m.•25 views

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-002

The Media module does not properly check entity access in some circumstances. This may result in users seeing thumbnails of media items they do not have access to, including for private files. This release was coordinated with SA-CONTRIB-2023-010. This advisory is not covered by Drupal Steward...

3.1AI score
Exploits0References14
Drupal
Drupal
•added 2023/03/15 12:0 a.m.•18 views

Responsive media Image Formatter - Critical - Unsupported - SA-CONTRIB-2023-011

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
•added 2023/03/15 12:0 a.m.•16 views

Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010

The Media Responsive Thumbnail module allows media reference fields to be rendered as a responsive image. This module does not properly check entity access prior to rendering media. This may result in users seeing thumbnails of media items they do not have access to. This release was coordinated...

6.6AI score
Exploits0References10
Drupal
Drupal
•added 2023/03/15 12:0 a.m.•154 views

Drupal core - Moderately critical - Access bypass - SA-CORE-2023-004

Drupal core provides a page that outputs the markup from phpinfo to assist with diagnosing PHP configuration. If an attacker was able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information that could be used to escalate the...

1.9AI score
Exploits0References16
Drupal
Drupal
•added 2023/03/08 12:0 a.m.•11 views

Gutenberg - Less critical - Denial of Service - SA-CONTRIB-2023-009

This module provides a new UI experience for node editing - Gutenberg editor. This vulnerability can cause DoS by using reusable blocks improperly. This vulnerability is mitigated by the fact an attacker must have "use gutenberg" permission to exploit it...

6.5AI score
Exploits0References6
Drupal
Drupal
•added 2023/03/01 12:0 a.m.•19 views

Thunder - Moderately critical - Access bypass - SA-CONTRIB-2023-007

Thunder is a Drupal distribution for professional publishing. The thunder distribution ships the thundergqls module which provides a graphql interface. The module doesn't sufficiently check access when serving user data via graphql leading to an access bypass vulnerability potentially exposing...

6.7AI score
Exploits0References7
Drupal
Drupal
•added 2023/03/01 12:0 a.m.•15 views

Group control for forums - Critical - Access bypass - SA-CONTRIB-2023-008

This module enables you to associate Forums as Group 1.x content and use Group access permissions. Previous versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics...

6.7AI score
Exploits0References5
Drupal
Drupal
•added 2023/03/01 12:0 a.m.•15 views

Better Social Sharing Buttons - Less critical - Cross Site Scripting - SA-CONTRIB-2023-006

This module enables you to add social sharing buttons to a site. The module doesn't sufficiently sanitize the weight and ratio values entered in the module or block configuration. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks"...

6.4AI score
Exploits0References5
Drupal
Drupal
•added 2023/02/01 12:0 a.m.•17 views

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2023-005

The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal. Previous module versions did not support entity query level access checking, which could have led to information disclosure or access bypass in various places...

6.1AI score
Exploits0References4
Drupal
Drupal
•added 2023/01/18 12:0 a.m.•17 views

Media Library Block - Moderately critical - Information Disclosure - SA-CONTRIB-2023-003

The Media Library Block module allows you to render a media entity in a block. The module does not properly check media access in some circumstances. This may result in unauthorized users including anonymous users seeing media items they are not authorized to access if a block containing a...

6.3AI score
Exploits0References9
Drupal
Drupal
•added 2023/01/18 12:0 a.m.•17 views

Media Library Form API Element - Moderately critical - Information Disclosure - SA-CONTRIB-2023-004

This module enables you to use the media library in custom forms without the Media Library Widget. The module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access. The...

6.5AI score
Exploits0References10
Drupal
Drupal
•added 2023/01/18 12:0 a.m.•69 views

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001

The Media Library module does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about media items they are not authorized to access. The vulnerability is mitigated by the fact that the inaccessible media will only be visib...

4.6AI score
Exploits0References14
Drupal
Drupal
•added 2023/01/18 12:0 a.m.•17 views

Entity Browser - Moderately critical - Information Disclosure - SA-CONTRIB-2023-002

The Entity Browser module allows you to select entities from entity reference fields using a custom entity browser widget. Entity Browser does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about entities they are not...

6.5AI score
Exploits0References8
Drupal
Drupal
•added 2023/01/11 12:0 a.m.•8 views

Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001

This module enables users to create 'private' vocabularies. The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View...

5.6AI score
Exploits0References7
Drupal
Drupal
•added 2022/12/14 12:0 a.m.•6 views

H5P - Create and Share Rich Content and Applications - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-064

This module enables you to create interactive content. The module doesn't sufficiently stop path traversal attacks through zipped filenames for the uploadable .h5p files. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "update h5p libraries". In...

5.6AI score
Exploits0References5
Drupal
Drupal
•added 2022/12/14 12:0 a.m.•20 views

File (Field) Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-065

The File Field Paths module extends the default functionality of Drupal's core File module, by adding the ability to use entity-based tokens in destination paths and file names. The module's default configuration could temporarily expose private files to anonymous visitors. Important note: to fix...

6.4AI score
Exploits0References12
Drupal
Drupal
•added 2022/12/07 12:0 a.m.•17 views

Entity Registration - Moderately critical - Access bypass - SA-CONTRIB-2022-063

This module enables you to create registration entities related to nodes. The module doesn't sufficiently restrict update access to a user's own registrations. This vulnerability is mitigated by the fact that an attacker must have the "update own registration type" permission...

6.5AI score
Exploits0References6
Drupal
Drupal
•added 2022/11/30 12:0 a.m.•18 views

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-061

Social Flexible Group is an Open Social extension that allows users to create groups with many different configurations. In specific uncommon scenarios, where a platform doesn't have any flexible groups with the "Group members only secret" visibility, community groups are visible to anonymous use...

6.3AI score
Exploits0References9
Drupal
Drupal
•added 2022/11/30 12:0 a.m.•18 views

Social Base - Moderately critical - Access bypass - SA-CONTRIB-2022-060

The Social Base theme is designed as a base theme for Open Social. This base theme holds has a lot of sensible defaults. It doesn't however contain much styling. We expect developers to want to change this for their own project. When content within the Open Social distribution is placed within a...

6.4AI score
Exploits0References8
Drupal
Drupal
•added 2022/11/30 12:0 a.m.•17 views

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-062

Social Private Message module allows users on the platform to allow users to send private messages to each other. The module does not properly perform the correct access checks for certain operations...

6.7AI score
Exploits0References7
Drupal
Drupal
•added 2022/10/19 12:0 a.m.•21 views

Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059

This module enables you to build searches using a wide range of features, data sources and backends. The module doesn't in all cases correctly detect whether a given search is active on the current page, leading to potential information disclosure for some setups. This vulnerability is mitigated ...

6AI score
Exploits0References8
Drupal
Drupal
•added 2022/10/12 12:0 a.m.•21 views

Twig Field Value - Moderately critical - Access bypass - SA-CONTRIB-2022-058

This module enables themers to get partial data from field render arrays. It gives them more control over the output without drilling deep into the render array or using preprocess functions. The module doesn't sufficiently apply access restrictions when using the filters fieldlabel, fieldvalue,...

6.5AI score
Exploits0References6
Drupal
Drupal
•added 2022/09/28 12:0 a.m.•8 views

S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2022-057

This module enables you to utilize S3-compatible storage as a Drupal filesystem. The module doesn't sufficiently prevent file access across multiple filesystem schemes stored in the same bucket. This vulnerability is mitigated by the fact that an attacker must obtain a method to access arbitrary...

5.6AI score
Exploits0References6
Drupal
Drupal
•added 2022/09/28 12:0 a.m.•56 views

Drupal core - Critical - Multiple vulnerabilities - SA-CORE-2022-016

Drupal uses the Twig third-party library for content templating and sanitization. Twig has released a security update that affects Drupal. Twig has rated the vulnerability as high severity. Drupal core's code extending Twig has also been updated to mitigate a related vulnerability. Multiple...

7.5CVSS1.7AI score0.01557EPSS
Exploits0References21
Drupal
Drupal
•added 2022/09/07 12:0 a.m.•22 views

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-055

This module enables you to restrict content via taxonomy terms and related permissions. The module doesn't sufficiently restrict cached content in certain circumstances. This vulnerability is mitigated by the fact that it only occurs when multiple entity types are enabled in the module...

6.7AI score
Exploits0References13
Drupal
Drupal
•added 2022/09/07 12:0 a.m.•15 views

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-056

This module enables you to set content permissions based on taxonomy terms. The module doesn't sufficiently restrict access to translated and unpublished nodes. This vulnerability is mitigated by the fact that it only affects sites with translated content...

6.6AI score
Exploits0References7
Drupal
Drupal
•added 2022/09/07 12:0 a.m.•28 views

Next.js - Moderately critical - Access bypass - SA-CONTRIB-2022-054

The Next.js module provides an inline preview for content. Authenticated requests are made to Drupal to fetch JSON:API content and render them in an iframe from the decoupled Next.js site. The current implementation doesn’t sufficiently check access for fetching data. All requests made to Drupal...

6.4AI score
Exploits0References7
Drupal
Drupal
•added 2022/08/24 12:0 a.m.•22 views

Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053

This module enables you to accept payments from the Elavon payment provider. The module doesn't sufficiently verify that it's communicating with the correct server when using the Elavon On-site payment gateway, which could lead to leaking valid payment details as well as accepting invalid payment...

6.4AI score
Exploits0References6
Drupal
Drupal
•added 2022/08/10 12:0 a.m.•9 views

jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052

jQuery UI is a third-party library used by Drupal. The jQuery UI Checkboxradio module provides the jQuery UI Checkboxradio library which was previously in Drupal 8 core, but has since been removed from core and moved to this module. As part of the jQuery UI 1.13.2 update, the jQuery UI project...

6.1CVSS5.5AI score0.01933EPSS
Exploits1References7
Drupal
Drupal
•added 2022/07/27 12:0 a.m.•11 views

Tagify - Moderately critical - Access bypass - SA-CONTRIB-2022-051

This module provides a widget to transform entity reference fields into a more user-friendly tags input component with a great performance. The module doesn't sufficiently check access for the add operation. Users with permission to edit content can view and reference unpublished terms. The edit...

6.3AI score
Exploits0References6
Drupal
Drupal
•added 2022/07/27 12:0 a.m.•17 views

PDF generator API - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-050

This module enables you to generate PDF versions of content. Some installations of the module make use of the dompdf/dompdf third-party dependency. Security vulnerabilities exist for versions of dompdf/dompdf before 2.0.0 as described in the 2.0.0 release notes...

6.7AI score
Exploits0References8
Drupal
Drupal
•added 2022/07/27 12:0 a.m.•7 views

Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049

This module enables you to conditionally display blocks in particular theme regions. The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction. This vulnerability is mitigated by the fact that an attacker mu...

5.5AI score
Exploits0References8
Drupal
Drupal
•added 2022/07/20 12:0 a.m.•52 views

Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013

Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to. No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules...

6.5CVSS2.4AI score0.0059EPSS
Exploits0References16
Drupal
Drupal
•added 2022/07/20 12:0 a.m.•37 views

Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015

The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities. This advisory is not covere...

6.1CVSS3.3AI score0.00526EPSS
Exploits0References16
Drupal
Drupal
•added 2022/07/20 12:0 a.m.•39 views

Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However,...

7.5CVSS0.8AI score0.00667EPSS
Exploits0References19
Drupal
Drupal
•added 2022/07/20 12:0 a.m.•97 views

Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014

Updated 2022-07-20 19:45 UTC to indicate that this only affects Apache web servers. Drupal core sanitizes filenames with dangerous extensions upon upload reference: SA-CORE-2020-012 and strips leading and trailing dots from filenames to prevent uploading server configuration files reference:...

7.2CVSS1AI score0.01422EPSS
Exploits0References15
Drupal
Drupal
•added 2022/07/13 12:0 a.m.•18 views

Entity Print - Moderately critical - Multiple: Remote Code Execution, Information disclosure - SA-CONTRIB-2022-048

This module enables you to generate print versions of content. Some installations of the module make use of the dompdf/dompdf third-party dependency. Security vulnerabilities exist for versions of dompdf/dompdf 2.0.0 See the library release notes for more detail:...

6.6AI score
Exploits0References10
Drupal
Drupal
•added 2022/06/29 12:0 a.m.•18 views

Lottiefiles Field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-046

The Lottiefiles Field module enables you to integrate the lottiefiles features into your page. The module does not sufficiently filter user-provided text on output, resulting in a Cross-Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role...

5.6AI score
Exploits0References5
Drupal
Drupal
•added 2022/06/29 12:0 a.m.•23 views

Config Terms - Critical - Access bypass - SA-CONTRIB-2022-047

This module enables you to create and manage a version of taxonomy based on configuration entities instead of content. This allows the terms, vocabularies, and their structure to be exported, imported, and managed as site configuration. The module doesn't sufficiently check access for the edit an...

6.3AI score
Exploits0References4
Drupal
Drupal
•added 2022/06/10 12:0 a.m.•42 views

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-011

Updated 22:00 UTC 2022-06-10: Added steps to update without drupal/core-recommended. Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released two security advisories: Failure to strip the Cookie header on change in host or HTTP...

0.1AI score
Exploits0References20
Drupal
Drupal
•added 2022/05/25 12:0 a.m.•52 views

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-010

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites. We are issuing this security advisory outside...

8.1CVSS0.4AI score0.01239EPSS
Exploits0References14
Drupal
Drupal
•added 2022/05/25 12:0 a.m.•13 views

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-043

Open Social is a Drupal distribution for online communities. Group entities created within Open Social did not sufficiently check entity access in group overviews, allowing users to see information in the overviews they should not have access to. Visiting the entity directly resulted in correct...

6.2AI score
Exploits0References9
Drupal
Drupal
•added 2022/05/25 12:0 a.m.•116 views

Embed - Moderately critical - Cross-Site Request Forgery - SA-CONTRIB-2022-042

The Drupal Embed module provides a filter to allow embedding various embeddable items like entities in content fields. In certain circumstances, the filter could allow an unprivileged user to inject HTML into a page when it is accessed by a trusted user with permission to embed items. In some...

6.2AI score
Exploits0References7
Drupal
Drupal
•added 2022/05/25 12:0 a.m.•10 views

Apigee Edge - Moderately critical - Access bypass - SA-CONTRIB-2022-045

The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal. The developers user can view API keys for their respective Apps. The module discloses information by allowing attackers to view cached information of API Keys from the browser cache for...

6.3AI score
Exploits0References3
Drupal
Drupal
•added 2022/05/25 12:0 a.m.•15 views

Entity Browser Block - Moderately critical - Access bypass - SA-CONTRIB-2022-044

Entity Browser Block provides a Block Plugin for every Entity Browser on your site. The module didn't sufficiently check entity view access in the block form. This vulnerability is mitigated by the fact that an attacker must be able to place a block - either through the core "Block Layout" page o...

6.3AI score
Exploits0References5
Drupal
Drupal
•added 2022/05/18 12:0 a.m.•18 views

Wingsuit - Storybook for UI Patterns - Critical - Access bypass - SA-CONTRIB-2022-040

The Wingsuit module enables site builders to build UI Patterns and|or Twig Components with Storybook and use them without any mapping code in Drupal. The module doesn't have an access check for the admin form allowing an attacker to view and modify the Wingsuit configuration...

6.7AI score
Exploits0References4
Drupal
Drupal
•added 2022/05/04 12:0 a.m.•26 views

Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038

The module adds a "Clone" tab to a node. When clicked, a new node is created and fields from the previous node are populated into the new fields. This module supports paragraphs, groups, and other referenced entities. The module has a vulnerability which allows attackers to bypass the protection ...

6.6AI score
Exploits0References6
Total number of security vulnerabilities1940