Lucene search
K
DrupalRecent

1940 matches found

Drupal
Drupal
added 2022/05/04 12:0 a.m.11 views

Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034

This module enables you to add URL fields to entity types with a variety of options. The module doesn't sufficiently filter output when token processing is disabled on an individual field. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create...

6.4AI score
Exploits0References5
Drupal
Drupal
added 2022/05/04 12:0 a.m.21 views

Image Field Caption - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-036

Image Field Caption imagefieldcaption adds an extra text area for captions on image fields. The module doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting XSS vulnerability. The vulnerability is mitigated by several permissions, of which at least some are commonly...

6.3AI score
Exploits0References5
Drupal
Drupal
added 2022/05/04 12:0 a.m.16 views

Doubleclick for Publishers (DFP) - Moderately critical - Cross site scripting - SA-CONTRIB-2022-035

Doubleclick for Publishers DFP module enables a site to place ads from Doubleclick For Publishers. The module doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting XSS vulnerabilities. An attacker that can create or edit certain entities may be able to exploit a...

6AI score
Exploits0References6
Drupal
Drupal
added 2022/05/04 12:0 a.m.6 views

Duo Two-Factor Authentication - Critical - Unsupported - SA-CONTRIB-2022-039

The security team is marking this project unsupported. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

5.5AI score
Exploits0References2
Drupal
Drupal
added 2022/04/20 12:0 a.m.42 views

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter...

7.5CVSS3.8AI score0.00568EPSS
Exploits0References8
Drupal
Drupal
added 2022/04/20 12:0 a.m.40 views

Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009

Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual...

5.4CVSS2.8AI score0.00423EPSS
Exploits0References10
Drupal
Drupal
added 2022/04/12 12:0 a.m.21 views

Rename Admin Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-033

The Rename Admin Path module provides additional security to Drupal sites by renaming the admin paths. The module has a vulnerability with allows attackers to bypass the protection by using specially crafted URLs. The risk is mitigated by the fact that, even though the attacker can bypass the...

6.6AI score
Exploits0References6
Drupal
Drupal
added 2022/03/30 12:0 a.m.19 views

Anti-Spam by CleanTalk - Moderately critical - SQL Injection - SA-CONTRIB-2022-032

This module provides integration with the CleanTalk spam protection service. The module does not properly filter data in certain circumstances. Update: 2022-03-31 - fix release node links...

6.8AI score
Exploits0References7
Drupal
Drupal
added 2022/03/23 12:0 a.m.14 views

Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported This module was...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2022/03/23 12:0 a.m.25 views

Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031

This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the administer permissions permission. The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An...

6.4AI score
Exploits0References6
Drupal
Drupal
added 2022/03/21 12:0 a.m.43 views

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006

Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites. We are issuing this security advisory outside our regular Drupal security release window schedule since Guzzle has...

7.5CVSS0.3AI score0.02384EPSS
Exploits0References13
Drupal
Drupal
added 2022/03/16 12:0 a.m.48 views

Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-005

The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal. Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content even without...

7.5CVSS1.3AI score0.02448EPSS
Exploits0References14
Drupal
Drupal
added 2022/03/09 12:0 a.m.15 views

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029

This module is used as part of the Opigno LMS distribution and implements learning paths for the LMS. The module was providing too much user information about users such as the list of groups a uid is in...

6.5AI score
Exploits0References4
Drupal
Drupal
added 2022/03/09 12:0 a.m.14 views

SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028

SVG Formatter module provides support for using SVG images on your website. Our dependency library enshrined/svg-sanitize has a cross-site scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with permission that enables them to upload SVG images...

6AI score
Exploits0References8
Drupal
Drupal
added 2022/02/23 12:0 a.m.73 views

GOV.UK Theme - Moderately critical - Cross site scripting - SA-CONTRIB-2022-027

The GOV.UK Theme govuktheme is a Drupal theme for the GOV.UK Design System. The theme doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting XSS vulnerabilities. An attacker that can create or edit certain entities or configuration may be able to exploit one or more...

6.4AI score
Exploits0References5
Drupal
Drupal
added 2022/02/23 12:0 a.m.15 views

Entity Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-026

This module provides an entity relationship hierarchy tree widget for an entity reference field. The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to...

6.3AI score
Exploits0References6
Drupal
Drupal
added 2022/02/16 12:0 a.m.66 views

Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003

Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter...

7.5CVSS4.1AI score0.01266EPSS
Exploits0References14
Drupal
Drupal
added 2022/02/16 12:0 a.m.61 views

Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004

The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access. Sites are only affected if the QuickEdit module which comes with the Standard...

6.5CVSS2.5AI score0.00769EPSS
Exploits0References18
Drupal
Drupal
added 2022/02/16 12:0 a.m.13 views

Quick Edit - Moderately critical - Information Disclosure - SA-CONTRIB-2022-025

This advisory addresses a similar issue to Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004. The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some conten...

6.4AI score
Exploits0References15
Drupal
Drupal
added 2022/02/09 12:0 a.m.14 views

Custom Breadcrumbs - Less critical - Cross Site Scripting - SA-CONTRIB-2022-024

The Custom Breadcrumbs module provides a variety of options for customizing the breadcrumb trail. The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission...

6.3AI score
Exploits0References5
Drupal
Drupal
added 2022/02/09 12:0 a.m.14 views

Fancy File Delete - Moderately critical - Access Bypass - SA-CONTRIB-2022-023

This module enables you to manage and delete files. The module doesn't sufficiently protect unmanaged files from view under the scenario unauthenticated user knows path to visit the view and can attempt to delete files which results in duplicate files being created. To mitigate this issue without...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2022/01/26 12:0 a.m.4 views

Private Taxonomy Terms - Critical - Access bypass, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2022-014

This module enables users to create 'private' vocabularies. The module doesn't sufficiently check user access permissions when attempting to view, edit, or add terms to vocabularies, including vocabularies not managed by the module. Partial mitigation is available by requiring users have been...

5.6AI score
Exploits0References6
Drupal
Drupal
added 2022/01/25 12:0 a.m.6 views

Exif - Critical - Remote code execution - SA-CONTRIB-2022-015

This module enables you to automatically scan images uploaded to the site to extract their meta data and store it in taxonomy structures. The module doesn't sufficiently protect against malicious files being used to attack the site. This vulnerability is mitigated by the fact that an attacker mus...

5.4AI score
Exploits0References9
Drupal
Drupal
added 2022/01/25 12:0 a.m.15 views

Navbar - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-011

This module provides a very simple, mobile-friendly navigation toolbar. The module doesn't sufficiently check for user-provided input. This vulnerability is mitigated by the fact that an attacker must have the ability to post content using a text format like the default "Filtered HTML" format tha...

6.5AI score
Exploits0References4
Drupal
Drupal
added 2022/01/25 12:0 a.m.17 views

Printer, email and PDF versions - Critical - Unsupported - SA-CONTRIB-2022-022

Update 2022-05-31. A past and new maintainers have created a fix and new releases which include fixes for the security issue that caused the module to be unsupported. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by...

6.6AI score
Exploits0References3
Drupal
Drupal
added 2022/01/25 12:0 a.m.15 views

Business Responsive Theme - Critical - Unsupported - SA-CONTRIB-2022-013

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2022/01/25 12:0 a.m.13 views

Swiftype integration - Critical - Unsupported - SA-CONTRIB-2022-012

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2022/01/25 12:0 a.m.12 views

Prevent anonymous users to access Drupal pages - Critical - Unsupported - SA-CONTRIB-2022-005

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2022/01/25 12:0 a.m.15 views

Rate - Critical - Unsupported - SA-CONTRIB-2022-010

2022-01-31 - a new maintainer has step forward and this module has been updated. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read:...

6.8AI score
Exploits0References3
Drupal
Drupal
added 2022/01/25 12:0 a.m.15 views

Remote Stream Wrapper - Critical - Unsupported - SA-CONTRIB-2022-020

Update 2022-05-04: Existing maintainers have updated the project to clarify that the module did not contain a security issue that caused the module to be unsupported. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by...

6.6AI score
Exploits0References4
Drupal
Drupal
added 2022/01/25 12:0 a.m.14 views

Image Media Export Import - Critical - Unsupported - SA-CONTRIB-2022-021

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2022/01/25 12:0 a.m.16 views

Vendor Stream Wrapper - Moderately critical - Unsupported - SA-CONTRIB-2022-019

This module provides a stream wrapper for files located in the vendor directory. Even when the vendor directory is moved outside the webroot, it allows providing publically accessible URLs to these files. The module exposes all files that are in the vendor directory, without a site owner's...

6.6AI score
Exploits0References6
Drupal
Drupal
added 2022/01/25 12:0 a.m.7 views

Expire reset password link - Critical - Unsupported - SA-CONTRIB-2022-009

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2022/01/25 12:0 a.m.15 views

Vocabulary Permissions Per Role - Critical - Access bypass - SA-CONTRIB-2022-016

Update Maintainers stepped forward, fixed the security issue, and Vocabulary Permissions Per Role is supported again. The module allows adding to/editing terms of/removing terms from vocabularies per role. The module did not properly check access for certain operations allowing an unauthorized...

6.7AI score
Exploits0References6
Drupal
Drupal
added 2022/01/25 12:0 a.m.18 views

Taxonomy Access Control Lite - Critical - Unsupported - SA-CONTRIB-2022-006

Update 2022-03-01. New maintainers have volunteered for the project and created a new release which includes fixes for the 3 security issues that caused the module to be unsupported. The security team is marking this project unsupported. There is a known security issue with the project that has n...

6.7AI score
Exploits0References3
Drupal
Drupal
added 2022/01/25 12:0 a.m.18 views

Colorbox - Critical - Unsupported - SA-CONTRIB-2022-007

Updated 2022-02-02: New maintainers have volunteered for the project and created new releases which includes fixes for the security issues that caused the module to be unsupported. The security team is marking this project unsupported. There is a known security issue with the project that has not...

6.9AI score
Exploits0References2
Drupal
Drupal
added 2022/01/25 12:0 a.m.38 views

Admin Toolbar Search - Critical - Unsupported - SA-CONTRIB-2022-008

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2022/01/25 12:0 a.m.14 views

Cog - Critical - Unsupported - SA-CONTRIB-2022-018

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2022/01/25 12:0 a.m.12 views

Media Entity Flickr - Critical - Unsupported - SA-CONTRIB-2022-017

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466procedure---own-project---unsupported...

6.6AI score
Exploits0References2
Drupal
Drupal
added 2022/01/19 12:0 a.m.74 views

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001

jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life. Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issu...

6.5CVSS1AI score0.44515EPSS
Exploits2References14
Drupal
Drupal
added 2022/01/19 12:0 a.m.50 views

jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004

jQuery UI is a third-party library used by Drupal. The jQuery UI Datepicker module provides the jQuery UI Datepicker library, which is not included in Drupal 9 core. jQuery UI was previously thought to be end-of-life. Late in 2021, jQuery UI announced that they would be continuing development, an...

6.5CVSS6.2AI score0.42229EPSS
Exploits2References7
Drupal
Drupal
added 2022/01/19 12:0 a.m.122 views

Drupal core - Moderately critical - Cross site scripting - SA-CORE-2022-002

jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life. Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. In addition to the issue covered by SA-CORE-2022-001, further security...

6.5CVSS0.8AI score0.42229EPSS
Exploits4References10
Drupal
Drupal
added 2022/01/05 12:0 a.m.14 views

Super Login - Critical - Access bypass - SA-CONTRIB-2022-001

This module enables you to login with an email address. The module doesn't sufficiently check if a user account is active when using email login. This vulnerability is mitigated by the fact that an attacker must have an account in the website that is blocked...

6.5AI score
Exploits0References5
Drupal
Drupal
added 2022/01/05 12:0 a.m.13 views

Wysiwyg - Moderately critical - Cross site scripting - SA-CONTRIB-2022-003

This module enables you to integrate various What-You-See-Is-What-You-Get WYSIWYG rich text editors into Drupal fields with text formats allowing markup for easier editing. The module doesn't sufficiently sanitize user input before attaching a WYSIWYG editor to an input field such as a textarea. ...

5.8AI score
Exploits0References10
Drupal
Drupal
added 2022/01/05 12:0 a.m.28 views

Simple OAuth (OAuth2) & OpenID Connect - Moderately critical - Access bypass - SA-CONTRIB-2022-002

This module enables you to implement OAuth 2.0 authentication for Drupal. The module doesn't sufficiently verify client secret keys for "confidential" OAuth 2.0 clients when using certain grant types. The token refresh and client credentials grants are not affected. This vulnerability is mitigate...

6.2AI score
Exploits0References10
Drupal
Drupal
added 2021/12/22 12:0 a.m.16 views

Mail Login - Moderately critical - Access bypass - SA-CONTRIB-2021-047

This modules enables users to login via email address. This module does not sufficiently check user status when authenticating...

6.6AI score
Exploits0References10
Drupal
Drupal
added 2021/12/08 12:0 a.m.18 views

Search API Pages - Critical - Cross Site Scripting - SA-CONTRIB-2021-046

This module enables you to create simple search pages based on Search API without the use of Views. The module doesn’t sufficiently escape all variables provided for custom templates. This vulnerability is mitigated by the fact that the default template provided by the module is not affected...

6.7AI score
Exploits0References7
Drupal
Drupal
added 2021/12/08 12:0 a.m.29 views

Webform - Critical - Cross Site Scripting, Access Bypass - SA-CONTRIB-2021-045

Access Bypass: This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently check access for administrative features for webforms attached to nodes using the Webform Node module. This may reveal submitted data or allow an attacker to modify submitted data...

6.6AI score
Exploits0References11
Drupal
Drupal
added 2021/11/17 12:0 a.m.14 views

OpenID Connect Microsoft Azure Active Directory client - Moderately critical - Access Bypass - SA-CONTRIB-2021-044

This module enables users to authenticate through their Microsoft Azure AD account. The module does not sufficiently check authorization before updating user profile information in certain non-default configurations. This could lead a user being able to hijack another existing account. This...

6.1AI score
Exploits0References8
Drupal
Drupal
added 2021/11/17 12:0 a.m.45 views

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2021-011

The Drupal project uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal, along with a hotfix for that update. Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can...

8.2CVSS6.1AI score0.0147EPSS
Exploits0References16
Total number of security vulnerabilities1940