The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Drupal Modules ~ not comprehensive

computer vulnerability alert 26706

Drupal Tapestry: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal Tapestry, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 12/07/2018.
Identifiers: DRUPAL-SA-CONTRIB-2018-051, VIGILANCE-VUL-26706.

Description of the vulnerability

The Tapestry module can be installed on Drupal.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal Tapestry, in order to run JavaScript code in the context of the web site.

computer vulnerability 26705

Drupal litejazz: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal litejazz, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 12/07/2018.
Identifiers: DRUPAL-SA-CONTRIB-2018-050, VIGILANCE-VUL-26705.

Description of the vulnerability

The litejazz module can be installed on Drupal.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal litejazz, in order to run JavaScript code in the context of the web site.

vulnerability note 26704

Drupal NewsFlash: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal NewsFlash, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 12/07/2018.
Identifiers: DRUPAL-SA-CONTRIB-2018-049, VIGILANCE-VUL-26704.

Description of the vulnerability

The NewsFlash module can be installed on Drupal.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal NewsFlash, in order to run JavaScript code in the context of the web site.

vulnerability bulletin 26703

Drupal Beale Street: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal Beale Street, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 12/07/2018.
Identifiers: DRUPAL-SA-CONTRIB-2018-048, VIGILANCE-VUL-26703.

Description of the vulnerability

The Beale Street module can be installed on Drupal.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal Beale Street, in order to run JavaScript code in the context of the web site.

vulnerability announce 26702

Drupal EU Cookie Compliance: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal EU Cookie Compliance, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 12/07/2018.
Identifiers: DRUPAL-SA-CONTRIB-2018-047, VIGILANCE-VUL-26702.

Description of the vulnerability

The EU Cookie Compliance module can be installed on Drupal.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal EU Cookie Compliance, in order to run JavaScript code in the context of the web site.

vulnerability alert 26701

Drupal Commerce Custom Order Status: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal Commerce Custom Order Status, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 12/07/2018.
Identifiers: DRUPAL-SA-CONTRIB-2018-046, VIGILANCE-VUL-26701.

Description of the vulnerability

The Commerce Custom Order Status module can be installed on Drupal.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal Commerce Custom Order Status, in order to run JavaScript code in the context of the web site.

vulnerability note 26624

Drupal Universally Unique IDentifier: file upload

Synthesis of the vulnerability

An attacker can upload a malicious file via Drupal Universally Unique IDentifier, for example to upload a Trojan.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 05/07/2018.
Identifiers: DRUPAL-SA-CONTRIB-2018-045, VIGILANCE-VUL-26624.

Description of the vulnerability

The Universally Unique IDentifier module can be installed on Drupal.

It can be used to upload a file. However, this file can be uploaded to an arbitrary directory on the server, and then executed.

An attacker can therefore upload a malicious file via Drupal Universally Unique IDentifier, for example to upload a Trojan.

computer vulnerability note 26099

Drupal SVG Formatter: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal SVG Formatter, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 11/05/2018.
Identifiers: DRUPAL-SA-CONTRIB-2018-027, VIGILANCE-VUL-26099.

Description of the vulnerability

The SVG Formatter module can be installed on Drupal.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal SVG Formatter, in order to run JavaScript code in the context of the web site.

vulnerability announce 25992

Drupal JSON API: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of Drupal JSON API, in order to force the victim to perform operations.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 26/04/2018.
Identifiers: DRUPAL-SA-CONTRIB-2018-021, VIGILANCE-VUL-25992.

Description of the vulnerability

The JSON API module can be installed on Drupal.

However, the origin of queries is not checked. They can, for example, originate from an image included in an HTML document.

An attacker can therefore trigger a Cross Site Request Forgery of Drupal JSON API, in order to force the victim to perform operations.

vulnerability alert 25931

Drupal Display Suite: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal Display Suite, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 19/04/2018.
Identifiers: DRUPAL-SA-CONTRIB-2018-019, VIGILANCE-VUL-25931.

Description of the vulnerability

The Display Suite module can be installed on Drupal.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal Display Suite, in order to run JavaScript code in the context of the web site.