The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Drupal Modules ~ not comprehensive

vulnerability announce 28752

Drupal Simple Hierarchical Select: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of Drupal Simple Hierarchical Select, in order to force the victim to perform operations.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 14/03/2019.
Identifiers: DRUPAL-SA-CONTRIB-2019-038, VIGILANCE-VUL-28752.

Description of the vulnerability

An attacker can trigger a Cross Site Request Forgery of Drupal Simple Hierarchical Select, in order to force the victim to perform operations.

vulnerability 28750

Drupal Views: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal Views, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 14/03/2019.
Identifiers: DRUPAL-SA-CONTRIB-2019-036, VIGILANCE-VUL-28750.

Description of the vulnerability

The Views module can be installed on Drupal.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal Views, in order to run JavaScript code in the context of the web site.

computer vulnerability note 28749

Drupal Views: information disclosure via Exposed Filters

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via Exposed Filters of Drupal Views, in order to obtain sensitive information.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Consequences: data reading.
Provenance: user account.
Creation date: 14/03/2019.
Identifiers: DRUPAL-SA-CONTRIB-2019-035, VIGILANCE-VUL-28749.

Description of the vulnerability

An attacker can bypass access restrictions to data via Exposed Filters of Drupal Views, in order to obtain sensitive information.

computer vulnerability bulletin 28748

Drupal Views: information disclosure via Argument Definitions Failing

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via Argument Definitions Failing of Drupal Views, in order to obtain sensitive information.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Consequences: data reading.
Provenance: user account.
Creation date: 14/03/2019.
Identifiers: DRUPAL-SA-CONTRIB-2019-034, DRUPAL-SA-CONTRIB-2019-035, VIGILANCE-VUL-28748.

Description of the vulnerability

An attacker can bypass access restrictions to data via Argument Definitions Failing of Drupal Views, in order to obtain sensitive information.

computer vulnerability 28685

Drupal Ubercart: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of Drupal Ubercart, in order to force the victim to perform operations.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 07/03/2019.
Identifiers: DRUPAL-SA-CONTRIB-2019-032, VIGILANCE-VUL-28685.

Description of the vulnerability

The Ubercart module can be installed on Drupal.

However, the origin of queries is not checked. They can for example originate from an image included in an HTML document.

An attacker can therefore trigger a Cross Site Request Forgery of Drupal Ubercart, in order to force the victim to perform operations.

vulnerability note 28684

Drupal voor Gemeenten: privilege escalation

Synthesis of the vulnerability

An attacker can bypass restrictions of Drupal voor Gemeenten, in order to escalate his privileges.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Consequences: privileged access/rights, data creation/edition.
Provenance: internet client.
Creation date: 07/03/2019.
Identifiers: DRUPAL-SA-CONTRIB-2019-031, VIGILANCE-VUL-28684.

Description of the vulnerability

An attacker can bypass restrictions of Drupal voor Gemeenten, in order to escalate his privileges.

vulnerability bulletin 28683

Drupal EU Cookie Compliance: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal EU Cookie Compliance, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive, IBM API Connect, I-Connect.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 07/03/2019.
Identifiers: DRUPAL-SA-CONTRIB-2019-033, ibm10878775, VIGILANCE-VUL-28683.

Description of the vulnerability

The EU Cookie Compliance module can be installed on Drupal.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal EU Cookie Compliance, in order to run JavaScript code in the context of the web site.

vulnerability note 28624

Drupal Rabbit Hole: information disclosure

Synthesis of the vulnerability

An attacker can bypass access restrictions to data of Drupal Rabbit Hole, in order to obtain sensitive information.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 28/02/2019.
Identifiers: DRUPAL-SA-CONTRIB-2019-029, VIGILANCE-VUL-28624.

Description of the vulnerability

An attacker can bypass access restrictions to data of Drupal Rabbit Hole, in order to obtain sensitive information.

vulnerability bulletin 28623

Drupal Facets: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal Facets, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 28/02/2019.
Identifiers: DRUPAL-SA-CONTRIB-2019-030, VIGILANCE-VUL-28623.

Description of the vulnerability

The Facets module can be installed on Drupal.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal Facets, in order to run JavaScript code in the context of the web site.

vulnerability announce 28622

Drupal Context: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal Context, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 28/02/2019.
Identifiers: DRUPAL-SA-CONTRIB-2019-028, VIGILANCE-VUL-28622.

Description of the vulnerability

The Context module can be installed on Drupal.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal Context, in order to run JavaScript code in the context of the web site.