The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Drupal Modules ~ not comprehensive

computer vulnerability note 23839

Drupal Flag Clear: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of Drupal Flag Clear, in order to force the victim to perform operations.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 14/09/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-074, VIGILANCE-VUL-23839.

Description of the vulnerability

The Flag Clear module can be installed on Drupal.

However, the origin of requests is not checked. They can, for example, originate from an image included in an HTML document.

An attacker can therefore trigger a Cross Site Request Forgery of Drupal Flag Clear, in order to force the victim to perform operations.

computer vulnerability 23645

Drupal H5P: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal H5P, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 31/08/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-071, VIGILANCE-VUL-23645.

Description of the vulnerability

The H5P module can be installed on Drupal.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal H5P, in order to run JavaScript code in the context of the web site.

vulnerability note 23644

Drupal Commerce Invoices: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Drupal Commerce Invoices.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 31/08/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-070, VIGILANCE-VUL-23644.

Description of the vulnerability

Several vulnerabilities were announced in Drupal Commerce Invoices.

An attacker can use a SQL injection, in order to read or alter data. [severity:2/4]

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4]

vulnerability alert 23491

Drupal Facebook Like Button: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal Facebook Like Button, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 10/08/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-066, VIGILANCE-VUL-23491.

Description of the vulnerability

The Facebook Like Button module can be installed on Drupal.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal Facebook Like Button, in order to run JavaScript code in the context of the web site.

computer vulnerability note 23489

Drupal Better Field Descriptions: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal Better Field Descriptions, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 10/08/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-064, VIGILANCE-VUL-23489.

Description of the vulnerability

The Better Field Descriptions module can be installed on Drupal.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal Better Field Descriptions, in order to run JavaScript code in the context of the web site.

computer vulnerability bulletin 23238

Drupal DrupalChat: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Drupal DrupalChat.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 13/07/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-057, VIGILANCE-VUL-23238.

Description of the vulnerability

Several vulnerabilities were announced in Drupal DrupalChat.

An attacker can trigger a Cross Site Request Forgery, in order to force the victim to perform operations. [severity:2/4]

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4]

computer vulnerability announce 23137

Drupal DrupalChat: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Drupal DrupalChat.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 06/07/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-057, VIGILANCE-VUL-23137.

Description of the vulnerability

Several vulnerabilities were announced in Drupal DrupalChat.

An attacker can trigger a Cross Site Request Forgery, in order to force the victim to perform operations. [severity:2/4]

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4]

computer vulnerability note 23099

Drupal Services: SQL injection

Synthesis of the vulnerability

An attacker can use a SQL injection of Drupal Services, in order to read or alter data.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 29/06/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-054, VIGILANCE-VUL-23099.

Description of the vulnerability

The Drupal Services product uses a database.

However, user-supplied data are inserted directly into a SQL query.

An attacker can therefore use a SQL injection of Drupal Services, in order to read or alter data.

vulnerability announce 23052

Drupal Search 404: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal Search 404, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 22/06/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-053, VIGILANCE-VUL-23052.

Description of the vulnerability

The Search 404 module can be installed on Drupal.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal Search 404, in order to run JavaScript code in the context of the web site.

computer vulnerability bulletin 22828

Drupal Site Verify: Cross Site Scripting

Synthesis of the vulnerability

A privileged attacker can trigger a Cross Site Scripting of Drupal Site Verify, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 29/05/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-051, VIGILANCE-VUL-22828.

Description of the vulnerability

The Site Verify module can be installed on Drupal.

However, it does not filter received data before inserting them in generated HTML documents.

A privileged attacker can therefore trigger a Cross Site Scripting of Drupal Site Verify, in order to run JavaScript code in the context of the web site.