The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Drupal Modules ~ not comprehensive

vulnerability bulletin 24303

Drupal Automated Logout: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal Automated Logout, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 02/11/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-081, VIGILANCE-VUL-24303.

Description of the vulnerability

The Automated Logout module can be installed on Drupal.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal Automated Logout, in order to run JavaScript code in the context of the web site.

vulnerability announce 24172

Drupal Yandex.Metrics: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal Yandex.Metrics, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 19/10/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-78, VIGILANCE-VUL-24172.

Description of the vulnerability

The Yandex.Metrics module can be installed on Drupal.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal Yandex.Metrics, in order to run JavaScript code in the context of the web site.

computer vulnerability note 23889

Drupal Skype Status: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal Skype Status, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 21/09/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-076, VIGILANCE-VUL-23889.

Description of the vulnerability

The Skype Status module can be installed on Drupal.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal Skype Status, in order to run JavaScript code in the context of the web site.

computer vulnerability note 23839

Drupal Flag Clear: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of Drupal Flag Clear, in order to force the victim to perform operations.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 14/09/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-074, VIGILANCE-VUL-23839.

Description of the vulnerability

The Flag Clear module can be installed on Drupal.

However, the origin of requests is not checked. They can, for example, originate from an image included in an HTML document.

An attacker can therefore trigger a Cross Site Request Forgery of Drupal Flag Clear, in order to force the victim to perform operations.

computer vulnerability 23645

Drupal H5P: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal H5P, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 31/08/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-071, VIGILANCE-VUL-23645.

Description of the vulnerability

The H5P module can be installed on Drupal.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal H5P, in order to run JavaScript code in the context of the web site.

vulnerability note 23644

Drupal Commerce Invoices: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Drupal Commerce Invoices.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 31/08/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-070, VIGILANCE-VUL-23644.

Description of the vulnerability

Several vulnerabilities were announced in Drupal Commerce Invoices.

An attacker can use a SQL injection, in order to read or alter data. [severity:2/4]

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4]

vulnerability alert 23491

Drupal Facebook Like Button: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal Facebook Like Button, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 10/08/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-066, VIGILANCE-VUL-23491.

Description of the vulnerability

The Facebook Like Button module can be installed on Drupal.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal Facebook Like Button, in order to run JavaScript code in the context of the web site.

computer vulnerability note 23489

Drupal Better Field Descriptions: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Drupal Better Field Descriptions, in order to run JavaScript code in the context of the web site.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 10/08/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-064, VIGILANCE-VUL-23489.

Description of the vulnerability

The Better Field Descriptions module can be installed on Drupal.

However, it does not filter received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Drupal Better Field Descriptions, in order to run JavaScript code in the context of the web site.

computer vulnerability bulletin 23238

Drupal DrupalChat: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Drupal DrupalChat.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 13/07/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-057, VIGILANCE-VUL-23238.

Description of the vulnerability

Several vulnerabilities were announced in Drupal DrupalChat.

An attacker can trigger a Cross Site Request Forgery, in order to force the victim to perform operations. [severity:2/4]

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4]

computer vulnerability announce 23137

Drupal DrupalChat: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Drupal DrupalChat.
Impacted products: Drupal Modules ~ not comprehensive.
Severity: 2/4.
Creation date: 06/07/2017.
Identifiers: DRUPAL-SA-CONTRIB-2017-057, VIGILANCE-VUL-23137.

Description of the vulnerability

Several vulnerabilities were announced in Drupal DrupalChat.

An attacker can trigger a Cross Site Request Forgery, in order to force the victim to perform operations. [severity:2/4]

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4]