Security advisories for third-party projects that are not part of Drupal core - this includes all modules, themes, and installation profiles that have been contributed by a community member. These posts by the Drupal security team are also sent to the security announcements e-mail list.

Mosaik - Moderately critical - Cross-site scripting - SA-CONTRIB-2017-080


The Mosaik module enables you to create pages or complex blocks in Drupal with the logic of a real mosaic and its pieces.

The module doesn't sufficiently sanitize the titles of fieldsets on its administration pages or the titles of blocks that it creates. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer mosaik".

Brilliant Gallery - Highly critical - Multiple Vulnerabilities - SA-CONTRIB-2017-079


This module enables you to display any number of galleries based on images located in the files folder.

The module doesn't sufficiently sanitize various database queries which may allow attackers to craft requests resulting in an SQL injection vulnerability. This vulnerability could be exploited even by anonymous users and could potentially allow them to take over the site.

The module doesn't sufficiently confirm a user's intent to save checklist data, which allows for a cross-site request forgery (CSRF) exploit to be executed by unprivileged users.

Yandex.Metrics - Moderately critical - Cross site scripting - SA-CONTRIB-2017-78


The Yandex.Metrics module allows you to look for key indicators of your site effectiveness.

The module doesn't sufficiently warn administrators that access to its settings page should not be granted to untrusted users.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer Yandex.Metrics settings."

Edited October 19, 2017 to add a note about checking permissions.

netFORUM Authentication - Moderately critical - Access Bypass - SA-CONTRIB-2017-077


The netFORUM Authentication module implements external authentication for users against netFORUM.

The module does not correctly use flood control, making it susceptible to brute-force attacks.

Skype Status - Moderately Critical - Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-076

Page Access - Unsupported - SA-CONTRIB-2017-75

  • Advisory ID: DRUPAL-SA-CONTRIB-2017-75
  • Project: Page Access (third-party module)
  • Date: 20-September-2017

Flag clear - Moderately Critical - CSRF - DRUPAL-SA-CONTRIB-2017-074

CAPTCHA - Moderately Critical - Denial of Service - SA-CONTRIB-2017-073

Clientside Validation - Critical - Arbitrary PHP Execution - DRUPAL-SA-CONTRIB-2017-072

