The Mailhandler module enables you to create nodes by email.
The Mailhandler module does not validate file attachments. By sending a correctly crafted e-mail to a mailhandler mailbox an attacker can execute arbitrary code.
The vulnerability applies to any active mailhandler mailbox, whether or not attachments are mapped to a field.
This module provides a way to make carousels, based on bootstrap-carousel.js.
The module doesn't sufficiently handle the output of the img HTML tag's alt attribute.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Carousel: Create new content" or any similar node module permissions for creating/editing/removing the module-delivered content type.
This module enables sites to manage public clouds like Amazon EC2 and also private clouds like OpenStack.
The module doesn't sufficiently protect the deletion of audit reports, thereby exposing a cross-site request forgery (CSRF) vulnerability which unprivileged users can exploit to trick an administrator into unwanted deletion of audit reports.
This vulnerability is mitigated by the fact that the victim must have a role with the permission "access audit report".
MoneySuite provides a set of modules for Drupal sites that rely on the sale of memberships and/or content for revenue.
The modules have an access bypass vulnerability which allows untrusted users (including anonymous users) to view payments made by users within the system. No data can be modified, nor are any credit card numbers displayed.
This module enables you to integrate the Domain module with other popular Drupal modules. The Domain Integration Login Restrict sub-module enables you to restrict access to a domain based on the assigned domains on a user.
The Domain Integration Login Restrict sub-module doesn't sufficiently check these restrictions when using one-time logins.
This vulnerability is mitigated by the fact that an attacker must have an active account on one of the domains.
Custom Permissions is a lightweight module that allows permissions to be created and managed through an administrative form.
When this module is in use, any user who is able to perform an action which rebuilds some of Drupal's caches can trigger a scenario in which certain pages protected by this module's custom permissions temporarily lose those custom access controls, thereby leading to an access bypass vulnerability.
The Permissions by Term module extends Drupal by adding functionality for restricting access to single nodes via taxonomy terms.
The module grants access to nodes that are being blocked by other node access modules and that the Permissions by Term module does not intend to control. Additionally, it grants access to unpublished nodes in node listings to users who should not be able to see them. These problems lead to an access bypass vulnerability.
This module provides a site administrator the ability to log users out after a specified time of inactivity. It is highly customizable and includes "site policies" by role to enforce log out.
The module does not sufficiently filter user-supplied text that is stored in the configuration, resulting in a persistent cross-site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer autologout".
The Mosaik module enables you to create pages or complex blocks in Drupal with the logic of a real mosaic and its pieces.
The module doesn't sufficiently sanitize the titles of fieldsets on its administration pages or the titles of blocks that it creates. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer mosaik".