Joshua Brauer

**Name of the Vulnerable Software and Affected Versions** Privatemsg module versions 7.x-1.x before 7.x-1.3 **Description** A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML via a user name in a private message. **Recommendations** For Privatemsg module versions 7.x-1.x before 7.x-1.3, update to version 7.x-1.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Drupal Hashcash module versions 6.x-2.x before 6.x-2.6 Drupal Hashcash module versions 7.x-2.x before 7.x-2.2 **Description** A cross-site scripting (XSS) issue exists in the Hashcash module for Drupal. This occurs when the "Log failed hashcash" option is enabled, and an invalid token is not properly handled by the Database logging module, allowing remote attackers to inject arbitrary web script or HTML. **Recommendations** For Drupal Hashcash module version 6.x-2.x, update to version 6.x-2.6 or later. For Drupal Hashcash module version 7.x-2.x, update to version 7.x-2.2 or later.

**Name of the Vulnerable Software and Affected Versions** Listhandler module versions 6.x-1.x before 6.x-1.1 for Drupal **Description** The issue concerns the Listhandler module for Drupal, where it fails to properly check permissions when importing emails. This allows remote comment authors to bypass access restrictions, potentially leading to unspecified impacts. **Recommendations** For Listhandler module versions 6.x-1.x before 6.x-1.1, update to version 6.x-1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Drupal Search Autocomplete module versions 7.x-2.x before 7.x-2.4 **Description** The issue allows remote attackers to disable an autocompletion or change the priority order due to improper access restriction to the module admin page. **Recommendations** For versions prior to 7.x-2.4, update to version 7.x-2.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Drag & Drop Gallery module versions 6.x-1.5 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension followed by a safe extension, then accessing it via a direct request to the directory specified by the `filedir` parameter. This is made possible by an unrestricted file upload vulnerability in the `upload.php` file. **Recommendations** For Drag & Drop Gallery module versions 6.x-1.5 and earlier, consider disabling the `upload.php` file or restricting file uploads to prevent exploitation until a fix is available. Restrict access to the directory specified by the `filedir` parameter to minimize the risk of arbitrary PHP code execution.

**Name of the Vulnerable Software and Affected Versions** Restrict node page view module versions 7.x-1.x before 7.x-1.2 **Description** The issue allows remote authenticated users with the `view any node page` or `view any node {type} page` permission to access unpublished nodes via a direct request. **Recommendations** For Restrict node page view module versions 7.x-1.x before 7.x-1.2, update to version 7.x-1.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Colorbox Node module versions 7.x-2.x before 7.x-2.2 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, which can lead to cross-site scripting (XSS) attacks. **Recommendations** For versions 7.x-2.x before 7.x-2.2, update to version 7.x-2.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Security Questions module for Drupal versions 6.x-1.x before 6.x-1.1 Security Questions module for Drupal versions 7.x-1.x before 7.x-1.1 **Description** The issue allows remote attackers to edit an arbitrary user's questions and answers due to improper access restriction in the Security Questions module. **Recommendations** For Security Questions module for Drupal versions 6.x-1.x before 6.x-1.1, update to version 6.x-1.1 or later. For Security Questions module for Drupal versions 7.x-1.x before 7.x-1.1, update to version 7.x-1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Drag & Drop Gallery module versions 6.x **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. **Recommendations** For Drag & Drop Gallery module version 6.x, update to a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Drupal Drag & Drop Gallery module version 6.x **Description** The issue allows remote attackers to bypass access restrictions. The attack vectors are unknown. **Recommendations** For version 6.x, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Drag & Drop Gallery module versions 6.x **Description** A cross-site request forgery issue allows remote attackers to hijack the authentication of administrators. **Recommendations** For Drag & Drop Gallery module version 6.x, update to a version that includes a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Drag & Drop Gallery module versions 6.x **Description** The issue allows remote attackers to execute arbitrary SQL commands. **Recommendations** For Drag & Drop Gallery module version 6.x, update to a version that includes a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Drupal Subuser module versions prior to 6.x-1.8 **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of arbitrary users for requests that switch the user to a subuser. **Recommendations** For versions prior to 6.x-1.8, update to version 6.x-1.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Subuser module versions prior to 6.x-1.8 for Drupal **Description** The issue concerns the Subuser module for Drupal, where it fails to properly check `switch subuser` permissions. This allows remote authenticated parent users to change their role by switching to a subuser they created. **Recommendations** For versions prior to 6.x-1.8, update to version 6.x-1.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Better Revisions module versions 7.x-1.x before 7.x-1.1 **Description** The issue is related to a cross-site scripting (XSS) vulnerability in the administrative interface of the Better Revisions module for Drupal. This vulnerability allows remote authenticated users with the "administer better revisions" permission to inject arbitrary web script or HTML. **Recommendations** For Better Revisions module versions 7.x-1.x before 7.x-1.1, update to version 7.x-1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Elegant Theme module versions prior to 7.x-1.1 **Description** The issue is related to a cross-site scripting (XSS) vulnerability in the "3 slide gallery" of the Elegant Theme module. This allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via a slide URL. **Recommendations** For Elegant Theme module versions prior to 7.x-1.1, update to version 7.x-1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "3 slide gallery" feature for users with the "administer themes" permission until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Drupal Activism module versions 6.x-2.x before 6.x-2.1 **Description** The issue is related to improper access restriction to the "Campaign" content type, which could allow remote attackers to bypass access restrictions and potentially have other unspecified impacts. **Recommendations** For versions 6.x-2.x before 6.x-2.1, update to version 6.x-2.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Drupal Hotblocks module versions 6.x-1.x before 6.x-1.8 **Description** A cross-site scripting (XSS) issue exists in the settings page of the Hotblocks module for Drupal, specifically at the 'admin/settings/hotblocks' endpoint. This allows remote authenticated users with the `administer hotblocks` permission to inject arbitrary web script or HTML via the `block names` variable. **Recommendations** For versions prior to 6.x-1.8, update to version 6.x-1.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Drupal Location module versions 6.x before 6.x-3.2 Drupal Location module versions 7.x before 7.x-3.0-alpha1 **Description** The issue allows remote attackers to read node or user results via the location search page due to improper checking of user or node access permissions. **Recommendations** For Drupal Location module versions 6.x before 6.x-3.2, update to version 6.x-3.2 or later. For Drupal Location module versions 7.x before 7.x-3.0-alpha1, update to version 7.x-3.0-alpha1 or later.

**Name of the Vulnerable Software and Affected Versions** Drupal Secure Login module versions 7.x-1.x before 7.x-1.3 **Description** The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the `q` parameter. This is due to an open redirect vulnerability in the `securelogin secure redirect` function. **Recommendations** For versions prior to 7.x-1.3, update to version 7.x-1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `securelogin secure redirect` function to minimize the risk of exploitation. Avoid using the `q` parameter in the affected API endpoint until the issue is resolved.