The Tealium iQ Tag Management module provides Drupal integration with Tealium iQ.
tealiumiq stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an Object Injection vulnerability when the data are unserialized.
The Salesforce Suite of modules integrates Drupal with Salesforce.
The Salesforce module does not properly validate the OAuth handshake during interactive authentication, allowing an attacker to hijack the authorization token and bind the site to an attacker's Salesforce account.
The optional Paragraphs Library module allows the reuse of paragraphs in multiple places.
The module doesn't sufficiently restrict access to direct child paragraphs of library items through API endpoints.
This vulnerability is mitigated by the fact that the paragraphs_library module must be in use and general write access to paragraphs through another module must be allowed.
The optional Paragraphs Library module allows the reuse of paragraphs in multiple places.
The module doesn't sufficiently restrict access to unpublished library items in lists.
This vulnerability is mitigated by the fact that the paragraphs_library module must be in use, and that an attacker must have access to a list of library items, such as a field with autocomplete suggestions or a view.
The module adds support for the mirador viewer in WissKI and enables annotations on images via the mirador viewer.
It does not sufficiently check parameters submitted via a route and writes them to the session object without further checks, which can lead to an access bypass.
This vulnerability is mitigated by the fact that it is specific to the wisski_mirador submodule.
This module enables you to take payments through the Global Payments / Realex Hosted Payment Page (HPP), either via a lightbox iframe or via a full-page redirect.
When the gateway is configured with the redirect payment method, the module doesn't sufficiently verify the authenticity of the payment response returned by Global Payments.
The lightbox payment method validates the signature, so sites that use it are not affected.
This module provides the entity type and runtime for Drupal AI Agents, enabling agents to use tools.
Under certain circumstances, the agent inherits deterministic parameters when invoking the same tool in one request, which can lead to information disclosure.
This module enables you to utilize an agent to use Drupal core actions tools with bypassed access.
Certain Drupal core actions, exposed as agent tools, did not have correct access validation, and some core actions were missing associated access-level definitions.
This vulnerability is mitigated by the fact that an attacker must have access to communicate with an affected agent, and the site must be configured to expose the affected tools to non-privileged users.