Security advisories

This module allows site builders to create so-called "theme_rule" config entities. These theme rules can render pages with different themes than the default when certain conditions match.

The module uses simple GET request to disable or enable theme rules, which allows attackers to disable or enable theme rules by tricking site administrators to click on links.

This vulnerability is mitigated by the fact that an attacker must know the machine name of the theme rule.

This module enables you to integrate and manage icons with Drupal.

The module doesn't sufficiently sanitize user input leading to a reflected Cross-site Scripting (XSS) vulnerability.

The vulnerability is mitigated by the fact that in order to be vulnerable, the "UI Icons for CKEditor 5" submodule must be enabled.

Note: this SA was edited after release to correct the risk score; there is no user authentication requirement.

The Login Disable module prevents users from logging in to your Drupal site unless they know the access key to add to the end of the login form page.
( default: http://example.com/user/login?admin )
If they provide the access key and have a specific role they can log in.

The module does not check for the access key when using the HTTP request login route. It is possible to use this route to log in without providing the access key.

This Drupal Canvas module is a new visual page builder for Drupal. You can create reusable components that match your design system, drag them onto a page, edit content in place, preview changes across multiple pages, and undo mistakes with ease.

The module doesn't sufficiently validate access to Canvas Pages when they are unpublished.

This vulnerability is mitigated by the fact that Canvas Pages don't have content moderation enabled by default, and they must be unpublished after being released, and archiving is not a feature provided by the module yet.