This module provides a centralized content distribution and syndication solution so thta customers can publish, reuse, and syndicate content across a network of Drupal websites.
The module doesn't sufficiently protect export routes from cross-site request forgery (CSRF) attacks, potentially allowing an attacker to trick an admin into exporting an unwanted entity.
This module enables you to disable the standard Drupal login form (/user/login) so site owners can prevent interactive logins via the UI.
The module does not sufficiently block authentication when the REST/HTTP login route is used. An attacker (or legitimate user) with valid credentials can authenticate using the REST login endpoint (/user/login?_format=json) or other HTTP-based authentication routes, effectively bypassing the module’s protection of the UI login page.
This module enables integration between Next.js and Drupal for headless CMS functionality.
When installed, the module automatically enables cross-origin resource sharing (CORS) with insecure default settings (Access-Control-Allow-Origin: *), overriding any services.yml CORS configuration. This allows any origin to make cross-origin requests to the site without administrator knowledge or consent.
This vulnerability affects all installations as there are no configuration options to disable this behavior.
This module enables you to use the Tagify library to enhance text input fields with tag-style UI elements.
The module does not sufficiently sanitize the infoLabel value under certain configurations, which can result in a cross-site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that only uncommon module configurations expose the affected infoLabel output, and an attacker must have user-level access to supply or manipulate this value.
This module enables you to apply time-based login restrictions and display related warning or logout confirmation pages.
The module doesn't sufficiently protect its confirmation routes from cross-site request forgery (CSRF), allowing the logout confirmation route to be triggered without user interaction.
This modules provides the ability to chat with an AI Agent using a large-language model (LLM) provider for different purposes.
The module doesn’t sufficiently filter LLM responses. This leads to a cross-site scripting (XSS) vulnerability where an attacker can use prompt injections on user-generated content with the LLM as context.
The module provides instant integration of the official CKEditor 5 Premium plugins into the Drupal editor configuration.
This module has a path traversal vulnerability, which allows an access bypass to restricted image files in the system.
This access bypass is possible for any account with a View published content permission, but the risk is mitigated by the fact that only images can be opened.
This module allows uploading a zip file and extracting its content in the public file directory to serve this content from a Drupal website.
These zip files may contain arbitrary HTML or SVG content that could allow cross-site scripting vulnerabilities. While this is an expected feature, the module does not sufficiently restrict this functionality to trusted users with a "restricted access" permission. Users without a restricted permission should not be able to inject arbitrary JavaScript.
The core system module handles downloads of private and temporary files. Contrib modules can define additional kinds of files (schemes) that may also be handled by the system module.
In some cases, files may be served with the HTTP header Cache-Control: public when they should be uncacheable. This can lead to some users getting cached versions of files with information they should not be able to access. For example, files may be cached by Varnish or a CDN.
