This module enables you to collect feedback from your site visitors on content pages, allowing them to optionally attach a free-text comment to their Yes/No vote.
The module doesn't sufficiently verify authorization over the targeted feedback record when processing a comment submission.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "give feedback". Note: "give feedback" is granted to anonymous and authenticated by default on install.
This module enables you to collect feedback from your site visitors on content pages, presenting Yes/No buttons and providing dashboards for administrators to review the responses.
The module doesn't sufficiently sanitize several administrator-configured response messages (the "Yes response", "No response", and the custom text shown on a "No" answer) under the scenario where those settings contain HTML or script markup, which is then emitted as raw HTML in the feedback response shown to visitors.
The JSON:API and REST modules allow you to upload image files to image fields.
The validation rules check the file extension of the uploaded file but not the file MIME type. This may allow a malicious user to upload a file that is not an image.
Certain web-server configurations may serve the uploaded file with its actual MIME type rather than an image type. This may lead to cross-site scripting (XSS) or other unexpected behavior.
Drupal core ships a rebuild.php front controller that can be used to rebuild Drupal (clearing the caches and rebuilding the container) when the site is in an unexpected condition.
This script doesn't correctly check the Host header against the list of trusted host patterns. This could result in cache poisoning or a redirect to an attacker-controlled domain.
Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application deserializes untrusted data due to another vulnerability.
SA-CORE-2019-003 added protection for fields that store serialized data to disallow direct writes via web services.
The above fix did not cover all potential attack vectors for JSON:API. An attacker with appropriate JSON:API write permission could potentially inject a malicious payload in certain rare circumstances, potentially resulting in PHP Object Injection.
This vulnerability is mitigated by the fact that in order to be exploitable:
The Plotly.js Graphing module provides a fully customizable implementation of the open source Plotly.js graphing library.
The module stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection vulnerability when the data are unserialized.
The Flag attendance field module gives you the ability to add attendance by depending on Flag module.
flag_attendance_field stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection vulnerability when the data are unserialized.
The Formatter Field module provides a mechanism for specifying a formatter and formatter settings to be used for displaying a field, on a per-entity basis.
formatter_field stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an Object Injection vulnerability when the data are unserialized.