This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the "administer permissions" permission.
The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. A user with the ability to delegate a role is also able to assign the administrator role, including to their own user.
This vulnerability is mitigated by the fact that an attacker must have access to a view of users with the Views Bulk Operations module enabled.
This module allows group managers to invite people into their group.
The module doesn't sufficiently check access under certain circumstances, allowing unauthorized users to access the group's content.
This vulnerability is mitigated by the fact that it only occurs when certain uncommon actions are taken by a user with the permission to create group invites.
Http Client Manager introduces a new Guzzle-based plugin which allows you to manage HTTP clients using Guzzle Service Descriptions via YAML, JSON or PHP files, in a simple and efficient way. The module allows administrators to configure HTTP requests as part of Event Condition Action (ECA) automation.
The module does not sufficiently maintain separation of data from request operations, potentially leading to information disclosure in very uncommon situations.
This module provides a centralized content distribution and syndication solution so that customers can publish, reuse, and syndicate content across a network of Drupal websites.
The module doesn't sufficiently protect export routes from cross-site request forgery (CSRF) attacks, potentially allowing an attacker to trick an admin into exporting an unwanted entity.
This module enables you to disable the standard Drupal login form (/user/login) so site owners can prevent interactive logins via the UI.
The module does not sufficiently block authentication when the REST/HTTP login route is used. An attacker (or legitimate user) with valid credentials can authenticate using the REST login endpoint (/user/login?_format=json) or other HTTP-based authentication routes, effectively bypassing the module’s protection of the UI login page.
This module enables integration between Next.js and Drupal for headless CMS functionality.
When installed, the module automatically enables cross-origin resource sharing (CORS) with insecure default settings (Access-Control-Allow-Origin: *), overriding any services.yml CORS configuration. This allows any origin to make cross-origin requests to the site without administrator knowledge or consent.
This vulnerability affects all installations as there are no configuration options to disable this behavior.
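For comparison, this is the standard place a Drupal site administrator sets CORS policy; it is an added illustration of the core mechanism the advisory says the module overrides, not code from the module or from the advisory. The origin `https://frontend.example` is a constructed placeholder, and the header and method lists are examples of a deliberately narrow policy rather than values taken from the page.

```yaml
# sites/default/services.yml (site-level CORS policy handled by Drupal core)
# Weak policy: any origin may make cross-origin requests, which is the effective
# behaviour the advisory describes when the module emits Access-Control-Allow-Origin: *.
# parameters:
#   cors.config:
#     enabled: true
#     allowedOrigins: ['*']

# Restrictive policy: only the named front-end origin, only the methods and
# headers the headless client actually needs.
parameters:
  cors.config:
    enabled: true
    allowedHeaders: ['x-csrf-token', 'authorization', 'content-type', 'accept', 'origin', 'x-requested-with']
    allowedMethods: ['GET', 'POST', 'PATCH', 'DELETE', 'OPTIONS']
    # Constructed placeholder origin; list the real front-end origin(s) here.
    allowedOrigins: ['https://frontend.example']
    exposedHeaders: false
    maxAge: false
    supportsCredentials: false
```

On an affected installation this file is not the control point, because the advisory states the module overrides it; the practical check is to send a request with an `Origin` header for a site the front end does not use and confirm the response does not carry `Access-Control-Allow-Origin: *`, and the fix is to update the module so the services.yml policy above is honoured again.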
This module enables you to use the Tagify library to enhance text input fields with tag-style UI elements.
The module does not sufficiently sanitize the infoLabel value under certain configurations, which can result in a cross-site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that only uncommon module configurations expose the affected infoLabel output, and an attacker must have user-level access to supply or manipulate this value.
This module enables you to apply time-based login restrictions and display related warning or logout confirmation pages.
The module doesn't sufficiently protect its confirmation routes from cross-site request forgery (CSRF), allowing the logout confirmation route to be triggered without user interaction.
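The two CSRF advisories above (the export routes and the logout confirmation route) both come down to a state-changing route that can be reached with a plain GET or cross-site POST. The following routing definition is an added example of how a Drupal route is normally protected; it is not the code of either module, and the route name, path, controller class and permission string are constructed placeholders.

```yaml
# example_module.routing.yml (constructed example; route names, paths and
# controller classes are placeholders, not the affected modules' definitions)

# Unprotected: any link or form on any site can trigger the action for a logged-in
# user, because the only requirement is a permission check.
example_module.export_unprotected:
  path: '/admin/content/example-export/{entity_type}/{entity_id}'
  defaults:
    _controller: '\Drupal\example_module\Controller\ExportController::export'
  requirements:
    _permission: 'administer example exports'

# Protected with a CSRF token: Drupal core rejects requests whose 'token' query
# parameter does not match the session-bound token for this path. Links to the
# route must be generated with Url::fromRoute() so the token is appended.
example_module.export:
  path: '/admin/content/example-export/{entity_type}/{entity_id}'
  defaults:
    _controller: '\Drupal\example_module\Controller\ExportController::export'
  requirements:
    _permission: 'administer example exports'
    _csrf_token: 'TRUE'

# Alternative for actions that deserve a prompt: route to a confirmation form.
# Forms built on ConfirmFormBase carry the Form API CSRF token automatically,
# so the action only runs on an explicit POST from the confirmation page.
example_module.logout_confirm:
  path: '/example-logout/confirm'
  defaults:
    _form: '\Drupal\example_module\Form\LogoutConfirmForm'
    _title: 'Confirm logout'
  requirements:
    _user_is_logged_in: 'TRUE'
```

The defender's review question for any contributed module is therefore whether each route that changes state (export, delete, logout, enable) carries either `_csrf_token: 'TRUE'` or is served by a form, rather than by a bare controller reachable with a GET.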
This module provides the ability to chat with an AI Agent using a large language model (LLM) provider for different purposes.
The module doesn't sufficiently filter LLM responses. This leads to a cross-site scripting (XSS) vulnerability where an attacker can use prompt injection in user-generated content that the LLM receives as context.