Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable.
This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.
Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized.
This module allows users to export nodes and then import it into another Drupal installation, or on the same site.
In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize() function, which could results in Remote Code Execution via PHP Object Injection.
This vulnerability is mitigated by the fact that an attack must operate with the permission "Use PHP to import nodes", however this could be the case if this issue were combined with others in an "attack chain".
The module creates an endpoint on the site at /postfile/upload that accepts a POST request for uploading a single file into a specified file system (public, private, etc).
This module accepts any uploaded file extension, including dangerous file formats so it can be used to bypass the allow_insecure_uploads config.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "postfile upload".
The module creates an endpoint on the site at /postfile/upload that accepts a POST request for uploading a single file into a specified file system (public, private, etc).
The module doesn't sufficiently protect against Cross Site Request Forgery
under allowing an attacker to trick a site user into uploading a file.
Integrates your Drupal website with the Oh Dear monitoring app.
Cached data of monitoring results is accessible to non-logged in users when caching is enabled on the module.
This vulnerability is mitigated by the fact that it only affects sites where caching is enabled for OhDear report healthcheck endpoint. It is not enabled by default and there's no UI option to do it. It has to be done directly in the ohdear_integration.settings.yml.
