The Layout Builder Advanced Permissions module enables you to have fine-grained control over who can do what when editing pages built with Layout Builder.
The module doesn't sufficiently control access for adding sections in the submodule.
This vulnerability is mitigated by the fact that an attacker must have a role with a specific set of permissions:
This module enables users to set up two-factor authentication (2FA) using authenticator apps for enhanced login security. The module alters the standard Drupal login form to use AJAX callbacks for handling the authentication flow.
The module doesn't sufficiently validate authentication under specific conditions, allowing an attacker to log in as any account where they know the username.
This module enables you to integrate Google Tag Manager (GTM) into your Drupal site by allowing administrators to configure and embed GTM container snippets.
The module doesn't sufficiently sanitize the GTM container ID under the scenario where a user with the Administer gtm permission enters malicious input into the GTM-ID field. This value is directly inserted into a <script> tag, making the site vulnerable to Cross-site Scripting (XSS) attacks.
This module enables you to access an edit page for a config page.
The module doesn't sufficiently check access permissions: hook_ENTITY_TYPE_access() wasn't taken into account.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit ID config page" and that it only affects sites that have access restricted via the hook_ENTITY_TYPE_access() hook.
This module allows you to manage video media items using the COOKiES module (disabling external video elements). These elements are enabled again once the COOKiES banner is accepted.
The module doesn't sufficiently check whether to convert "data-src" attributes to "src" when their value might contain malicious content, in the scenario where module-specific classes are set on the HTML element.
This module allows you to define custom attributes for a block. You can specify an attribute name to be added to the block in a predefined format.
The module does not sufficiently validate the provided attributes, which makes it possible to insert JavaScript event attributes such as onmouseover, onkeyup, etc. These attributes can execute JavaScript code when the page is rendered, leading to cross-site scripting (XSS) vulnerabilities.
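
The attribute-name check described above can be sketched as follows. This is an added example, not the module's own code: the function name, the allowlist and the sample input are assumptions, and it uses plain PHP rather than any Drupal API.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: filter user-supplied block attributes.
 * Returns [accepted, rejected]. The allowlist below is an assumption.
 */
function filter_block_attributes(array $attributes): array {
  $allowed_exact = ['id', 'class', 'role', 'title', 'lang'];
  $allowed_prefix = ['data-', 'aria-'];
  $accepted = [];
  $rejected = [];

  foreach ($attributes as $name => $value) {
    $name = strtolower(trim((string) $name));

    // Names must be plain tokens: no whitespace, quotes, '=', '<', '>' or '/'.
    $well_formed = preg_match('/^[a-z][a-z0-9_-]*$/', $name) === 1;
    // Event handler attributes (onmouseover, onkeyup, ...) all start with "on".
    $is_event_handler = strncmp($name, 'on', 2) === 0;

    $is_allowed = in_array($name, $allowed_exact, true);
    foreach ($allowed_prefix as $prefix) {
      if (strlen($name) > strlen($prefix)
          && strncmp($name, $prefix, strlen($prefix)) === 0) {
        $is_allowed = true;
      }
    }

    if (!$well_formed || $is_event_handler || !$is_allowed) {
      $rejected[] = $name;
      continue;
    }
    // Escape for an HTML attribute context (assumes the caller prints it verbatim).
    $accepted[$name] = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
  }
  return [$accepted, $rejected];
}

// Constructed sample input: two benign attributes and four that must be refused.
[$ok, $bad] = filter_block_attributes([
  'data-region' => 'sidebar',
  'aria-label'  => 'News "today"',
  'OnMouseOver' => 'alert(1)',
  'onkeyup'     => 'x()',
  'class x='    => 'y',
  'style'       => 'color:red',
]);
print_r($ok);   // data-region and aria-label, values escaped
print_r($bad);  // onmouseover, onkeyup, "class x=", style
```

The allowlist does the real work here; the explicit `on` prefix test is a second layer that keeps event handlers out even if the allowlist is later widened.
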
The File Download module allows users to download file and image entities directly using a custom field formatter. It also provides an optional submodule to count and display file downloads in Views, similar to how the core statistics module tracks content views.
The File Download module does not properly validate input when handling file access requests. This can allow users to bypass protections and access private files that should not be publicly available.