This module provides a new UI experience for node editing - Gutenberg editor.
The routes used by the Gutenberg editor lack proper permissions allowing untrusted users to view and modify some content they should not be able to view or modify.
This module enables you to control access to content based on taxonomy terms. The module doesn't sufficiently check if a given entity should be access controlled, defaulting to allowing access even to unpublished nodes.
The vulnerability is mitigated by the fact that the submodule Permissions by Entity must also be enabled.
This module allows you to attach tabular data to an entity.
There is insufficient access checking for users with the ability to "Export Tablefield Data as CSV". They can export data from unpublished nodes or otherwise inaccessible entities.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Export Tablefield Data as CSV".
This module enables you to have a separate permission only for creating users.
The module doesn't respect Drupal's setting for "Who can register accounts?" when set to "Visitors, but administrator approval is required".
When this option is chosen, the module overrides the setting, and makes it possible to register accounts with no approval.
This vulnerability can be mitigated by having other settings in place for account registration, such as requiring email verification for new accounts, or permitting account creation for "Administrators only".
8 years later that is still the policy of the Drupal Security team. As Drupal core and modules leverage 3rd party code more and more it seems like an important time to remind site owners that they are responsible for monitoring security of 3rd party libraries. Here is the advice from 2011 which is even more relevant today:
Forms Steps provides an UI to create form workflows using form modes. It creates quick and configurable multisteps forms.
The module doesn't sufficiently check user permissions to access its workflows entities that allows to see any entities that have been created through the different steps of its multistep forms.
This vulnerability is mitigated by the fact that you have to know the Forms Steps URL to create a content linked to the flow. Also, all created content is very hard to edit through the same flow as you have to know the URL and the linked hash to the content.