The Flag attendance field module gives you the ability to add attendance by depending on Flag module.
flag_attendance_field stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an object injection vulnerability when the data are unserialized.
The Formatter Field module provides a mechanism for specifying a formatter and formatter settings to be used for displaying a field, on a per-entity basis.
formatter_field stores some data as PHP-serialized strings. In some situations, malicious data can be written directly to the field. This can lead to an Object Injection vulnerability when the data are unserialized.
The security team is marking the Composer module for Drupal project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#s-becoming-owner-maintainer-or-co-mai...
The Examples for Developers project aims to provide high-quality, well-documented API examples for a broad range of Drupal core functionality.
The "Read from a file" feature implemented by the file_example submodule can be used to expose any file that PHP can access. Therefore, the file_example sub-module is being removed from Examples for Developers until a version demonstrating file security best practices can be added back in the future. Developers who based a new module on this example should review their code for an access bypass.
This module integrates the Tagify JavaScript library to enhance entity reference selection in entity reference widgets.
The module does not properly sanitise the name of parent taxonomy terms when rendering suggestions in the Tagify dropdown. This results in a cross-site scripting vulnerability that may allow attackers to execute arbitrary JavaScript in the context of the user’s session.
The vulnerability is mitigated by the fact an attacker must have a role with permission to create or edit taxonomy terms in a vocabulary.
This module provides spam protection using the CleanTalk cloud service.
The module doesn't sufficiently sanitize API response messages before rendering them in HTML output. The _cleantalk_die() and ct_die() functions output the CleanTalk API response message directly into HTML without proper sanitization, allowing potential injection of arbitrary HTML or JavaScript.
The module doesn't sufficiently sanitize customer comments in the order receipt email template; this could be exploited to achieve Cross-site Scripting (XSS).
This vulnerability is mitigated by the fact that it only affects installations with Checkout (commerce_checkout) enabled, and the "Comments" checkout pane (id: customer_comments) is explicitly used, which is disabled by default.
