Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.
The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.
As this is an API module, it is only exploitable if a "client" module exposes the vulnerability. Details of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.
This module enables you to add the Matomo web statistics tracking system to your website.
The module does not check the Matomo JS code loaded on the website. So a user could configure the module to load JS from a malicious website.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer matomo" or "administer matomo tag manager" (D8+ only) to access the settings forms where this can be configured.
This module enables sites to comply with the European cookie law using tarteaucitron.js.
The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be exploited by an attacker with a role with the permission "administer tacjs" regardless of other configurations.
This module enables a UI to display all libraries provided by modules and themes on the Drupal site.
The module doesn't sufficiently protect the libraries reporting page. It curently is using the 'access content' permission and not a proper administrative/access permission.
The vulnerability/library information can be exploited by simply visiting/knowing the url of the reporting page. The solution is to protect the page via a module specific permission that must be granted by an administrative user.
Drupal Steward is a web application firewall product that can protect your Drupal sites from highly critical and mass exploitable vulnerabilities, allowing you to update on your own time.