Drupal 6 LTS vendor-provided support will end on October 22, 2022.
On February 24th, 2016, Drupal 6 was marked end-of-life (EOL). The Drupal 6 Long-Term-Support (LTS) program added more than 6 years of additional coverage for program participants and the community.
The GOV.UK Theme (govuk_theme) is a Drupal theme for the GOV.UK Design System.
The theme doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting (XSS) vulnerabilities. An attacker that can create or edit certain entities or configuration may be able to exploit one or more Cross-Site-Scripting (XSS) vulnerabilities to target visitors of the site, including site admins with privileged access.
The vulnerability is mitigated by the facts, that:
This module provides an entity relationship hierarchy tree widget for an entity reference field.
The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to modify an entity that is the reference to a field.
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access.
The Quick Edit module does not properly check entity access in some circumstances. This could result in users with the "access in-place editing" permission viewing some content they are are not authorized to access.
Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed.
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.
This module enables you to manage and delete files.
The module doesn't sufficiently protect unmanaged files from view under the scenario unauthenticated user knows path to visit the view and can attempt to delete files which results in duplicate files being created.
To mitigate this issue without deploying code, review all views that are based on Fancy File Delete and ensure they have an access control set to use the permission "administer unmanaged files entities".
