Stage File Proxy is a general solution for getting production files on a development server on demand.
The module doesn't sufficiently validate that a requested file exists on the origin before attempting to download it and create the local copy. An attacker could send many requests for files that do not exist and exhaust disk space on the development server.
This vulnerability is mitigated by the fact that it only affects sites where the Origin setting is configured with a trailing slash. Sites that cannot upgrade immediately can confirm that their Origin has no trailing slash, or remove the trailing slash, to mitigate the issue.
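The following JavaScript is an added example, not Stage File Proxy's own code. It models the failure pattern the advisory describes (a local file is created before the origin has confirmed the file exists) next to the hardened order of operations, and normalises the origin so a trailing slash cannot produce a malformed request URL; it does not model why the trailing-slash configuration triggers the real bug. The origin, the paths and the stub fetcher are constructed for the example.

```javascript
// Added example (not the module's code): proxy a production file on demand,
// but only create the local copy once the origin has confirmed the file exists.

// Strip any trailing slash so the request URL is always origin + "/" + path,
// never "https://prod.example//sites/default/files/...".
function normalizeOrigin(origin) {
  return origin.replace(/\/+$/, '');
}

function buildRemoteUrl(origin, relativePath) {
  return `${normalizeOrigin(origin)}/${relativePath.replace(/^\/+/, '')}`;
}

// Constructed stub origin: only the listed paths exist.
// fetchFn(url) -> { status, body }; a real implementation would use an HTTP client.
const ORIGIN_FILES = new Map([
  ['https://prod.example/sites/default/files/logo.png', 'PNG-BYTES'],
]);
function stubFetch(url) {
  return ORIGIN_FILES.has(url)
    ? { status: 200, body: ORIGIN_FILES.get(url) }
    : { status: 404, body: '' };
}

// Vulnerable shape (illustrative): the local file is created first and the
// download attempted afterwards, so a 404 leaves an empty file behind.
function proxyFileVulnerable(origin, relativePath, fetchFn, localStore) {
  localStore.set(relativePath, '');                 // file created on disk...
  const response = fetchFn(buildRemoteUrl(origin, relativePath));
  if (response.status === 200) {
    localStore.set(relativePath, response.body);    // ...and only sometimes filled
  }
  return response.status === 200;
}

// Hardened shape: nothing touches the local store unless the origin returned
// 200 with a non-empty body.
function proxyFile(origin, relativePath, fetchFn, localStore) {
  const response = fetchFn(buildRemoteUrl(origin, relativePath));
  if (response.status !== 200 || response.body.length === 0) {
    return false;
  }
  localStore.set(relativePath, response.body);
  return true;
}

// Simulate an attacker requesting many files that do not exist on the origin;
// returns how many local files are left behind.
function simulateFlood(proxyFn, origin, count) {
  const localStore = new Map();
  for (let i = 0; i < count; i++) {
    proxyFn(origin, `sites/default/files/missing-${i}.png`, stubFetch, localStore);
  }
  return localStore.size;
}

console.log('vulnerable:', simulateFlood(proxyFileVulnerable, 'https://prod.example/', 1000));
console.log('hardened:  ', simulateFlood(proxyFile, 'https://prod.example/', 1000));
```

The local store is an in-memory Map so the example runs offline; on a real site the same loop would be filling the public files directory.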
Panels enables administrators to add page variants within Page Manager, Panelizer, etc. to create custom pages.
The module doesn't sufficiently protect sensitive routes, allowing an attacker to view and modify blocks within variants without holding the appropriate permission.
Gif Player Field provides a simple file field type that allows you to upload GIF files and configure how they are output using field formatters.
The module uses the GifPlayer jQuery library to render the GIF according to the field formatter's configuration. The external GifPlayer library doesn't sanitize attributes properly when rendering the widget, allowing a malicious user to carry out cross-site scripting (XSS) attacks.
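The following JavaScript is an added example and is not the GifPlayer library's or the module's code. It shows the general hazard behind this class of bug: a widget that builds its markup by concatenating attribute values into an HTML string, beside a version that escapes every attribute value. The attribute names and the attacker-controlled value are constructed for the example.

```javascript
// Added example (not the library's code): rendering a widget from
// attribute values, unescaped versus escaped.

// Escape the characters that can close an HTML attribute or open a tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable shape: attribute values copied into the template verbatim.
function renderWidgetVulnerable(opts) {
  return `<div class="gifplayer-wrapper">` +
    `<img src="${opts.src}" data-label="${opts.label}" class="gifplayer">` +
    `</div>`;
}

// Hardened shape: every value that lands inside an attribute goes through escapeAttr().
function renderWidget(opts) {
  return `<div class="gifplayer-wrapper">` +
    `<img src="${escapeAttr(opts.src)}" data-label="${escapeAttr(opts.label)}" class="gifplayer">` +
    `</div>`;
}

// List the attribute names of the <img> tag the way a browser would tokenise
// them, so we can see whether an attribute we never wrote has appeared.
function imgAttributeNames(html) {
  const tag = html.match(/<img\b([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const re = /([a-zA-Z-]+)="[^"]*"/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Constructed attacker-controlled label: closes the data-label attribute and
// adds an event handler.
const hostile = { src: 'cat.gif', label: 'x" onerror="alert(document.cookie)' };

console.log('vulnerable:', imgAttributeNames(renderWidgetVulnerable(hostile)));
console.log('hardened:  ', imgAttributeNames(renderWidget(hostile)));
```

In a browser the same fix is usually simpler: create the element with document.createElement and set values with setAttribute or the dataset API instead of assembling an HTML string at all.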
This module (ECA) enables you to define automations on your Drupal site.
The module doesn't sufficiently protect certain routes from cross-site request forgery (CSRF) attacks.
This vulnerability can be mitigated by disabling the "eca_ui" submodule (for example with drush pm:uninstall eca_ui), which leaves ECA functionality intact; the vulnerable routes will simply no longer be available.
This module enables you to translate nodes, configuration and UI strings automatically.
The module doesn't sufficiently validate the incoming API response when the eTranslation integration, which uses an asynchronous workflow, is in use. Specially crafted requests could overwrite entities and their translations with arbitrary content, and could generate enough load on the system to cause a denial of service.
This module enables you to obfuscate email addresses, to avoid them being easily harvested by spammers.
The module doesn't sufficiently sanitise input when the ROT13 encoding method is used.
This vulnerability is mitigated by the fact that an attacker must have a role with the ability to enter specific HTML tag attributes. In a default Drupal installation this would require the administrator role and use of the Full HTML text format. It also requires that ROT13 encoding be enabled in the Obfuscate settings.
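The following JavaScript is an added example, not the Obfuscate module's code. It shows why ROT13 gives no protection against this class of bug: ROT13 is a reversible letter substitution that leaves punctuation untouched, so an address value that already carries HTML attribute syntax (which, per the advisory, requires a role able to enter HTML attributes) survives the round trip intact and must still be escaped when it is decoded into the page. The markup builder and the hostile value are constructed for the example.

```javascript
// Added example (not the module's code): ROT13 is an encoding, not a sanitiser.

function rot13(s) {
  return s.replace(/[A-Za-z]/g, (c) => {
    const base = c <= 'Z' ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable shape: decode the obfuscated address and drop it straight into markup.
function revealVulnerable(encoded) {
  const address = rot13(encoded);
  return `<a href="mailto:${address}">${address}</a>`;
}

// Hardened shape: decode, then escape for the attribute and text contexts.
function reveal(encoded) {
  const address = rot13(encoded);
  return `<a href="mailto:${escapeHtml(address)}">${escapeHtml(address)}</a>`;
}

// Count raw double quotes: a well-formed link with one quoted attribute has exactly two.
function rawQuoteCount(html) {
  return (html.match(/"/g) || []).length;
}

// Constructed hostile "address" carrying an attribute injection.
const hostile = 'x@example.com" onmouseover="alert(1)';
const encoded = rot13(hostile);   // letters rotated, quotes and punctuation untouched

console.log('stored:    ', encoded);
console.log('vulnerable:', revealVulnerable(encoded));
console.log('hardened:  ', reveal(encoded));
```

Sanitising must happen on the plaintext value (before encoding, when it is stored, and again in the right context when it is rendered); applying it to the ROT13 text would not help either, since the decode step restores whatever the encoding hid.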