This module enables integration between Next.js and Drupal for headless CMS functionality.
When installed, the module automatically enables cross-origin resource sharing (CORS) with insecure default settings (Access-Control-Allow-Origin: *), overriding any services.yml CORS configuration. This allows any origin to make cross-origin requests to the site without administrator knowledge or consent.
This vulnerability affects all installations as there are no configuration options to disable this behavior.
This module enables you to use the Tagify library to enhance text input fields with tag-style UI elements.
The module does not sufficiently sanitize the infoLabel value under certain configurations, which can result in a cross-site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that only uncommon module configurations expose the affected infoLabel output, and an attacker must have user-level access to supply or manipulate this value.
This module enables you to apply time-based login restrictions and display related warning or logout confirmation pages.
The module doesn't sufficiently protect its confirmation routes from cross-site request forgery (CSRF), allowing the logout confirmation route to be triggered without user interaction.
This modules provides the ability to chat with an AI Agent using a large-language model (LLM) provider for different purposes.
The module doesn’t sufficiently filter LLM responses. This leads to a cross-site scripting (XSS) vulnerability where an attacker can use prompt injections on user-generated content with the LLM as context.
The module provides instant integration of the official CKEditor 5 Premium plugins into the Drupal editor configuration.
This module has a path traversal vulnerability, which allows an access bypass to restricted image files in the system.
This access bypass is possible for any account with a View published content permission, but the risk is mitigated by the fact that only images can be opened.
This module allows uploading a zip file and extracting its content in the public file directory to serve this content from a Drupal website.
These zip files may contain arbitrary HTML or SVG content that could allow cross-site scripting vulnerabilities. While this is an expected feature, the module does not sufficiently restrict this functionality to trusted users with a "restricted access" permission. Users without a restricted permission should not be able to inject arbitrary JavaScript.
The core system module handles downloads of private and temporary files. Contrib modules can define additional kinds of files (schemes) that may also be handled by the system module.
In some cases, files may be served with the HTTP header Cache-Control: public when they should be uncacheable. This can lead to some users getting cached versions of files with information they should not be able to access. For example, files may be cached by Varnish or a CDN.
By generating and tricking a user into visiting a malicious URL, an attacker can perform site defacement.
The defacement is not stored and is only present when the URL has been crafted for that purpose. Only the defacement is present, so no other site content (such as branding) is rendered.
Drupal core contains a chain of methods that is exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.
Drupal Core has a rarely used feature, provided by an underlying library, which allows certain attributes of incoming HTTP requests to be overridden.
This functionality can be abused in a way that may cause Drupal to cache response data that it should not. This can lead to legitimate requests receiving inappropriate cached responses (cache poisoning).
