Bálint Kléri

#23996 of 53,639
9.8 CVSS total
Vulnerabilities · 2
Medium
2
PT-2026-22088
5.0
2026-02-25
Drupal · Drupal/Canvas · CVE-2026-3216
**Name of the Vulnerable Software and Affected Versions**
Drupal Canvas versions prior to 1.1.1

**Description**
A Server-Side Request Forgery (SSRF) issue exists in the Drupal Canvas module. The vulnerability is exposed when the hidden `canvas_ai` submodule is enabled, typically through Drupal Recipes or deployment scripts. The module does not adequately sanitize user-supplied data within the messages JSON payload via crafted API requests. An attacker must possess a role with the "use Drupal Canvas AI" permission to exploit this issue.

**Recommendations**
Update to Drupal Canvas version 1.1.1 or later.
PT-2026-5242
4.8
2026-01-28
Drupal · Drupal/Canvas · CVE-2026-1553
**Name of the Vulnerable Software and Affected Versions**
Drupal Canvas versions prior to 1.0.4

**Description**
The Drupal Canvas module has an authorization issue that allows forceful browsing of Canvas Pages when they are unpublished. The module does not adequately validate access to Canvas Pages, potentially allowing unauthorized access. This is mitigated by the fact that content moderation is not enabled by default and archiving is not a feature of the module.

**Recommendations**
Update to Drupal Canvas version 1.0.4 or later.