Heine

**Name of the Vulnerable Software and Affected Versions** Drupal Entity Delete Log versions 0.0.0 through 1.1.1 **Description** The issue is related to a lack of authorization in the Drupal Entity Delete Log, which allows for forceful browsing. This can enable a remote attacker to bypass security restrictions and perform a forceful browsing attack. **Recommendations** For versions 0.0.0 through 1.1.1, update to a version that includes the fix for this issue to prevent forceful browsing attacks. As a temporary workaround, consider restricting access to the Entity Delete Log module until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Two-factor Authentication (TFA) versions 0.0.0 through 1.5.0 **Description** The issue is related to a weak authentication vulnerability in the Two-factor Authentication (TFA) module for Drupal, which can be exploited to abuse authentication. This vulnerability is associated with weaknesses in the authentication procedure, allowing a remote attacker to bypass security restrictions. **Recommendations** For versions 0.0.0 through 1.5.0, update to a version that includes a fix for this issue to prevent authentication abuse. As a temporary workaround, consider restricting access to the Two-factor Authentication (TFA) module until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Drupal versions prior to the fixed version **Description** The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities. **Recommendations** For versions prior to the fixed version, update to a version that includes the fix for the Media oEmbed iframe route vulnerability. As a temporary workaround, consider restricting access to the Media oEmbed iframe route to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Drupal Live module versions prior to 5.x-0.1 **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of privileged users, potentially leading to the execution of arbitrary PHP code. **Recommendations** For versions prior to 5.x-0.1, update to version 5.x-0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Drupal Aggregation module versions prior to 5.x-4.4 **Description** The issue allows remote attackers to execute arbitrary SQL commands. **Recommendations** For versions prior to 5.x-4.4, update to version 5.x-4.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Drupal Aggregation module versions prior to 5.x-4.4 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, potentially leading to cross-site scripting (XSS) attacks. **Recommendations** For versions prior to 5.x-4.4, update to version 5.x-4.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Drupal Comment Upload module versions 4.7.x through 4.7.x-0.1 Drupal Comment Upload module versions 5.x through 5.x-0.1 **Description** The issue allows remote attackers to bypass upload validation and upload arbitrary files, possibly executing arbitrary code via unspecified vectors. This is due to the improper use of functions in the upload module. **Recommendations** For versions 4.7.x through 4.7.x-0.1, update to version 4.7.x-0.1 or later to resolve the issue. For versions 5.x through 5.x-0.1, update to version 5.x-0.1 or later to resolve the issue.