This module enables you to conditionally display blocks in particular theme regions.

The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".

Updated 2022-07-20 19:45 UTC to indicate that this only affects Apache web servers.

Drupal core sanitizes filenames with dangerous extensions upon upload (reference: SA-CORE-2020-012) and strips leading and trailing dots from filenames to prevent uploading server configuration files (reference: SA-CORE-2019-010).

In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.

Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability.

This module enables you to create and manage a version of taxonomy based on configuration entities instead of content. This allows the terms, vocabularies, and their structure to be exported, imported, and managed as site configuration.

The module doesn't sufficiently check access for the edit and delete operations. Users with "access content" permission can edit or delete any term. The edit form may expose term data that users could not otherwise see, since there is no term view route by default.