This page lists security advisories for third-party projects that are not part of Drupal core: all modules, themes, and installation profiles that have been contributed by a community member. These posts by the Drupal security team are also sent to the security announcements e-mail list.

SA-CONTRIB-2012-151 - Commerce Extra Panes - Cross Site Request Forgery

  • Advisory ID: DRUPAL-SA-CONTRIB-2012-151
  • Project: Commerce extra panes (third-party module)
  • Version: 7.x
  • Date: 2012-October-3
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Request Forgery

SA-CONTRIB-2012-150 - Twitter Pull - Cross Site Scripting (XSS)

  • Advisory ID: DRUPAL-SA-CONTRIB-2012-150
  • Project: Twitter Pull (third-party module)
  • Version: 6.x, 7.x
  • Date: 2012-October-03
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

SA-CONTRIB-2012-149 - Hostip - Cross Site Scripting (XSS)

  • Advisory ID: DRUPAL-SA-CONTRIB-2012-149
  • Project: Hostip (third-party module)
  • Version: 6.x, 7.x
  • Date: 2012-October-03
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

SA-CONTRIB-2012-148 - OG - Access Bypass

  • Advisory ID: DRUPAL-SA-CONTRIB-2012-148
  • Project: Organic groups (third-party module)
  • Version: 7.x
  • Date: 2012-September-26
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

SA-CONTRIB-2012-147 - FileField Sources - Cross Site Scripting (XSS)

  • Advisory ID: DRUPAL-SA-CONTRIB-2012-147
  • Project: FileField Sources (third-party module)
  • Version: 6.x, 7.x
  • Date: 2012-September-19
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

SA-CONTRIB-2012-146 - Simplenews Scheduler - Arbitrary code execution

  • Advisory ID: DRUPAL-SA-CONTRIB-2012-146
  • Project: Simplenews Scheduler (third-party module)
  • Version: 6.x
  • Date: 2012-September-19
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Arbitrary PHP code execution

SA-CONTRIB-2012-145 - Imagemenu - Cross Site Scripting (XSS)

  • Advisory ID: DRUPAL-SA-CONTRIB-2012-145
  • Project: Imagemenu (third-party module)
  • Version: 6.x
  • Date: 2012-September-19
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

SA-CONTRIB-2012-144 - Fonecta verify - Cross Site Scripting (XSS)

  • Advisory ID: DRUPAL-SA-CONTRIB-2012-144
  • Project: Fonecta verify (third-party module)
  • Version: 7.x
  • Date: 2012-September-19
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

SA-CONTRIB-2012-143 - PRH Search - Cross Site Scripting (XSS)

  • Advisory ID: DRUPAL-SA-CONTRIB-2012-143
  • Project: PRH Search (third-party module)
  • Version: 7.x
  • Date: 2012-September-19
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

SA-CONTRIB-2012-142 - Spambot - Cross Site Scripting (XSS)

  • Advisory ID: DRUPAL-SA-CONTRIB-2012-142
  • Project: Spambot (third-party module)
  • Version: 6.x, 7.x
  • Date: 2012-September-19
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

Security announcements

In addition to the news page and sub-tabs, all security announcements are posted to an email list. To subscribe by email, log in, go to your user profile page, and subscribe to the security newsletter on the Edit » My newsletters tab.

You can also get RSS feeds for core, contrib, or public service announcements, or follow @drupalsecurity on Twitter.

Contacting the Security team

In order to report a security issue, or to learn more about the security team, please see the Security team handbook page.

Security books

There are many useful books about Drupal. Here are two that discuss security:
