Contacting the Security team
To report a security issue, or to learn more about the security team, please see the Security team handbook page.
Security advisories
These posts by the Drupal security team are also sent to the security announcements e-mail list.
SA-CORE-2009-008 - Drupal core - Multiple vulnerabilities
- Advisory ID: DRUPAL-SA-CORE-2009-008
- Project: Drupal core
- Version: 5.x, 6.x
- Date: 2009-September-16
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
SA-CORE-2009-007 - Drupal core - Multiple vulnerabilities
- Advisory ID: DRUPAL-SA-CORE-2009-007
- Project: Drupal core
- Version: 5.x, 6.x
- Date: 2009-July-1
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
SA-CORE-2009-006 - Drupal core - Cross site scripting
- Advisory ID: DRUPAL-SA-CORE-2009-006
- Project: Drupal core
- Version: 5.x, 6.x
- Date: 2009-May-13
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
SA-CORE-2009-005 - Drupal core - Cross site scripting
- Advisory ID: DRUPAL-SA-CORE-2009-005
- Project: Drupal core
- Version: 5.x, 6.x
- Date: 2009-April-29
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
New pages and RSS feeds for security announcements
Separate Security Announcements by Type
To make the impact of different security advisories and announcements easier to see, they are now separated by type.
Drupal core security advisories: http://drupal.org/security
RSS feed for Drupal core: http://drupal.org/security/rss.xml
Contributed project security advisories: http://drupal.org/security/contrib
RSS feed for contributed projects: http://drupal.org/security/contrib/rss.xml
Public service announcements: http://drupal.org/security/psa
RSS feed for announcements: http://drupal.org/security/psa/rss.xml
We encourage those using RSS readers to track security-related developments to subscribe to all three of these feeds.
All posts to each of these three forums will still be sent to the one security announcements e-mail list. To subscribe to that e-mail list, once logged in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.
All future public service announcements will be posted only to the Public service announcements page and feed.
SA-CORE-2009-004 - Local file inclusion on Windows
- Advisory ID: DRUPAL-SA-CORE-2009-004
- Project: Drupal core
- Versions: 5.x
- Date: 2009-February-25
- Security risk: Highly Critical
- Exploitable from: Remote
- Vulnerability: Local file inclusion on Windows
- Reference: SA-CORE-2009-003 (6.x)
SA-CORE-2009-003 - Local file inclusion on Windows
- Advisory ID: DRUPAL-SA-CORE-2009-003
- Project: Drupal core
- Versions: 6.x
- Date: 2009-February-25
- Security risk: Highly Critical
- Exploitable from: Remote
- Vulnerability: Local file inclusion on Windows
SA-CORE-2009-001 Drupal core - Multiple vulnerabilities
- Advisory ID: DRUPAL-SA-CORE-2009-001
- Project: Drupal core
- Versions: 5.x and 6.x
- Date: 2009-January-14
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
SA-2008-073 - Drupal core - Multiple vulnerabilities
- Advisory ID: DRUPAL-SA-2008-073
- Project: Drupal core
- Versions: 5.x and 6.x
- Date: 2008-December-10
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
SA-2008-067 - Drupal core - Multiple vulnerabilities
- Advisory ID: DRUPAL-SA-2008-067
- Project: Drupal core
- Versions: 5.x and 6.x
- Date: 2008-October-22
- Security risk: Less Critical
- Exploitable from: Local/Remote
- Vulnerability: Multiple vulnerabilities
