Security advisories

Security-related announcements, such as information on best practices. These posts by the Drupal security team are also sent to the security announcements e-mail list.

DRUPAL-PSA-2012-001 - localizations - Cross Site Scripting

Posted by Drupal Security Team on March 7, 2012 at 4:08pm
  • Advisory ID: DRUPAL-PSA-2012-001
  • Version: 6.x, 7.x
  • Date: 2012-March-07
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Read more
Categories: ,

PSA-2012-001 - Hash DOS attack prevention with Suhosin needs a .htaccess edit

Posted by Drupal Security Team on January 11, 2012 at 9:37pm
  • Advisory ID: DRUPAL-PSA-2012-001
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2012-01-11
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Denial of Service
Read more
Categories: ,

PSA-2011-002 - External libraries and plugins

Posted by Drupal Security Team on June 15, 2011 at 7:21pm
  • Advisory ID: PSA-2011-002
  • Date: 2011-June-15
  • Project: External libraries and plugins
Read more

PSA-2011-001 - "Drupal security update" social engineering

Posted by Drupal Security Team on February 17, 2011 at 10:25pm
  • Advisory ID: PSA-2011-001
  • Project: Drupal core and contrib
  • Versions: All versions
  • Date: 2011-February-17
  • Security risk: Not critical
Read more

PSA-2010-002 - Views - Administer views permission

Posted by Drupal Security Team on June 16, 2010 at 10:29pm
  • Advisory ID: PSA-2010-002
  • Project: Views (third-party module)
  • Versions: 5.x, 6.x
  • Date: 2010-June-16
  • Security risk: Not critical
Read more

PSA-2010-001: Policy on release versions and permissions

Posted by Drupal Security Team on May 13, 2010 at 9:24pm
  • Advisory ID: PSA-2010-001
  • Project: Drupal core and contrib
  • Versions: 5.x and 6.x and above
  • Date: 2010-May-13
  • Security risk: None
Read more
Categories: , ,

SA-CORE-2009-002 Drupal core - Administer content types permission

Posted by Drupal Security Team on February 11, 2009 at 5:27pm
  • Advisory ID: DRUPAL-SA-CORE-2009-002
  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Date: 2009-February-11
  • Security risk: None
Read more

SA-2007-023 - Public service announcement: PHP exploit using Drupal circulating

Posted by Heine on October 17, 2007 at 6:29pm
  • Advisory ID: SA-2007-023
  • Project: PHP
  • Version: PHP 4 < 4.4.3, PHP 5 < 5.1.4
  • Date: 2007-October-17
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: unset() hash / index collision exploit using Drupal (CVE-2006-3017)
Read more

False Drupal XSS alarm on BugTraq

Posted by chx on January 4, 2006 at 4:15pm

Someone under the pseudonym "Liz0ziM" sent a false security alarm to BugTraq without first contacting the security team:

http://www.securityfocus.com/archive/1/420671/30/0/threaded

This vulnerability is fixed in Drupal 4.5.6, 4.6.4 and onwards. Drupal's new XSS filter mechanism takes care of all vulnerabilities listed on http://ha.ckers.org/xss.html (and even more).

If you have already updated to at least 4.5.6 / 4.6.4 then you are safe and you do not need to take any action. If you have not updated yet, then we advise you again to do so ASAP.

Subscribe with RSS Syndicate content

Security announcements

In addition to the news page and sub-tabs, all security announcements are posted to an email list. To subscribe to email: log in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.

You can also get rss feeds for core, contrib, or public service announcements or follow @drupalsecurity on Twitter.

Contacting the Security team

In order to report a security issue, or to learn more about the security team, please see the Security team handbook page.

Security books

There are many useful books about Drupal. Here are two that discuss security:

Advertising helps build a successful ecosystem around Drupal.