These posts by the Drupal security team are also sent to the security announcements e-mail list.

DRUPAL-SA-2006-004 Mail header injection vulnerability

  • Advisory ID: DRUPAL-SA-2006-004
  • Project: Drupal core
  • Date: 2006-03-13
  • Security risk: moderately critical
  • Impact: security bypass
  • Where: from remote
  • Vulnerability: mail header injection attack

DRUPAL-SA-2006-003 Session fixation vulnerability

  • Advisory ID: DRUPAL-SA-2006-003
  • Project: Drupal core
  • Date: 2006-03-13
  • Security risk: less critical
  • Impact: hijacking
  • Where: from remote
  • Vulnerability: session fixation attack

DRUPAL-SA-2006-002 XSS vulnerabilities

  • Advisory ID: DRUPAL-SA-2006-002
  • Project: Drupal core
  • Date: 2006-03-13
  • Security risk: less critical
  • Impact: cross-site scripting
  • Where: from remote
  • Vulnerability: cross-site scripting

DRUPAL-SA-2006-001 Security bypass in menu.module

  • Advisory ID: DRUPAL-SA-2006-001
  • Project: Drupal core
  • Date: 2006-03-13
  • Security risk: less critical
  • Impact: security bypass
  • Where: from remote
  • Vulnerability: bypass access control

DRUPAL-SA-2005-008 XSS and HTTP header injection vulnerability with uploaded files

  • Advisory ID: DRUPAL-SA-2005-008
  • Project: Drupal core
  • Date: 2005-11-30
  • Security risk: less critical
  • Impact: normal
  • Where: from remote
  • Vulnerability: XSS, HTTP header injection

DRUPAL-SA-2005-007 XSS vulnerability in submitted content

  • Advisory ID: DRUPAL-SA-2005-007
  • Project: Drupal core
  • Date: 2005-11-30
  • Security risk: less critical
  • Impact: normal
  • Where: from remote
  • Vulnerability: XSS

DRUPAL-SA-2005-009 Bypass "view user profiles" permission

  • Advisory ID: DRUPAL-SA-2005-009
  • Project: Drupal core
  • Date: 2005-11-30
  • Security risk: not critical
  • Impact: normal
  • Where: from remote
  • Vulnerability: bypass access control

Security announcements

In addition to the news page and sub-tabs, all security announcements are posted to an email list. To subscribe by email: log in, go to your user profile page, and subscribe to the security newsletter on the Edit » My newsletters tab.

You can also get RSS feeds for core, contrib, or public service announcements, or follow @drupalsecurity on Twitter.

Contacting the Security team

In order to report a security issue, or to learn more about the security team, please see the Security team handbook page.

Writing secure code

If you are a Drupal developer, please read the handbook section on Writing secure code.

Security books

There are many useful books about Drupal. Here are two that discuss security:
