The Entity Browser module allows you to select entities from entity reference fields using a custom entity browser widget.
Entity Browser does not properly check entity access in some circumstances. This may result in users with access to edit content seeing metadata about entities they are not authorized to access.
The vulnerability is mitigated by the fact that the inaccessible entities will only be visible to users who can already edit content using Entity Browser.
This module enables users to create 'private' vocabularies.
The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View private taxonomies".
The File (Field) Paths module extends the default functionality of Drupal's core File module, by adding the ability to use entity-based tokens in destination paths and file names.
The module's default configuration could temporarily expose private files to anonymous visitors.
Important note: to fix the problem, database updates must be run in addition to updating the module.
This module enables you to create interactive content.
The module doesn't sufficiently prevent path traversal via the file names contained in uploaded .h5p archives.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "update h5p libraries". In addition, it is only exploitable on Windows servers.
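The following is an added example, not code from the H5P module, showing the check an uploader of zipped content needs before extracting: every archive entry name is validated for absolute paths, drive letters and `..` segments, with backslashes treated as separators (this is why the issue is Windows-specific: PHP's filesystem functions accept `\` as a separator there, so `..\..\x` traverses even when `../` is blocked). A final `realpath()` comparison catches anything the name filter misses. The function names and the two-pass layout are the example's own choices.

```php
<?php
// Added example; not H5P module code. Refuses a whole archive if any entry
// could escape the destination directory when extracted.

/**
 * Returns TRUE if $name is a safe, relative path inside an archive.
 */
function h5p_example_safe_entry_name(string $name): bool {
  // Normalise backslashes first: on Windows they are real separators.
  $normalized = str_replace('\\', '/', $name);
  if ($normalized === '' || $normalized[0] === '/') {
    return FALSE;                          // empty or absolute path
  }
  if (preg_match('/^[A-Za-z]:/', $normalized)) {
    return FALSE;                          // Windows drive letter, e.g. C:/
  }
  if (strpos($normalized, "\0") !== FALSE) {
    return FALSE;                          // NUL byte can truncate the path
  }
  foreach (explode('/', $normalized) as $segment) {
    if ($segment === '..') {
      return FALSE;                        // parent-directory traversal
    }
  }
  return TRUE;
}

/**
 * Extracts $zipPath into $dest. Validates all names before writing anything,
 * then re-checks the resolved parent directory of every file it writes.
 */
function h5p_example_extract(string $zipPath, string $dest): bool {
  $zip = new ZipArchive();
  if ($zip->open($zipPath) !== TRUE) {
    return FALSE;
  }
  $destReal = realpath($dest);
  if ($destReal === FALSE) {
    $zip->close();
    return FALSE;
  }
  // Pass 1: reject the archive outright if any entry name is unsafe.
  for ($i = 0; $i < $zip->numFiles; $i++) {
    $name = $zip->getNameIndex($i);
    if ($name === FALSE || !h5p_example_safe_entry_name($name)) {
      $zip->close();
      return FALSE;
    }
  }
  // Pass 2: write files, confirming each resolved directory stays in $dest.
  for ($i = 0; $i < $zip->numFiles; $i++) {
    $name = str_replace('\\', '/', $zip->getNameIndex($i));
    $target = $destReal . DIRECTORY_SEPARATOR . $name;
    if (substr($name, -1) === '/') {
      @mkdir($target, 0755, TRUE);         // directory entry
      continue;
    }
    $dir = dirname($target);
    if (!is_dir($dir)) {
      mkdir($dir, 0755, TRUE);
    }
    $dirReal = realpath($dir);
    $prefix = $destReal . DIRECTORY_SEPARATOR;
    if ($dirReal === FALSE || strpos($dirReal . DIRECTORY_SEPARATOR, $prefix) !== 0) {
      $zip->close();
      return FALSE;                        // resolved outside the destination
    }
    file_put_contents($target, $zip->getFromIndex($i));
  }
  $zip->close();
  return TRUE;
}

// Usage: h5p_example_extract('/tmp/upload.h5p', '/var/www/private/h5p/lib');
// An archive containing "..\\..\\sites\\default\\settings.php" is rejected
// in pass 1 because the backslashes are normalised before the ".." check.
```

Validating before writing matters: an extractor that checks entries one at a time has already written the earlier entries by the time it rejects a malicious one, and partially extracted libraries are their own cleanup problem.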
Social Flexible Group is an Open Social extension that allows users to create groups with many different configurations.
In specific uncommon scenarios, where a platform doesn't have any flexible groups with the "Group members only (secret)" visibility, community groups are visible to anonymous users on the /all-groups page. No other group information is revealed since group access is not affected by this issue.
This vulnerability is mitigated by creating a Flexible Group with visibility "Group members only (secret)".
The Social Base theme is designed as a base theme for Open Social. This base theme holds a lot of sensible defaults. It doesn't, however, contain much styling. We expect developers to want to change this for their own project.
When content in the Open Social distribution is placed in a group, the Socialbase theme renders a link to that group on the content view page.
This module enables you to build searches using a wide range of features, data sources and backends.
The module doesn't in all cases correctly detect whether a given search is active on the current page, which can lead to information disclosure in some setups.
This vulnerability is mitigated by the fact that only very specific setups will have this problem and there is no way for an attacker to trigger it.
This module enables themers to get partial data from field render arrays. It gives them more control over the output without drilling deep into the render array or using preprocess functions.
The module doesn't sufficiently apply access restrictions when using the filters field_label, field_value, field_raw and field_target_entity.
This vulnerability is mitigated by the fact that these filters must be used in combination with either unpublished content or access control modules.
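Both the Entity Browser advisory above and this one describe the same missing step: entity metadata (labels, raw field values, referenced entities) being returned without asking the Entity API whether the current user may view the entity. The following is an added example, not code from either module, of how that check is applied using Drupal's `EntityInterface::access()` and `FieldItemListInterface::access()`; it assumes the standard Drupal core interfaces and uses its own hypothetical function names.

```php
<?php
// Added example; not code from Entity Browser or Twig Field Value.
// Each helper drops entities the account cannot view instead of
// returning their label, raw value or target entity.

use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Returns labels for the entities $account may view, keyed by entity ID.
 * Unauthorized entities are omitted rather than shown as metadata.
 */
function example_accessible_labels(array $entities, AccountInterface $account): array {
  $labels = [];
  foreach ($entities as $entity) {
    if (!$entity instanceof EntityInterface) {
      continue;
    }
    // 'view' access covers unpublished state and access-control modules
    // (node grants, etc.) that hook into entity access.
    if ($entity->access('view', $account)) {
      $labels[$entity->id()] = $entity->label();
    }
  }
  return $labels;
}

/**
 * Safe counterpart of a field_raw-style filter: returns the field's raw
 * values only when the host entity and the field itself are viewable.
 */
function example_accessible_raw_values(FieldItemListInterface $items, AccountInterface $account): array {
  $host = $items->getEntity();
  if (!$host->access('view', $account) || !$items->access('view', $account)) {
    return [];
  }
  return $items->getValue();
}

/**
 * Safe counterpart of a field_target_entity-style filter: returns only the
 * referenced entities the account may view. Checks the host entity, the
 * field, and then each target individually.
 */
function example_accessible_targets(FieldItemListInterface $items, AccountInterface $account): array {
  $host = $items->getEntity();
  if (!$host->access('view', $account) || !$items->access('view', $account)) {
    return [];
  }
  $targets = [];
  foreach ($items as $item) {
    // Entity reference items expose the loaded target as ->entity.
    $target = $item->entity ?? NULL;
    if ($target instanceof EntityInterface && $target->access('view', $account)) {
      $targets[] = $target;
    }
  }
  return $targets;
}
```

The per-target check in the last helper is the one most often skipped: a user allowed to view a node is not automatically allowed to view every entity that node references, so filtering on the host entity alone still leaks the labels of unpublished or restricted targets.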