Drupal 6.x

Hi,

We use Open Atrium 1.08 on our Drupal 6 intranet.

One problem I noticed in the Staff Directory page is that the "Section" drop down list that is being displayed is selecting the distinct sections from all employees. This is not a problem, but after doing some testing I discovered that it also includes previous employees that have had their account suspended. The problem it creates is that if a previous employee belonged to a section that no longer exists, it still shows up in the list and creates confusion for other users.

• Advisory ID: DRUPAL-SA-CONTRIB-2015-021
• Project: Content Analysis (third-party module)
• Version: 6.x
• Date: 2015-January-14
• Security risk: 16/25 ( Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
• Vulnerability: Cross Site Scripting

On our website, there are a few pages which we are not able to view the PDF version of the page. It appears that the reason has to do with a setting that does not allow developers to have externally linked photos to show up in a PDF format.

For example, on one page we have an image that is an external photo, but when I click the PDF Version link I get the following error:

• Advisory ID: DRUPAL-SA-CONTRIB-2015-020
• Project: Contact form fields (third-party module)
• Version: 6.x
• Date: 2015-January-14
• Security risk: 13/25 ( Moderately Critical) AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
• Vulnerability: Cross Site Request Forgery

• Advisory ID: DRUPAL-SA-CONTRIB-2015-019
• Project: Ubercart Currency Conversion (third-party module)
• Version: 6.x
• Date: 2015-January-14
• Security risk: 10/25 ( Moderately Critical) AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:All
• Vulnerability: Open Redirect

• Advisory ID: DRUPAL-SA-CONTRIB-2015-014
• Project: Wishlist Module (third-party module)
• Version: 6.x, 7.x
• Date: 2015-January-14
• Security risk: 16/25 ( Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
• Vulnerability: Cross Site Scripting, Cross Site Request Forgery