  • Advisory ID: DRUPAL-SA-CONTRIB-2017-38
  • Project: References (third-party module)
  • Date: 12-Apr-2017


2017-04-18 - This issue has been resolved with the release of References 7.x-2.2.

2017-04-14 - A potential new maintainer is working through the process of fixing the References module. When this is complete a new release will be published and this SA will be updated.

The specific details of the original vulnerability cannot be shared. While we also cannot promise a specific date for a fix, the Drupal Security team will work with the potential new maintainer to get this issue resolved as soon as possible.


Please note that the security team will not release information on this vulnerability for up to a month; the recommendation is to migrate. Emails asking for details on the vulnerability will not be responded to. If you would like to maintain the module, please follow the directions below.

This project provides D7 versions of the 'node_reference' and 'user_reference' field types that were part of the CCK package in D6, at functional parity with their D6 counterparts.

The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466

Versions affected

  • All versions

Drupal core is not affected. If you do not use the contributed References module, there is nothing you need to do.


If you use the References module for Drupal you should uninstall it.

Also see the References project page.

Notably, if you started with References and need to maintain equivalent functionality, we recommend reviewing the feature set of Entity Reference. If Entity Reference can work for you, there is a Reference to EntityReference Field Migration module that can assist in the transition.

Reported by

Fixed by

Not applicable

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity