No filtering is done for the node title and no parameter assignment is used. As a result, SQL injection is possible by adding a node with a title containing a single quote character. A patch to fix this issue is attached.
| Comment | File | Size | Author |
|---|---|---|---|
| | 0001-Fix-SQL-injection-issue-through-node-title.patch | 1.36 KB | pavel.karoukin |
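The flaw class reported above, shown as an added example that is not the module's code or the attached patch: a stored node title is pasted into SQL text, next to the same statement with the title passed as a bound parameter. Python's `sqlite3` stands in for the site's database layer; the tables, function names, sample titles and the choice of an `INSERT` statement are assumptions.

```python
import sqlite3

# Constructed sample titles: ordinary text, one of which contains a single quote.
SAMPLE_TITLES = ["Release notes", "Editor's picks"]


def make_db():
    """In-memory stand-in for a site database; table and column names are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT)")
    db.execute("CREATE TABLE module_log (nid INTEGER, title TEXT)")
    # The titles are stored safely here; the flaw is in how they are reused later.
    db.executemany("INSERT INTO node (title) VALUES (?)", [(t,) for t in SAMPLE_TITLES])
    return db


def log_node_concat(db, nid, title):
    """Flawed pattern: no filtering, title interpolated into the SQL text."""
    sql = "INSERT INTO module_log (nid, title) VALUES (%d, '%s')" % (nid, title)
    db.execute(sql)


def log_node_bound(db, nid, title):
    """Fixed pattern: the SQL text is constant and the title is a bound parameter."""
    db.execute("INSERT INTO module_log (nid, title) VALUES (?, ?)", (nid, title))


def run(log_fn):
    """Log every stored node with log_fn; return (titles logged, titles that broke the SQL)."""
    db = make_db()
    failed = []
    for nid, title in db.execute("SELECT nid, title FROM node").fetchall():
        try:
            log_fn(db, nid, title)
        except sqlite3.OperationalError:
            # The quote closed the string literal early, so the rest of the
            # title was parsed as SQL instead of being treated as data.
            failed.append(title)
    logged = [row[0] for row in db.execute("SELECT title FROM module_log ORDER BY nid")]
    return logged, failed


if __name__ == "__main__":
    print("concatenated:", run(log_node_concat))
    print("bound:       ", run(log_node_bound))
```

A syntax error on an ordinary apostrophe is the visible symptom that title text reaches the SQL parser; with bound parameters the same title is stored unchanged.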
Comments
Comment #1
deekayen commented:

committed
Comment #2
jordojuice commented:

Ahh just saw this in my email. Thanks for catching this and reporting it. It seems like the security team has been doing some good work judging by all the security fixes in my email.