Show advisories for only contributed projects, only PSAs, or all security advisories

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004

Date: 
2018-April-25
Security risk: 
Highly critical 20∕25 AC:Basic/A:User/CI:All/II:All/E:Exploit/TD:Default
CVE IDs: 
CVE-2018-7602

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Updated — this vulnerability is being exploited in the wild.

Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2018-003

Date: 
2018-April-18
Security risk: 
Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
CVE IDs: 
CVE-2018-9861

CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses).

We would like to thank the CKEditor team for patching the vulnerability and coordinating the fix and release process, and matching the Drupal core security window.

Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

Date: 
2018-March-28
Security risk: 
Highly critical 24∕25 AC:None/A:None/CI:All/II:All/E:Exploit/TD:Default
CVE IDs: 
CVE-2018-7600

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.

The security team has written an FAQ about this issue.

Edited 2020, February 13 to fix links to patch files.

Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-001

Date: 
2018-February-21
Security risk: 
Critical 16∕25 AC:Basic/A:User/CI:Some/II:Some/E:Exploit/TD:Default

This security advisory fixes multiple vulnerabilities in both Drupal 7 and Drupal 8. See below for a list.

Comment reply form allows access to restricted content - Critical - Drupal 8 - CVE-2017-6926

Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.

This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.

Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-004

By Drupal Security Team on

Drupal 8.3.7 is a maintenance release which contain fixes for security vulnerabilities.

Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-003

By Drupal Security Team on

Drupal 8.3.4 and Drupal 7.56 are maintenance releases which contain fixes for security vulnerabilities.

Categories: Drupal 7.x, Drupal 8.x

Drupal Core - Critical - Access Bypass - SA-CORE-2017-002

By Drupal Security Team on

Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-001

By Drupal Security Team on

Drupal 8.2.7, a maintenance release which contains fixes for security vulnerabilities, is now available for download.

Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2016-005

By Drupal Security Team on
Categories: Drupal 7.x, Drupal 8.x

Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-004

By Drupal Security Team on
Categories: Drupal 8.x

Pages

Subscribe with RSS Subscribe to Security advisories