SA-CONTRIB-2009-010 - Plus 1 - Cross-site request forgery

  • Advisory ID: DRUPAL-SA-CONTRIB-2009-010
  • Project: Plus 1 (third-party module)
  • Version: 6.x
  • Date: 2009 March 18
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site request forgery (CSRF)

New pages and RSS feeds for security announcements

Separate Security Announcements by Type

To make the impact of different security advisories and announcements easier to see, they are now separated by type.

Drupal core security advisories: http://drupal.org/security
RSS feed for Drupal core: http://drupal.org/security/rss.xml

Contributed project security advisories: http://drupal.org/security/contrib
RSS feed for contributed projects: http://drupal.org/security/contrib/rss.xml

Public service announcements: http://drupal.org/security/psa
RSS feed for announcements: http://drupal.org/security/psa/rss.xml

We encourage those using RSS readers to track security-related developments to subscribe to all three of these feeds.

All posts to each of these three forums will still be sent to the one security announcements e-mail list. To subscribe to that e-mail list, once logged in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.

All future public service announcements will only be posted to the Public service announcements page and feed.

SA-CONTRIB-2009-009 - Forward module can be used as a spam relay

  • Advisory ID: DRUPAL-SA-CONTRIB-2009-009
  • Project: Forward
  • Versions: 5.x, 6.x
  • Date: 2009-March-11
  • Security risk: Highly Critical
  • Exploitable from: Remote
  • Vulnerability: Unrestricted e-mailing (spam)

SA-CONTRIB-2009-008 - Taxonomy Theme - Cross-site scripting

  • Advisory ID: DRUPAL-SA-CONTRIB-2009-008
  • Project: Taxonomy Theme (third-party module)
  • Version: 5.x
  • Date: 2009 February 28
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site scripting (XSS)

SA-CORE-2009-004 - Local file inclusion on Windows

  • Advisory ID: DRUPAL-SA-CORE-2009-004
  • Project: Drupal core
  • Versions: 5.x
  • Date: 2009-February-25
  • Security risk: Highly Critical
  • Exploitable from: Remote
  • Vulnerability: Local file inclusion on Windows
  • Reference: SA-CORE-2009-003 (6.x)

SA-CORE-2009-003 - Local file inclusion on Windows

  • Advisory ID: DRUPAL-SA-CORE-2009-003
  • Project: Drupal core
  • Versions: 6.x
  • Date: 2009-February-25
  • Security risk: Highly Critical
  • Exploitable from: Remote
  • Vulnerability: Local file inclusion on Windows

SA-CONTRIB-2009-007 - Advertisement Cross-site scripting

  • Advisory ID: DRUPAL-SA-CONTRIB-2009-007
  • Project: Advertisement module (third-party module)
  • Versions: 5.x, 6.x
  • Date: 2009 February 11
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site scripting (XSS)

SA-CONTRIB-2009-006 - Troll - Cross-site request forgeries

  • Advisory ID: DRUPAL-SA-CONTRIB-2009-006
  • Project: Troll (third-party module)
  • Version: 5.x
  • Date: 2009 February 11
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site request forgeries (CSRF)

Drupal core - Administer content types permission - PSA-2009-001

  • Date: 2009-February-11
  • Project: Drupal core
  • Versions: 5.x and 6.x
  • Security risk: None

Description

This is a public service announcement regarding the "administer content types" permission. The rise of the Content Construction Kit (CCK) and a legion of powerful CCK field modules have considerably extended the abilities of a user with this permission, with much of a site's behaviour now being configurable via the content types administration pages.

SA-CONTRIB-2009-005 - Views bulk operations - Cross-site scripting

  • Advisory ID: DRUPAL-SA-CONTRIB-2009-005
  • Project: Views bulk operations (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009 February 04
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site scripting (XSS)
