Security advisories

Updated 2023-07-14 to reference PSA-2023-07-12.

Drupal 7's end of life is January 5, 2025

On February 23, 2022, we announced that we would be extending the End-of-Life for Drupal 7 until at least November 1, 2023.

Today, we are officially announcing that Drupal 7 will reach its end of life on January 5, 2025.

With this final extension, the Drupal Security Team is also adjusting the level of support provided.

This will be the final extension.

This module provides social media share & follow buttons.

The module doesn't sufficiently check access to a node when retrieving the label of an AddToAny block.

This vulnerability is mitigated by the fact it requires the node ID to be passed via the route, requiring another module or specific configuration to provide this ID, as the /node/{id} page doesn't provide this value on an access denied.

The Iubenda Integration module provides a custom block to provide a link to the Iubenda privacy policy. On this block, a custom prefix and suffix text can be entered.

The module does not sufficiently filter the block text fields on output, resulting in a Cross-Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to use the layout builder on content, edit the layout, or with the "Administer blocks" permission.

S3 File System (s3fs) provides an additional file system to your Drupal site, which stores files in Amazon's Simple Storage Service (S3) or any other S3-compatible storage service.

This module may fail to validate that a file being requested to be moved to storage was uploaded during the same web request, possibly allowing an attacker to move files that should normally be inaccessible to them.

This vulnerability is mitigated by the fact that another vulnerability must already exist outside of s3fs.