The Drupal project uses the third-party library Archive_Tar, which has released a security improvement that is needed to protect some Drupal configurations.
Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them.
Drupal 8 core's file_save_upload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did.
Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file.
After this fix, file_save_upload() now trims leading and trailing dots from filenames.
This module enables you to create forms to collect information from users and report, analyze and distribute it by email.
The 7.x-3.x module doesn't sufficiently sanitize token values taken from query strings. If a query string token is used as the value of a markup component, an attacker can inject JavaScript into a page.
This module extends access handling of Drupal Core's Taxonomy module.
The module doesn't sufficiently check,
if a given entity should be access controlled, defaulting to allowing access even to unpublished Taxonomy Terms.
if certain administrative routes should be access controlled, defaulting to allowing access even to users without permission to access these administrative routes.
The Smart Trim module allows site builders additional control with text summary fields.
The module doesn't sufficiently filter text when certain options are selected.
This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create content on the site when certain options are selected for the trimmed output.