Security-related announcements, such as information on best practices. These posts by the Drupal security team are also sent to the security announcements e-mail list.

Drupal file upload by anonymous or untrusted users into public file systems -- PSA-2016-003

This issue only affects sites that allow file uploads by non-trusted or anonymous visitors and store those uploads in a public file system.

Drupal 8.x core release on Monday -- PSA-2016-002

  • Advisory ID: DRUPAL-PSA-2016-002
  • Project: Drupal
  • Version: 8.x
  • Date: 2016-July-17
  • Security risk: TBD
  • Vulnerability: TBD

Drupal contrib - Highly Critical - Remote code execution PSA-2016-001

Drupal core - Critical - Remote installation PSA-2015-001

Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003

This Public Service Announcement is a follow up to SA-CORE-2014-005 - Drupal core - SQL injection. This is not an announcement of a new vulnerability in Drupal.

DRUPAL-PSA-2014-002 - Drupal core - Information disclosure

  • Advisory ID: DRUPAL-PSA-2014-002
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2014-May-21
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure

DRUPAL-PSA-2014-001 - Media - Access Bypass

  • Advisory ID: PSA-2014-001
  • Project: Media (third-party module)
  • Version: 7.x
  • Date: 2014-01-08
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access Bypass

PSA-2013-002: Direct download links available even during Drupal.org upgrade window

This is a short addition to the security announcements released on October 30th.

Due to Drupal.org's scheduled downtime on October 31, not all links in those mails may be available when you need them.

If you encounter this situation, please use the following direct URLs to the archives containing the updates.

PSA-2013-001: Drupal core - Users can insert hidden text and links

  • Advisory ID: PSA-2013-001
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2013-September-04
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure

DRUPAL-PSA-2012-001 - localizations - Cross Site Scripting

  • Advisory ID: DRUPAL-PSA-2012-001
  • Version: 6.x, 7.x
  • Date: 2012-March-07
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
