Security-related announcements, such as information on best practices. These posts by the Drupal security team are also sent to the security announcements e-mail list.

Update on Views Ajax vulnerability for Drupal 7 Views and Drupal 8 core. -- PSA-2017-002

  • Advisory ID: DRUPAL-PSA-2017-002
  • Project: Drupal contributed modules
  • Version: 7.x, 8.x
  • Date: 2017-Aug-16

Drupal 8 core upcoming critical release PSA-2017-001

  • Advisory ID: DRUPAL-PSA-2017-001
  • Project: Drupal core
  • Version: 8.x
  • Date: 2017-Apr-17

PHPmailer 3rd party library -- DRUPAL-SA-PSA-2016-004

Drupal file upload by anonymous or untrusted users into public file systems -- PSA-2016-003

This issue only affects sites that allow file uploads by non-trusted or anonymous visitors and store those uploads in a public file system.

Drupal 8.x core release on Monday -- PSA-2016-002

  • Advisory ID: DRUPAL-PSA-2016-002
  • Project: Drupal
  • Version: 8.x
  • Date: 2016-July-17
  • Security risk: TBD
  • Vulnerability: TBD

Drupal contrib - Highly Critical - Remote code execution PSA-2016-001

Drupal core - Critical - Remote installation PSA-2015-001

Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003

This Public Service Announcement is a follow-up to SA-CORE-2014-005 - Drupal core - SQL injection. This is not an announcement of a new vulnerability in Drupal.

DRUPAL-PSA-2014-002 - Drupal core - Information disclosure

  • Advisory ID: DRUPAL-PSA-2014-002
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2014-May-21
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure

DRUPAL-PSA-2014-001 - Media - Access Bypass

  • Advisory ID: PSA-2014-001
  • Project: Media (third-party module)
  • Version: 7.x
  • Date: 2014-01-08
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access Bypass

