Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
The Migrate Tools module provides tools for running and managing Drupal migrations.
The module doesn't sufficiently protect against Cross Site Request Forgery under specific scenarios allowing an attacker to trick an authenticated administrator into initiating a migration.
This vulnerability is mitigated by the fact that an attacker must know the name of the migration.
The Drupal Swift Mailer module extends the basic e-mail sending functionality provided by Drupal by delegating all e-mail handling to the Swift Mailer library. This enables your site to take advantage of the many features which the Swift Mailer library provides.
The module could allow an attacker to gain widespread access to a Drupal site. This vulnerability is mitigated by the fact that an attacker must have a means to trigger sending an email with a body that they can control, which would requires either another contributed module or custom integration.
Open Social is a Drupal distribution for online communities.
The included optional social_group_flexible_group module doesn't sufficiently validate group updates. The lack of validation makes it possible to have content inside the group changing it's visibility, which could lead to that content being shown to a broader audience than intended.
This vulnerability is mitigated by the fact the module social_group_flexible_group needs to be enabled.
Content within Open Social can have different visibilities. It is possible for a user to create public content even when this should not be allowed.
This vulnerability is mitigated by the fact that the site must have public visibility disabled on a global level.
This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.
In some cases, the module allows users to log in with an authentication plugin that an administrator has disabled.
This vulnerability is mitigated by the fact that an attacker must obtain a valid first-factor login credential, that an administrator must enable and then disable an authentication plugin, and that an attacker must obtain the valid second factor credential for the disabled plugin.
The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).
Sites that do not use the Comment module are not affected.
File entity provides interfaces for managing files. It also extends the core file entity, allowing files to be fieldable, grouped into types, viewed (using display modes) and formatted using field formatters.
The module previously did not sufficiently validate files under the scenario of a file replacement leading to multiple exploit paths including persistent Cross Site Scripting.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to edit files.
This module allows you to turn various data sources (Eg CSV or JSON file) into interactive visualisation. The DVF module provides a field (storage, widget & formatter) that can be added to any entity.
This module uses two third-party JS libraries having from low to medium vulnerabilities. One of the vulnerabilities is a Cross Site Scripting vulnerability that may affect Drupal sites as a Persistent Cross Site Scripting vulnerability (i.e. not reflected). This release updates the libraries.
Drupal Steward is a web application firewall product that can protect your Drupal sites from highly critical and mass exploitable vulnerabilities, allowing you to update on your own time.