Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
The Consent Popup provides a configurable popup that requires acceptance of a question before the visitor can continue, typically used for age consent.
The module doesn't sufficiently sanitizes the text on the block leading to a cross site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create blocks.
The Iubenda Integration module provides a custom block to provide a link to the Iubenda privacy policy. On this block, a custom prefix and suffix text can be entered.
The module does not sufficiently filter the block text fields on output, resulting in a Cross-Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to use the layout builder on content, edit the layout, or with the "Administer blocks" permission.
The File Chooser Field allows users to upload files using 3rd party plugins such as Google Drive and Dropbox.
This module fails to validate user input sufficiently which could under certain circumstances lead to a Server Side Request Forgery (SSRF) vulnerability leading to Information Disclosure. In uncommon configurations and scenarios, it might lead to Remote Code Execution.
S3 File System (s3fs) provides an additional file system to your Drupal site, which stores files in Amazon's Simple Storage Service (S3) or any other S3-compatible storage service.
This module may fail to validate that a file being requested to be moved to storage was uploaded during the same web request, possibly allowing an attacker to move files that should normally be inaccessible to them.
This vulnerability is mitigated by the fact that another vulnerability must already exist outside of s3fs.
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to.
Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.
The Media Responsive Thumbnail module allows media reference fields to be rendered as a responsive image.
This module does not properly check entity access prior to rendering media. This may result in users seeing thumbnails of media items they do not have access to.
Drupal core provides a page that outputs the markup from phpinfo() to assist with diagnosing PHP configuration.
If an attacker was able to achieve an XSS exploit against a privileged user, they may be able to use the phpinfo page to access sensitive information that could be used to escalate the attack.
This vulnerability is mitigated by the fact that a successful XSS exploit is required in order to exploit it.
Drupal Steward is a web application firewall product that can protect your Drupal sites from highly critical and mass exploitable vulnerabilities, allowing you to update on your own time.