The Rest views module lets site admins create rest exports in views with additional options for serializing data.
This module does not accurately check access and may expose paths to unpublished content.
This vulnerability is mitigated by the fact that there must be a specific content structure to expose.
Paths to unpublished entities (such as nodes) will be exposed if those entities are referenced from other entities listed in a REST display, and the reference field on those listed entities is displayed with the "Entity path" formatter.
Progressive web applications are web applications that load like regular web pages or websites but can offer the user functionality such as working offline, push notifications, and device hardware access traditionally available only to native applications.
This module doesn't sufficiently protect access to the settings form, allowing an unauthorized malicious user to view and modify the module settings.
This module enables sites to comply with the European cookie law using tarteaucitron.js.
The module doesn't sufficiently filter user-supplied markup inside content, leading to a persistent Cross Site Scripting (XSS) vulnerability. More details are available in CVE-2023-3620.
This vulnerability is mitigated by the fact that an attacker needs to be able to write content in the page, a feature commonly available on Drupal sites.
The Registration role module lets an administrator select a role (or multiple roles) to automatically assign to new users. The selected role (or roles) will be assigned to new registrants.
The module has a logic error when handling sites that upgraded the code but did not run the Drupal update process (e.g. update.php).
This vulnerability is mitigated by the fact that the problem does not exist on sites that followed the process of updating code and running the standard updates.
This module gives each node a 'private' checkbox. If it's set, the node can only be seen by the node author, or users with the 'access private content' permission.
The module incorrectly grants access to private nodes under certain specific circumstances. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Access private content".
The CKEditor 4 LTS - WYSIWYG HTML editor module uses the CKEditor library for WYSIWYG editing. CKEditor has released a security update that on certain configurations may impact the Drupal module that bundles and integrates this code.
The vulnerability is mitigated by the fact that it requires:
In addition to the news page and sub-tabs, all security announcements are posted to an email list. To subscribe to email: log in, go to your user profile page and subscribe to the security newsletter on the Edit » My newsletters tab.
In order to report a security issue, or to learn more about the security team, please see the Security team handbook page.
Writing secure code
If you are a Drupal developer, please read the handbook section on Writing secure code.
Drupal Steward
Drupal Steward is a web application firewall product that can protect your Drupal sites from highly critical and mass exploitable vulnerabilities, allowing you to update on your own time.