Addresses XSS and CSRF vulnerabilities. For more information, see SA-CONTRIB-2015-014 - Wishlist - Multiple vulnerabilities.
Security: fixed a cross-site-scripting vulnerability for users with "administer homebox" permission.
See SA-CONTRIB-2015-002 - Course - Cross Site Scripting (XSS)
There are no other changes in this release.
SA-CONTRIB-2015-013 - Field Display Label - Cross Site Scripting (XSS).
See SA-CONTRIB-2015-011 - Todo Filter - Cross Site Request Forgery (CSRF)
Also includes earlier fix: #803224: Checking an item off the list doesn't make it permanent
In addition to the news page and sub-tabs, all security announcements are posted to an email list. To subscribe by email, log in, go to your user profile page, and subscribe to the security newsletter on the Edit » My newsletters tab.
You can also get RSS feeds for core, contrib, or public service announcements or follow @drupalsecurity on Twitter.
In order to report a security issue, or to learn more about the security team, please see the Security team handbook page.
If you are a Drupal developer, please read the handbook section on Writing secure code.