Security-related announcements, such as information on best practices. These posts by the Drupal security team are also sent to the security announcements e-mail list.

Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003

This Public Service Announcement is a follow up to SA-CORE-2014-005 - Drupal core - SQL injection. This is not an announcement of a new vulnerability in Drupal.

DRUPAL-PSA-2014-002 - Drupal core - Information disclosure

  • Advisory ID: DRUPAL-PSA-2014-002
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2014-May-21
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure

DRUPAL-PSA-2014-001 - Media - Access Bypass

  • Advisory ID: PSA-2014-001
  • Project: Media (third-party module)
  • Version: 7.x
  • Date: 2014-01-08
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access Bypass

PSA-2013-002: Direct download links available even during Drupal.org upgrade window

This is a short addition to the security announcements released on October 30th.

Due to Drupal.org's scheduled downtime on October 31, not all links in those mails may be available when you need them.

If you encounter this situation, please use the following direct URLs to the archives containing the updates.

PSA-2013-001: Drupal core - Users can insert hidden text and links

  • Advisory ID: PSA-2013-001
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2013-September-04
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure

DRUPAL-PSA-2012-001 - localizations - Cross Site Scripting

  • Advisory ID: DRUPAL-PSA-2012-001
  • Version: 6.x, 7.x
  • Date: 2012-March-07
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

Pages

Subscribe with RSS Subscribe to RSS - Security public service announcements