Security-related announcements, such as information on best practices. These posts by the Drupal security team are also sent to the security announcements e-mail list.
This issue only affects sites that allow file uploads by non-trusted or anonymous visitors, and stores those uploads in a public file system.
This Public Service Announcement is a follow up to SA-CORE-2014-005 - Drupal core - SQL injection. This is not an announcement of a new vulnerability in Drupal.
Drupal is a registered trademark of Dries Buytaert.