
Security Alerts
This list is for security announcements sent out by the Drupal security team.
Updated: 28 weeks 5 days ago
SA-2008-016 - OpenID - Incorrect claimed_id returned for OpenID 2.0
- Advisory ID: DRUPAL-SA-2008-016
- Project: OpenID (third-party module)
- Version: 5.x-1.0
- Date: 2007-January-30
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Identity impersonation
SA-2008-015 - Comment Upload - Arbitrary file upload
- Advisory ID: DRUPAL-SA-2008-015
- Project: Comment upload (third-party module)
- Version: 4.7.x, 5.x
- Date: 2007-January-30
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Arbitrary file upload
SA-2008-014 - Userpoints - Cross site request forgery
- Advisory ID: DRUPAL-SA-2008-014
- Project: Userpoints (third-party module)
- Version: 4.7.x, 5.x-2.x, 5.x-3.x
- Date: 2008-January-30
- Security risk: Not critical
- Exploitable from: Remote
- Vulnerability: Cross site request forgery
SA-2008-013 - Project issue tracking - Arbitrary file upload
- Advisory ID: DRUPAL-SA-2008-013
- Project: Project issue tracking (third-party module)
- Version: 4.7.x-1.x, 4.7.x-2.x, 5.x-1.x, 5.x-2.x
- Date: 2007-January-30
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Arbitrary file upload
SA-2008-012 - Project issue tracking - XSS vulnerability in comment summary tables
- Advisory ID: DRUPAL-SA-2008-012
- Project: Project issue tracking (third-party module)
- Version: 4.7.x-1.x, 4.7.x-2.x, 5.x-1.x, 5.x-2.x
- Date: 2007-January-30
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross-site scripting (XSS)
SA-2008-011 - Securesite - Access bypass
- Advisory ID: DRUPAL-SA-2008-011
- Project: Secure Site (third-party module)
- Version: 5.x-1.0, 4.7.x-1.0
- Date: 2008-January-30
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass
SA-2008-10 - Archive - Cross site scripting
- Advisory ID: DRUPAL-SA-2008-010
- Project: Archive (third-party module)
- Version: 5.x
- Date: 2008-January-23
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
SA-2008-009 - Workflow - Cross site scripting
- Advisory ID: DRUPAL-SA-2008-009
- Project: Workflow (third-party module)
- Version: 4.7.x, 5.x
- Date: 2008-January-23
- Security risk: Not critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
SA-2008-008 - Meta tags - Arbitrary code execution
- Advisory ID: DRUPAL-SA-2008-008
- Project: Meta tags / Nodewords (third-party module)
- Version: 5.x-1.6
- Date: 2007-January-14
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Arbitrary code execution
SA-2008-007 - Drupal core - Cross site scripting (register_globals)
- Advisory ID: DRUPAL-SA-2008-007
- Project: Drupal core
- Version: 4.7.x, 5.x
- Date: 2008-January-10
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting when register_globals is enabled.
SA-2007-033 - Feature - CSRF
- Advisory ID: DRUPAL-SA-2007-033
- Project: Feature module (third-party module)
- Version: 4.7.x, 5.x
- Date: 2007-December-05
- Security risk: Not critical
- Exploitable from: Remote
- Vulnerability: Cross site request forgery
SA-2007-032 - Shoutbox - Cross site scripting
- Advisory ID: DRUPAL-SA-2007-032
- Project: Shoutbox (third-party module)
- Version: 5.x
- Date: 2007-December-05
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
SA-2007-031 - Drupal core - SQL Injection possible when certain contributed modules are enabled
- Advisory ID: DRUPAL-SA-2007-031
- Project: Drupal core
- Version: 4.7.x, 5.x
- Date: 2007-December-05
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: SQL Injection
SA-2007-030 - Drupal Core - API handling of unpublished comment.
- Advisory ID: DRUPAL-SA-2007-030
- Project: Drupal core
- Version: 4.7.x, 5.x
- Date: 2007-October-17
- Security risk: Not critical
- Exploitable from: Remote
- Vulnerability: Access bypass
SA-2007-029 - Drupal core - User deletion cross site request forgery
- Advisory ID: DRUPAL-SA-2007-029
- Project: Drupal core
- Version: 5.x
- Date: 2007-October-17
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross site request forgery
SA-2007-027 - Token - Cross site scripting
- Advisory ID: DRUPAL-SA-2007-027
- Project: Several Modules That Use Token module
- Version: 5.x
- Date: 2007-October-17
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
SA-2007-028 - Weblinks - Cross site scripting
- Advisory ID: DRUPAL-SA-2007-028
- Project: Weblinks (third-party module)
- Version: 4.7.x, 5.x
- Date: 2007-October-17
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
SA-2007-026 - Drupal Core - Cross site scripting via uploads
- Advisory ID: DRUPAL-SA-2007-026
- Project: Drupal core
- Version: 4.7.x, 5.x
- Date: 2007-October-17
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross site scripting
SA-2007-025 - Drupal core - Arbitrary code execution via installer.
- Advisory ID: DRUPAL-SA-2007-025
- Project: Drupal core
- Version: 5.x
- Date: 2007-October-17
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Arbitrary code execution
SA-2007-024 - Drupal Core - HTTP response splitting
- Advisory ID: DRUPAL-SA-2007-024
- Project: Drupal core
- Version: 4.7.x, 5.x
- Date: 2007-October-17
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: HTTP response splitting

