Security Alerts | What Would Drupal Do?

Security Alerts

This list is for security announcements sent out be the Drupal security team.

URL: http://drupal.org/taxonomy/term/44/0

Updated: 28 weeks 5 days ago

SA-2008-016 - OpenID - Incorrect claimed_id returned for OpenID 2.0

Wed, 2008-01-30 22:40

Advisory ID: DRUPAL-SA-2008-016
Project: OpenID (third-party module)
Version: 5.x-1.0
Date: 2007-January-30
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Identity impersonation

SA-2008-015 - Comment Upload - Arbitrary file upload

Wed, 2008-01-30 20:41

Advisory ID: DRUPAL-SA-2008-015
Project: Comment upload (third-party module)
Version: 4.7.x, 5.x
Date: 2007-January-30
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Arbitrary file upload

SA-2008-014 - Userpoints - Cross site request forgery

Wed, 2008-01-30 20:41

Advisory ID: DRUPAL-SA-2008-014
Project: Userpoints (third-party module)
Version: 4.7.x, 5.x-2.x, 5.x-3.x
Date: 2008-January-30
Security risk: Not critical
Exploitable from: Remote
Vulnerability: Cross site request forgery

SA-2008-013 - Project issue tracking - Arbitrary file upload

Wed, 2008-01-30 20:41

Advisory ID: DRUPAL-SA-2008-013
Project: Project issue tracking (third-party module)
Version: 4.7.x-1.x, 4.7.x-2.x, 5.x-1.x, 5.x-2.x
Date: 2007-January-30
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Arbitrary file upload

SA-2008-012 - Project issue tracking - XSS vulnerability in comment summary tables

Wed, 2008-01-30 20:41

Advisory ID: DRUPAL-SA-2008-012
Project: Project issue tracking (third-party module)
Version: 4.7.x-1.x, 4.7.x-2.x, 5.x-1.x, 5.x-2.x
Date: 2007-January-30
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross-site scripting (XSS)

SA-2008-011 - Securesite - Access bypass

Wed, 2008-01-30 20:39

Advisory ID: DRUPAL-SA-2008-011
Project: Secure Site (third-party module)
Version: 5.x-1.0, 4.7.x-1.0
Date: 2008-January-30
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Access bypass

SA-2008-10 - Archive - Cross site scripting

Wed, 2008-01-23 21:37

Advisory ID: DRUPAL-SA-2008-010
Project: Archive (third-party module)
Version: 5.x
Date: 2008-January-23
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Cross site scripting

SA-2008-009 - Workflow - Cross site scripting

Wed, 2008-01-23 21:26

Advisory ID: DRUPAL-SA-2008-009
Project: Workflow (third-party module)
Version: 4.7.x, 5.x
Date: 2008-January-23
Security risk: Not critical
Exploitable from: Remote
Vulnerability: Cross site scripting

SA-2008-008 - Meta tags - Arbitrary code execution

Mon, 2008-01-14 08:48

Advisory ID: DRUPAL-SA-2008-008
Project: Meta tags / Nodewords (third-party module)
Version: 5.x-1.6
Date: 2007-January-14
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Arbitrary code execution

SA-2008-007 - Drupal core - Cross site scripting (register_globals)

Thu, 2008-01-10 21:03

Advisory ID: DRUPAL-SA-2008-007
Project: Drupal core
Version: 4.7.x, 5.x
Date: 2008-January-10
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Cross site scripting when register_globals is enabled.

SA-2007-033 - Feature - CSRF

Wed, 2007-12-05 20:39

Advisory ID: DRUPAL-SA-2007-033
Project: Feature module (third-party module)
Version: 4.7.x, 5.x
Date: 2007-December-05
Security risk: Not critical
Exploitable from: Remote
Vulnerability: Cross site request forgery

SA-2007-032 - Shoutbox - Cross site scripting

Wed, 2007-12-05 20:38

Advisory ID: DRUPAL-SA-2007-032
Project: Shoutbox (third-party module)
Version: 5.x
Date: 2007-December-05
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Cross site scripting

SA-2007-031 - Drupal core - SQL Injection possible when certain contributed modules are enabled

Wed, 2007-12-05 20:38

Advisory ID: DRUPAL-SA-2007-031
Project: Drupal core
Version: 4.7.x, 5.x
Date: 2007-December-05
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: SQL Injection

SA-2007-030 - Drupal Core - API handling of unpublished comment.

Wed, 2007-10-17 19:50

Advisory ID: DRUPAL-SA-2007-030
Project: Drupal core
Version: 4.7.x, 5.x
Date: 2007-October-17
Security risk: Not critical
Exploitable from: Remote
Vulnerability: Access bypass

SA-2007-029 - Drupal core - User deletion cross site request forgery

Wed, 2007-10-17 19:40

Advisory ID: DRUPAL-SA-2007-029
Project: Drupal core
Version: 5.x
Date: 2007-October-17
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross site request forgery

SA-2007-027 - Token - Cross site scripting

Wed, 2007-10-17 19:07

Advisory ID: DRUPAL-SA-2007-027
Project: Several Modules That Use Token module
Version: 5.x
Date: 2007-October-17
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross site scripting

SA-2007-028 - Weblinks - Cross site scripting

Wed, 2007-10-17 18:43

Advisory ID: DRUPAL-SA-2007-028
Project: Weblinks (third-party module)
Version: 4.7.x, 5.x
Date: 2007-October-17
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Cross site scripting

SA-2007-026 - Drupal Core - Cross site scripting via uploads

Wed, 2007-10-17 18:38

Advisory ID: DRUPAL-SA-2007-026
Project: Drupal core
Version: 4.7.x, 5.x
Date: 2007-October-17
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross site scripting

SA-2007-025 - Drupal core - Arbitrary code execution via installer.

Wed, 2007-10-17 18:33

Advisory ID: DRUPAL-SA-2007-025
Project: Drupal core
Version: 5.x
Date: 2007-October-17
Security risk: Highly critical
Exploitable from: Remote
Vulnerability: Arbitrary code execution

SA-2007-024 - Drupal Core - HTTP response splitting

Wed, 2007-10-17 18:31

Advisory ID: DRUPAL-SA-2007-024
Project: Drupal core
Version: 4.7.x, 5.x
Date: 2007-October-17
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: HTTP response splitting

Hosted By Dreamhost.com

New Modules

Node Tracker

(#11811)template.php: Overriding other theme functions

(#16383)Making additional variables available to your templates

(#5120)Parse xml into sql insert statements

(#32597)Need to create nodes from my module (programatically)

(#17570)Branches | drupal.org

(#42562)Tutorial 3: Creating new widgets with AJAX

(#83349)How to include pages in each other?

(#91709)Added nodeapi('access') to node.module

(#84961)Add a "select all" toggle to forms with many checkboxes (eg: content management -> posts)

(#32077)How to generate <body> class/id attributes for each page

Did you know?

You don't need to register at WWDD to post comments.

Isn't it annoying when you want to comment on an article, but don't want to go through the hassle of creating yet-another-user account at yet-another-website?

Feel free to comment anonymously, or log in with your username@drupal.org account.

We won't mind a bit.