Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Under certain circumstances, the Drupal core form API evaluates form element access incorrectly. This may lead to a user being able to alter data they should not have access to.
No forms provided by Drupal core are known to be vulnerable. However, forms added through contributed or custom modules or themes may be affected.
In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system.
Access to a non-public file is checked only if it is stored in the "private" file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability.
This module enables you to generate print versions of content.
Some installations of the module make use of the dompdf/dompdf third-party dependency.
Security vulnerabilities exist for versions of dompdf/dompdf < 2.0.0
This module enables you to create and manage a version of taxonomy based on configuration entities instead of content. This allows the terms, vocabularies, and their structure to be exported, imported, and managed as site configuration.
The module doesn't sufficiently check access for the edit and delete operations. Users with "access content" permission can edit or delete any term. The edit form may expose term data that users could not otherwise see, since there is no term view route by default.
The Lottiefiles Field module enables you to integrate the lottiefiles features into your page.
The module does not sufficiently filter user-provided text on output, resulting in a Cross-Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit content that has lottiefiles fields.
In Drupal 9.4 and higher, drupal/core-recommended allows patch-level vendor updates
The drupal/core-recommended metapackage now allows patch-level updates for Composer dependencies. This means that site owners using drupal/core-recommended can now install most Composer dependency security updates themselves, without needing to wait for an upstream release of Drupal core that updates the affected package.
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which does not affect Drupal core, but may affect some contributed projects or custom code on Drupal sites.
The Apigee Edge module allows connecting a Drupal site to Apigee X / Edge in order to build a developer portal. The developers (user) can view API keys for their respective Apps.
The module discloses information by allowing attackers to view cached information of API Keys from the browser cache for a limited time frame after the user login on the same computer.
Entity Browser Block provides a Block Plugin for every Entity Browser on your site.
The module didn't sufficiently check entity view access in the block form.
This vulnerability is mitigated by the fact that an attacker must be able to place a block - either through the core "Block Layout" page or via a module like Layout Builder.
Drupal Steward is a web application firewall product that can protect your Drupal sites from highly critical and mass exploitable vulnerabilities, allowing you to update on your own time.