Image Field Caption (image_field_caption) adds an extra text area for captions on image fields.
The module doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting (XSS) vulnerability.
The vulnerability is mitigated by the fact that an attacker must hold one of several permissions, at least some of which are commonly assigned only to editors, site builders or administrators.
The Doubleclick for Publishers (DFP) module enables a site to place ads from Doubleclick For Publishers.
The module doesn't sanitize user input in certain cases, which leads to Cross-Site-Scripting (XSS) vulnerabilities. An attacker that can create or edit certain entities may be able to exploit a Cross-Site-Scripting (XSS) vulnerability to target visitors of the site, including site admins with privileged access.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer DFP".
This module enables you to add URL fields to entity types with a variety of options.
The module doesn't sufficiently filter output when token processing is disabled on an individual field.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and the token processing option must be disabled.
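The three advisories above (Image Field Caption, DFP and the URL field module) all come down to the same output-sanitisation mistake: a value a user typed into a field is written into a page without escaping. The following is an added example, not code from any of those modules, written in plain PHP so it runs with `php` outside Drupal. It shows the unsafe concatenation beside the escaped version, and why escaping alone is not enough for a user-supplied link target. The function names (`render_caption_unsafe`, `render_caption_safe`, `safe_href`), the sample caption and the sample URL are all constructed for illustration; the Drupal functions named in the comments (`check_plain()`, `Html::escape()`, `drupal_strip_dangerous_protocols()`, `UrlHelper::stripDangerousProtocols()`) are real but are not called here.

```php
<?php
declare(strict_types=1);

// Added example, not code from image_field_caption, dfp or the URL field
// module. Runs stand-alone: php xss_caption.php

// Constructed sample input: a caption and a link target as a user with the
// relevant editing permission might store them in a field.
const SAMPLE_CAPTION = 'Team photo <img src=x onerror="alert(document.cookie)">';
const SAMPLE_URL     = 'javascript:alert(document.cookie)';

/**
 * VULNERABLE: the stored caption is concatenated straight into HTML, so the
 * <img onerror> handler runs in every visitor's browser, including an
 * administrator's session on the same site.
 */
function render_caption_unsafe(string $caption): string {
  return '<figcaption>' . $caption . '</figcaption>';
}

/**
 * Escape a value for use as HTML text or as an attribute value. This is the
 * same call Drupal's check_plain() (7.x) and Html::escape() (8+) make.
 */
function escape_html(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * HARDENED: every < > & " ' becomes an entity, so the browser displays the
 * caption literally instead of parsing an <img> tag out of it. If editors
 * must be allowed limited markup, use a tag allow-list filter instead
 * (filter_xss() in 7.x, Xss::filter() in 8+); that is not implemented here.
 */
function render_caption_safe(string $caption): string {
  return '<figcaption>' . escape_html($caption) . '</figcaption>';
}

/**
 * A user-supplied href needs more than escaping: "javascript:" contains no
 * character htmlspecialchars() touches. Check the scheme against an
 * allow-list first, in the spirit of Drupal's drupal_strip_dangerous_protocols()
 * / UrlHelper::stripDangerousProtocols(), then escape. Unlike Drupal, which
 * strips the bad scheme and keeps the rest, this simplified version replaces
 * the whole link with "#".
 */
function safe_href(string $url, array $allowed = ['http', 'https', 'mailto']): string {
  $colon = strpos($url, ':');
  if ($colon !== false) {
    $scheme = substr($url, 0, $colon);
    // A colon preceded by / ? or # cannot be a scheme delimiter: the URL is
    // relative and inherits the page's own (safe) protocol.
    if (!preg_match('![/?#]!', $scheme)
        && !in_array(strtolower($scheme), $allowed, true)) {
      return '#';
    }
  }
  // Validate the raw stored value first, escape for output last, so an
  // entity-encoded colon (&#58;) cannot re-form a scheme after escaping.
  return escape_html($url);
}

foreach ([
  'unsafe caption'    => render_caption_unsafe(SAMPLE_CAPTION),
  'safe caption'      => render_caption_safe(SAMPLE_CAPTION),
  'href (javascript)' => safe_href(SAMPLE_URL),
  'href (https)'      => safe_href('https://example.com/?q=a:b'),
  'href (relative)'   => safe_href('/node/1?ref=a:b'),
] as $label => $html) {
  printf("%-18s %s\n", $label, $html);
}
```

The relative-URL cases are there on purpose: a naive "reject anything with a colon" check would break `/node/1?ref=a:b`, and a naive "take everything before the first colon" check would reject `https://example.com/?q=a:b` because of the second colon. Keeping the check on the scheme only, and escaping after the check rather than before, avoids both.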
Drupal 9.3 implemented a generic entity access API for entity revisions. However, this API was not completely integrated with existing permissions, resulting in some possible access bypass for users who have access to use revisions of content generally, but who do not have access to individual items of node and media content.
This vulnerability only affects sites using Drupal's revision system.
Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.
We do not know of affected forms within core itself, but contributed and custom project forms could be affected. Installing this update will fix those forms.
The Rename Admin Path module provides additional security to Drupal sites by renaming the admin paths. The module has a vulnerability which allows attackers to bypass the protection by using specially crafted URLs.
The risk is mitigated by the fact that, even though the attacker can bypass the protection offered by this module, all regular permissions still apply.
This module allows site administrators to grant specific roles the authority to assign selected roles to users, without those roles needing the "administer permissions" permission.
The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An authenticated user is able to assign the administrator role to their own user account.
This vulnerability is mitigated by the fact that an attacker must have access to an overview of users with the Views Bulk Operations module enabled. For example, the admin_views module provides such a view.
Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites.