Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.
This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.
The core REST and contributed GraphQL modules are not affected.
This module enables users to log in by email address with minimal configurations.
Drupal core contains protection against brute force attacks via a flood control mechanism. This module's functionality did not replicate the flood control, enabling brute force attacks.
The Webprofiler module provides a way of displaying the Symfony profile debugging tool at the bottom of each page.
The abbr_class Twig filter can be used to bypass the Twig auto-escape feature.
This vulnerability is mitigated by the fact that it is only exposed when the filter is specifically used in a theme to render content that contains an attack vector.
Drupal Steward is a web application firewall product that can protect your Drupal sites from highly critical and mass exploitable vulnerabilities, allowing you to update on your own time.