Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
The Social Base theme is designed as a base theme for Open Social. This base
theme holds has a lot of sensible defaults. It doesn't however contain much
styling. We expect developers to want to change this for their own project.
When content within the Open Social distribution is placed within a group then the Socialbase theme renders a link to that group on the content view page.
This module enables you to build searches using a wide range of features, data sources and backends.
The module doesn't in all cases correctly detect whether a given search is active on the current page, leading to potential information disclosure for some setups.
This vulnerability is mitigated by the fact that only very specific setups will have this problem and there is no way for an attacker to trigger it.
This module enables themers to get partial data from field render arrays. It gives them more control over the output without drilling deep into the render array or using preprocess functions.
The module doesn't sufficiently apply access restrictions when using the filters field_label, field_value, field_raw and field_target_entity.
This vulnerability is mitigated by the fact that these filters must be used in combination with either unpublished content or access control modules.
This module enables you to utilize S3-compatible storage as a Drupal filesystem.
The module doesn't sufficiently prevent file access across multiple filesystem schemes stored in the same bucket.
This vulnerability is mitigated by the fact that an attacker must obtain a method to access arbitrary file paths, the site must have public or private takeover enabled, and the file metadata cache must be ignored.
Drupal uses the Twig third-party library for content templating and sanitization. Twig has released a security update that affects Drupal. Twig has rated the vulnerability as high severity.
Drupal core's code extending Twig has also been updated to mitigate a related vulnerability.
The Next.js module provides an inline preview for content. Authenticated requests are made to Drupal to fetch JSON:API content and render them in an iframe from the decoupled Next.js site.
The current implementation doesn’t sufficiently check access for fetching data. All requests made to Drupal are authenticated using a single scope with elevated content access. Users without access to content could be exposed to unauthorized content.
This module enables you to accept payments from the Elavon payment provider.
The module doesn't sufficiently verify that it's communicating with the correct server when using the Elavon (On-site) payment gateway, which could lead to leaking valid payment details as well as accepting invalid payment details.
This vulnerability is mitigated by the fact that an attacker must be able to spoof the Elavon DNS received by your site.
jQuery UI is a third-party library used by Drupal. The jQuery UI Checkboxradio module provides the jQuery UI Checkboxradio library (which was previously in Drupal 8 core, but has since been removed from core and moved to this module).
As part of the jQuery UI 1.13.2 update, the jQuery UI project disclosed following security issue that may affect sites using the jQuery UI Checkboxradio module:
Drupal Steward is a web application firewall product that can protect your Drupal sites from highly critical and mass exploitable vulnerabilities, allowing you to update on your own time.