The AltaGrade Blog

Your Drupal 7 Site is Past its End-of-Life: What's Your Next Step?

Nurlan Bayaman's picture

Nurlan

Jun 8, 2025
Add comment

Your Drupal 7 Site is Past its End-of-Life: What's Your Next Step?

If your website is still running on Drupal 7, it's time for some straight talk. The official end-of-life for Drupal 7 was January 5, 2025. This isn't a future deadline to plan for; it's a reality that has already passed. Operating a website on a platform that is no longer officially supported by its community is a significant business risk.
Let's be direct: every day you remain on Drupal 7, you're falling further behind and opening your organization up to unnecessary dangers.

Read More

Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001

Alex Shaposhnik's picture

Alex

 Technical Support Specialist

Jan 17, 2024
Add comment

Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001

Project: Drupal core
Date: 2024-January-17
Security risk: Moderately critical 11∕25 
Vulnerability: Denial of Service
Affected versions: >=8.0 =10.2

Description

The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).

Sites that do not use the Comment module are not affected.

Solution

Install the latest version:

Read More

Typogrify - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-002

Alex Shaposhnik's picture

Alex

 Technical Support Specialist

Jan 10, 2024
Add comment

Typogrify - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-002

Project: Typogrify
Date: 2024-January-10
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site Scripting
Affected versions: <1.3.0

Description

The Typogrify module brings the typographic refinements of Typogrify to Drupal. It provides a text filter and a Twig filter.

The typogrify Twig filter can be used to bypass the Twig auto-escape feature, leading to a persistent Cross Site Scripting (XSS) vulnerability.

Read More

File Entity (fieldable files) - Moderately critical - Cross Site Scripting, Access bypass - SA-CONTRIB-2024-001

Alex Shaposhnik's picture

Alex

 Technical Support Specialist

Jan 10, 2024
Add comment

File Entity (fieldable files) - Moderately critical - Cross Site Scripting, Access bypass - SA-CONTRIB-2024-001

Project: File Entity (fieldable files)
Date: 2024-January-10
Security risk: Moderately critical 14∕25
Vulnerability: Cross Site Scripting, Access bypass

Description

File entity provides interfaces for managing files. It also extends the core file entity, allowing files to be fieldable, grouped into types, viewed (using display modes) and formatted using field formatters.

Read More

Drupal 9 Reaches End of Life

Alex Shaposhnik's picture

Alex

 Technical Support Specialist

Nov 1, 2023
Add comment

Drupal 9 Reaches End of Life

On November 1, 2023, Drupal 9 has officially reached its end of life.

Drupal 9 depends on several essential software components, including Symfony, CKEditor, and Twig. With the approaching end of life for Symfony 4, CKEditor 4, and Twig 2, Drupal 9 has now transitioned into its end-of-life phase. There will be no further Drupal 9 releases.

Read More

Entity cache - Critical - Information disclosure - SA-CONTRIB-2023-046

Alex Shaposhnik's picture

Alex

 Technical Support Specialist

Sep 27, 2023
Add comment

Entity cache - Critical - Information disclosure - SA-CONTRIB-2023-046

Project: Entity cache
Date: 2023-September-27
Security risk: Critical 16∕25
Vulnerability: Information disclosure

Description

Entity Cache puts core entities into Drupal's cache API.

A recent release of the module does not sanitize certain inputs appropriately. This can lead to unintended behavior when wildcard characters are included in the input.

The impact of this bug should be relatively minor in most configurations, but in worst-case scenarios it could lead to significant Access Bypass.

Read More

Drupal core - Critical - Cache poisoning - SA-CORE-2023-006

Nick Onom's picture

Nick

 Marketing Project Manager

Sep 20, 2023
Add comment

Drupal core - Critical - Cache poisoning - SA-CORE-2023-006

Project: Drupal core
Date: 2023-September-20
Security risk: Critical 16∕25
Vulnerability: Cache poisoning
Affected versions: >=8.7.0 =10.0 = 10.1

Description

In certain scenarios, Drupal's JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.

Read More

Config Pages - Moderately critical - Information Disclosure - SA-CONTRIB-2023-037

Nurlan Bayaman's picture

Nurlan

Aug 23, 2023
Add comment

Config Pages - Moderately critical - Information Disclosure - SA-CONTRIB-2023-037

Project: Config Pages
Version: 8.x-2.8, 8.x-2.7, 8.x-2.6, 8.x-2.5,8.x-2.4, 8.x-2.3, 8.x-2.2, 8.x-2.1, 8.x-2.0
Date: 2023-August-23
Security risk: Moderately critical 12∕25
Vulnerability: Information Disclosure
Affected versions:

Description

This module enables you to build administrative pages for managing configuration objects, which may then be used elsewhere in the site.

The module doesn't sufficiently validate access when the JSONAPI module is also installed.

Read More

ACL - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-034

Nurlan Bayaman's picture

Nurlan

Aug 23, 2023
Add comment

ACL - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-034

Project: ACL
Date: 2023-August-23
Security risk: Critical 17∕25
Vulnerability: Arbitrary PHP code execution
Affected versions:

Description

The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

Read More

Pages