Since its official release in January 5, 2011 for many years Drupal 7.0 had been the content management system of choice for the majority of the web-projects hosted on AltaGrade platform. However, the picture has been gradually changing after Drupal 7's end-of-life was announced to take place sometime in November 2021 with growing number of Drupal 8, Wordpress, Backdrop or other types of websites coming.
Security risk: Moderately critical 13∕25
Vulnerability: Cross site scripting
Radix is a base theme for Drupal, with Bootstrap 4, Sass, ES6 and BrowserSync built-in.
The module doesn't sufficiently filter menu titles when used in a dropdown in the main menu.
This vulnerability is mitigated by the fact that an attacker must have permission to edit a menu title used in the main menu.
Install the latest version:
Project: Drupal core Version: 8.8.x-dev, 8.7.x-dev, 7.x-dev Date: 2019-December-18 Security risk: Critical 17∕25 Vulnerability: Multiple vulnerabilities
Drupal Security team released important security updates for Drupal 7 and Drupal 8 which address a critical and three "moderately critical" vulnerabilities in its core system.
Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096 Project: Webform Versions: 7.x-4.x, 7.x-3.x Date: 2019-December-11 Security risk: Critical 15∕25 Vulnerability: Multiple vulnerabilities
This module enables you to create forms to collect information from users and report, analyze and distribute it by email.
Project: Smart Trim Version: 8.x-1.x Date: 2019-December-11 Security risk: Moderately critical Vulnerability: Cross site scripting
The Smart Trim module allows site builders additional control with text summary fields.
The module doesn't sufficiently filter text when certain options are selected.
This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create content on the site when certain options are selected for the trimmed output.
Projects: Multiple Date: 2019-November-13 Security risk: Critical Vulnerability: Unsupported
Drupal Security team released multiple security advisories earlier today, notifying the following contributed modules and themes have been marked as unsupported and therefore should be either fixed or uninstalled:
Project: Open Social
Security risk: Critical 15∕25
Vulnerability: Insecure Session Management
Open Social is a Drupal distribution for online communities. The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts that do not have a local password, but login via external systems. The lack of validation makes it possible for an adversary to forge valid login URLs and login to such an account.
Project: Booking and Availability Management Tools for Drupal Date: 2019-October-16 Security risk: Moderately critical 11∕25 Vulnerability: Access Bypass
The Bat module provides a foundation through which a wide range of availability management, reservation and booking use cases can be addressed.
The routes used to view events don't sufficiently guard access for non-privileged users. Specifically, a user with the 'View own' permission for bat events can view others' events as well.
Project: Maxlength Date: 2019-October-09 Security risk: Moderately critical 13∕25 Vulnerability: Cross Site Scripting
This module enables you to set a maximum length allowed on text fields and indicate how many characters are left.
The module doesn't sufficiently filter strings leading to a Cross Site Scripting (XSS) vulnerability.
Project: Localization update Date: 2019-October-02 Security risk: Moderately critical 10∕25 Vulnerability: Insecure server configuration
This module enables you to automatically download and update the site's interface translation by fetching them from localize.drupal.org or any other Localization server.