View online: https://www.drupal.org/node/2636502
* Advisory ID: DRUPAL-SA-CONTRIB-2015-175
* Project: Block Class [1] (third-party module)
* Version: 7.x
* Date: 2015-December-16
* Security risk: 19/25 (Critical) AC:None/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to add custom classes to blocks.
The module doesn't sufficiently scrub class names written by a malicious
block class administrator.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer block classes".
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* block_class 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Block Class
[4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the block_class module for Drupal 7.x, upgrade to block_class
7.x-2.2 [5]
Also see the Block Class [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Neil Drumm [7] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Berend de Boer [8], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Ben Dougherty [9] of the Drupal Security Team
* Owen Barton [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/block_class
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/block_class
[5] https://www.drupal.org/node/2636498
[6] https://www.drupal.org/project/block_class
[7] https://www.drupal.org/user/23
[8] https://www.drupal.org/user/143552
[9] https://www.drupal.org/user/1852732
[10] https://www.drupal.org/user/19668
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2636380
* Advisory ID: DRUPAL-SA-CONTRIB-2015-174
* Project: Open Atrium [1] (third-party module)
* Version: 7.x
* Date: 2015-December-16
* Security risk: 17/25 (Critical) AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Open Atrium distribution enables you to create an intranet.
Open Atrium Core module doesn't sufficiently sanitize some user supplied
text, leading to a reflected Cross Site Scripting vulnerability (XSS).
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Open Atrium distribution 7.x-2.x versions prior to 7.x-2.51
* Open Atrium Core module 7.x-2.x versions prior to 7.x-2.66
Drupal core is not affected. If you do not use the contributed Open Atrium
[4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
If you use the Open Atrium distribution for Drupal 7.x:
* Upgrade to Open Atrium 7.x-2.51
If you use the Open Atrium Core module for Drupal 7.x:
* Upgrade to Open Atrium Core 7.x-2.66 [5]
Also see the Open Atrium [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* kris84 [7]
* jbylsma [8]
-------- FIXED BY ------------------------------------------------------------
* kris84 [9]
* Mike Potter [10], a module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [11] of the Drupal Security Team
[1] https://www.drupal.org/project/openatrium
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/openatrium
[5] https://www.drupal.org/node/2636350
[6] https://www.drupal.org/project/openatrium
[7] https://www.drupal.org/user/142812
[8] https://www.drupal.org/u/jbylsma
[9] https://www.drupal.org/user/142812
[10] https://www.drupal.org/user/616192
[11] https://www.drupal.org/u/pere-orga
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2636344
* Advisory ID: DRUPAL-SA-CONTRIB-2015-172
* Project: Values [1] (third-party module)
* Version: 7.x
* Date: 2015-December-16
* Security risk: 16/25 (Critical) AC:Basic/A:Admin/CI:All/II:All/E:Proof/TD:Uncommon [2]
* Vulnerability: Arbitrary PHP code execution
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to create key|value pairs for use in list fields,
webforms etc.
The module includes an import page that runs eval() on an exported code block
(ctools), but the permission for the page does not warn about the security
concerns of importing raw PHP code like this (trusted permission).
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "import value sets".
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Values 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Values [4]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the values module for Drupal 7.x, upgrade to Values 7.x-1.2 [5]
Also see the Values [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Sam Becker [7]
-------- FIXED BY ------------------------------------------------------------
* Chris Eastwood [8], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
* Michael Hess [10] of the Drupal Security Team
[1] https://www.drupal.org/project/values
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/values
[5] https://www.drupal.org/node/2622534
[6] https://www.drupal.org/project/values
[7] https://www.drupal.org/user/1485048
[8] https://www.drupal.org/user/823702
[9] https://www.drupal.org/u/greggles
[10] https://www.drupal.org/u/mlhess
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/PSA-2015-001
* Advisory ID: DRUPAL-PSA-CONTRIB-2015-001
* Project: Drupal core [1]
* Version: 6.x, 7.x, 8.x
* Date: 2015-December-02
* Security risk: 17/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Exploit/TD:Uncommon [2]
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION ---------------------------------------------------------
When a Drupal installation is not completed past the database configuration
phase and install.php is left accessible via the internet, any visitor to
install.php may complete the installation with a remote database of their
selection.
Such a malicious user may use the remote database to execute code on the
server.
The above also applies to sites that react to certain hostnames with an
installation page and have a sites folder owned or writable by the webserver.
Such inadvertent multisites may occur when no default settings.php is present
and directory permissions are misconfigured.
These vulnerabilities are mitigated by setting directory and/or file
permissions that prevent the webserver from writing to the sites/default/ and
sites/ directories.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
Drupal 6 core, Drupal 7 core and Drupal 8 core.
-------- SOLUTION ------------------------------------------------------------
Always complete installations fully on servers exposed to the internet.
Ensure that the webserver does not own the sites folder and cannot write to
the sites folder.
Consider removing install.php after installation.
Consider installing and automating the execution of Security review [4] which
will identify weak file permissions and ownership.
Also see the Drupal core [5] project page.
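An added example, not part of the advisory or of Drupal's own tooling: a POSIX shell audit of the conditions this PSA names (sites/ or sites/default/ owned or writable by the webserver, no default settings.php, install.php left in place). The docroot path and the webserver account (www-data) are assumptions, and writability is judged from owner, group and mode bits only, so ACLs are not considered.

```shell
#!/bin/sh
# Added example: audit a Drupal docroot for the conditions named in PSA-2015-001.
# Assumptions: the docroot path and the webserver account (e.g. www-data) are
# supplied by the operator; only owner/group/mode bits are read, not ACLs.

# Print "owner group mode-string" for a path, parsed from `ls -ld`.
path_meta() {
  ls -ld -- "$1" | awk '{ print $3, $4, $1 }'
}

# Succeed if user $2 may write to path $1 under classic Unix permission rules:
# the owner class applies to the owner, else the group class to group members,
# else the "other" class.
can_write() {
  cw_meta=$(path_meta "$1")
  [ -n "$cw_meta" ] || return 1
  cw_owner=${cw_meta%% *}
  cw_rest=${cw_meta#* }
  cw_group=${cw_rest%% *}
  cw_mode=${cw_rest#* }
  if [ "$cw_owner" = "$2" ]; then
    cw_bit=$(printf '%s' "$cw_mode" | cut -c3)
  else
    cw_bit=$(printf '%s' "$cw_mode" | cut -c9)
    # An unknown account has no groups, so it falls through to "other".
    for cw_g in $(id -Gn "$2" 2>/dev/null || true); do
      if [ "$cw_g" = "$cw_group" ]; then
        cw_bit=$(printf '%s' "$cw_mode" | cut -c6)
      fi
    done
  fi
  [ "$cw_bit" = w ]
}

# Print one FINDING line per condition the PSA warns about, and a NOTE line
# for what it only suggests reviewing.
audit_drupal_root() {
  ad_root=$1
  ad_user=$2
  for ad_dir in "$ad_root/sites" "$ad_root/sites/default"; do
    [ -d "$ad_dir" ] || continue
    ad_meta=$(path_meta "$ad_dir")
    if [ "${ad_meta%% *}" = "$ad_user" ]; then
      echo "FINDING: $ad_dir is owned by $ad_user"
    fi
    if can_write "$ad_dir" "$ad_user"; then
      echo "FINDING: $ad_dir is writable by $ad_user"
    fi
  done
  if [ ! -f "$ad_root/sites/default/settings.php" ]; then
    echo "FINDING: sites/default/settings.php is missing"
  fi
  if [ -f "$ad_root/install.php" ]; then
    echo "NOTE: install.php is present; consider removing it after installation"
  fi
  return 0
}

# Number of FINDING lines for docroot $1 and webserver user $2.
count_findings() {
  audit_drupal_root "$1" "$2" | awk '/^FINDING/ { n++ } END { print n + 0 }'
}

# Run the audit when called with a docroot, e.g.:
#   sh audit.sh /var/www/drupal www-data
if [ "$#" -ge 1 ]; then
  audit_drupal_root "$1" "${2:-www-data}"
fi
```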
-------- COORDINATED BY ------------------------------------------------------
* Heine Deelstra [6] of the Drupal security team
* Greg Knaddison [7] of the Drupal security team
* Michael Hess [8] of the Drupal security team
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/security_review
[5] https://www.drupal.org/project/drupal
[6] https://www.drupal.org/u/heine
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/mlhess
[9] https://www.drupal.org/contact
[10] https://www.drupal.org/security-team
[11] https://www.drupal.org/writing-secure-code
[12] https://www.drupal.org/security/secure-configuration
[13] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2627638
* Advisory ID: DRUPAL-SA-CONTRIB-2015-171
* Project: Token Insert Entity [1] (third-party module)
* Version: 7.x
* Date: 2015-December-02
* Security risk: 10/25 (Moderately Critical) AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Access bypass, Information Disclosure
-------- DESCRIPTION ---------------------------------------------------------
This module offers a WYSIWYG button to embed rendered entities in fields
using a WYSIWYG (normally the body of a node).
There is a vulnerability because a user that can create or edit content and
has the "insert entity token" permission can insert tokens relating to e.g.
an unpublished node and allow any (including anonymous) users to see this
rendered node embedded into the main node.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Token Insert Entity 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Token Insert
Entity [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Token Insert Entity module for Drupal 7.x, upgrade to
Token Insert Entity 7.x-1.1 [5]
Also see the Token Insert Entity [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* killes [7] of the Drupal Security Team
-------- FIXED BY ------------------------------------------------------------
* Juampy NR [8], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Peter Wolanin [9] of the Drupal Security Team
[1] https://www.drupal.org/project/token_insert_entity
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/token_insert_entity
[5] https://www.drupal.org/node/2571905
[6] https://www.drupal.org/project/token_insert_entity
[7] https://www.drupal.org/user/227
[8] https://www.drupal.org/user/682736
[9] https://www.drupal.org/user/49851
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2627580
* Advisory ID: DRUPAL-SA-CONTRIB-2015-170
* Project: Apache Solr Search [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2015-December-02
* Security risk: 13/25 (Moderately Critical) AC:Basic/A:None/CI:None/II:Some/E:Proof/TD:Default [2]
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
This module enables you to connect to an Apache Solr search server to provide
a replacement for Drupal core content search and provide both extra features
and better search performance and relevance.
The module doesn't correctly check access when attempting to delete
non-default search environments.
This vulnerability is mitigated by the fact that the site must have a
non-default environment configured and an attacker must discover the ID of
the environment.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Apache Solr Search 6.x-3.x versions prior to 6.x-3.1.
* Apache Solr Search 7.x-1.x versions prior to 7.x-1.8.
Drupal core is not affected. If you do not use the contributed Apache Solr
Search [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Apache Solr Search module for Drupal 6.x, upgrade to
Apache Solr Search 6.x-3.1 [5]
* If you use the Apache Solr Search module for Drupal 7.x, upgrade to
Apache Solr Search 7.x-1.8 [6]
Also see the Apache Solr Search [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* Peter Clarke [8]
-------- FIXED BY ------------------------------------------------------------
* Dave Reid [9] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Peter Wolanin [10] of the Drupal Security Team, and a module maintainer
[1] https://www.drupal.org/project/apachesolr
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/apachesolr
[5] https://www.drupal.org/node/2627584
[6] https://www.drupal.org/node/2627582
[7] https://www.drupal.org/project/apachesolr
[8] https://www.drupal.org/user/883708
[9] https://www.drupal.org/user/53892
[10] https://www.drupal.org/user/49851
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2627478
* Advisory ID: DRUPAL-SA-CONTRIB-2015-169
* Project: Chat Room [1] (third-party module)
* Version: 7.x
* Date: 2015-December-02
* Security risk: 11/25 (Moderately Critical) AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
Chat Room enables site owners to integrate chats into nodes by adding the
chat room field to them. The module relies on a websocket connection to send
chat messages to the client.
The module doesn't sufficiently validate access before setting up the
websocket. As a result, users may receive messages from chat rooms they don't
have access to via the websocket.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Chat Room 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Chat Room [4]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Chat Room module for Drupal 7.x, upgrade to Chat Room
7.x-2.2 [5]
Also see the Chat Room [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Gergely Lekli [7]
-------- FIXED BY ------------------------------------------------------------
* Gergely Lekli [8]
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
[1] https://www.drupal.org/project/chatroom
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/chatroom
[5] https://www.drupal.org/node/2627428
[6] https://www.drupal.org/project/chatroom
[7] https://www.drupal.org/user/930940
[8] https://www.drupal.org/user/930940
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2627448
* Advisory ID: DRUPAL-SA-CONTRIB-2015-168
* Project: Mollom [1] (third-party module)
* Version: 6.x
* Date: 2015-December-02
* Security risk: 16/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
The Mollom module allows users to protect their website from spam. As part
of the spam protection, Mollom enables the website administrator to create a
blacklist. When content is submitted that matches terms on the blacklist, it
will be automatically marked as spam and rejected per the site configuration.
The module doesn't sufficiently check for access when accessing or modifying
the blacklist for the site. This enables a potential attacker to add,
update, or remove their own terms to a site-wide blacklist. The potential
exists for an attacker to remove existing blacklist terms which could allow
their content to be accepted onto the site.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* Mollom 6.x-2.x versions 6.x-2.7 through 6.x-2.14.
This does not affect the modules for Drupal 7 or Drupal 8.
Drupal core is not affected. If you do not use the contributed Mollom [4]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Mollom module for Drupal 6.x, upgrade to Mollom 6.x-2.15 [5]
Also see the Mollom [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Nick Veenhof [7], module maintainer
-------- FIXED BY ------------------------------------------------------------
* Nick Veenhof [8], module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [9] of the Drupal Security Team
[1] https://www.drupal.org/project/mollom
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/mollom
[5] https://www.drupal.org/node/2626872
[6] https://www.drupal.org/project/mollom
[7] https://www.drupal.org/user/122682
[8] https://www.drupal.org/user/122682
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2627444
* Advisory ID: DRUPAL-SA-CONTRIB-2015-167
* Project: RESTful [1] (third-party module)
* Version: 7.x
* Date: 2015-December-02
* Security risk: 8/25 (Less Critical) AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:Default [2]
* Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
RESTful module allows Drupal to be operated via RESTful HTTP requests, using
best practices for security, performance, and usability.
The module doesn't sufficiently validate some user input. Specific code could
be run arbitrarily by an attacker in certain circumstances.
This vulnerability is mitigated by the fact that only sites with a custom
implementation of methods from a specific class are affected. Also, that
custom code would need to affect data or impact the site in some way.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* RESTful 7.x-1.x versions prior to 7.x-1.6.
Drupal core is not affected. If you do not use the contributed RESTful [4]
module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the RESTful 7.x-1.x module for Drupal 7.x, upgrade to RESTful
7.x-1.6 [5]
Also see the RESTful [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Dan James [7]
-------- FIXED BY ------------------------------------------------------------
* Mateu Aguiló Bosch [8], module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Pere Orga [9] of the Drupal Security Team
[1] https://www.drupal.org/project/restful
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/restful
[5] https://www.drupal.org/node/2627046
[6] https://www.drupal.org/project/restful
[7] https://www.drupal.org/user/1147930
[8] https://www.drupal.org/u/e0ipso
[9] https://www.drupal.org/u/pere-orga
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity