View online: https://www.drupal.org/node/2831900
* Advisory ID: DRUPAL-SA-CONTRIB-2016-062
* Project: Elysia Cron [1] (third-party module)
* Version: 7.x
* Date: 2016-November-30
* Security risk: 11/25 (Moderately Critical)
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Arbitrary PHP code execution
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to manage cron jobs.
The module allows users with the permission "Administer elysia cron" to
execute arbitrary PHP code via cron.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer elysia cron". This permission is not marked
as "restricted".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Elysia cron 7.x-2.x versions prior to 7.x-2.4.
Drupal core is not affected. If you do not use the contributed Elysia Cron
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Revoke the permission "Administer elysia cron" for untrusted users.
Elysia cron 7.x-2.4 [5] and up will indicate that the permission is
restricted.
Also see the Elysia Cron [6] project page.
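The SOLUTION above is a permission audit. As an added illustration (not part of the advisory or of the Elysia Cron module), the script below, meant to be run with `drush php-script` on a Drupal 7 site, lists every role that holds the "Administer elysia cron" permission and revokes it from any role not on an explicit allow list. The permission's machine name (`administer elysia cron`) and the allow list containing only `administrator` are assumptions; check both against your site before running it.

```php
<?php
// Added example, not from the advisory or the Elysia Cron module.
// Runs under `drush php-script` so the Drupal 7 API is bootstrapped.

// Assumed machine name of the "Administer elysia cron" permission.
define('ELYSIA_ADMIN_PERM', 'administer elysia cron');

/**
 * Returns the roles (rid => role name) that currently hold the permission.
 */
function audit_elysia_cron_permission() {
  // user_roles() with a permission argument filters to roles granted it.
  return user_roles(FALSE, ELYSIA_ADMIN_PERM);
}

/**
 * Revokes the permission from every role that is not explicitly trusted.
 *
 * @param array $trusted_role_names
 *   Role names allowed to keep the permission (constructed allow list).
 *
 * @return array
 *   Names of the roles the permission was revoked from.
 */
function remediate_elysia_cron_permission(array $trusted_role_names) {
  $revoked = array();
  foreach (audit_elysia_cron_permission() as $rid => $name) {
    if (!in_array($name, $trusted_role_names, TRUE)) {
      // Role-based revocation; the change is immediate for all members.
      user_role_revoke_permissions($rid, array(ELYSIA_ADMIN_PERM));
      $revoked[] = $name;
    }
  }
  return $revoked;
}

// Usage: report, then let only the "administrator" role keep it.
$before = audit_elysia_cron_permission();
drush_print('Roles holding the permission: '
  . ($before ? implode(', ', $before) : 'none'));
$revoked = remediate_elysia_cron_permission(array('administrator'));
drush_print('Revoked from: ' . ($revoked ? implode(', ', $revoked) : 'none'));
```

For module maintainers, the Drupal 7 mechanism for "indicating that a permission is restricted" is the `'restrict access' => TRUE` key on the permission's entry in `hook_permission()`; it makes the permissions page warn that granting it to untrusted roles has security implications, which is why the advisory treats the permission as equivalent to code execution.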
-------- REPORTED BY
---------------------------------------------------------
* Heine Deelstra [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Kiselev Dmitry [8] the module co-maintainer
* David Snopek [9] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* David Snopek [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/elysia_cron
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/elysia_cron
[5] https://www.drupal.org/project/elysia_cron/releases/7.x-2.4
[6] https://www.drupal.org/project/elysia_cron
[7] https://www.drupal.org/user/17943
[8] https://www.drupal.org/user/1945174
[9] https://www.drupal.org/user/266527
[10] https://www.drupal.org/user/266527
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/SA-CORE-2016-005
* Advisory ID: DRUPAL-SA-CORE-2016-005
* Project: Drupal core [1]
* Version: 7.x, 8.x
* Date: 2016-November-16
* Security risk: 13/25 (Moderately Critical)
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
.... Inconsistent name for term access query (Less critical - Drupal 7 and
Drupal 8)
Drupal provides a mechanism to alter database SELECT queries before they are
executed. Contributed and custom modules may use this mechanism to restrict
access to certain entities by implementing hook_query_alter() or
hook_query_TAG_alter() in order to add additional conditions. Queries can be
distinguished by means of query tags. As the documentation on
EntityFieldQuery::addTag() [3] suggests, access-tags on entity queries
normally follow the form ENTITY_TYPE_access (e.g. node_access). However, the
taxonomy module's access query tag predated this system and used term_access
as the query tag instead of taxonomy_term_access.
As a result, before this security release, modules wishing to restrict
access to taxonomy terms may have implemented an unsupported tag, or needed
to check for both tags (term_access and taxonomy_term_access) in order to be
compatible with queries generated by Drupal core as well as those generated
by contributed modules like Entity Reference. Otherwise, information on
taxonomy terms might have been disclosed to unprivileged users.
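The passage above describes the situation a module author faced before 7.52: a term-access restriction had to react to both tag names to cover every query path. The following Drupal 7 module is an added example (it is not from the advisory or from Drupal core; the module name `mymodule`, its per-role visibility variable and the vocabulary-based policy are constructed). It implements hook_query_TAG_alter() for both `term_access` and `taxonomy_term_access`, shares one helper between them, and guards against applying the condition twice when a single query carries both tags.

```php
<?php
// Added example, not from the advisory or Drupal core. "mymodule" is a
// hypothetical module that hides terms of vocabularies the current user
// may not see, on every query tagged with either access tag.

/**
 * Implements hook_query_TAG_alter() for the legacy "term_access" tag.
 */
function mymodule_query_term_access_alter(QueryAlterableInterface $query) {
  mymodule_restrict_term_query($query);
}

/**
 * Implements hook_query_TAG_alter() for the "taxonomy_term_access" tag
 * (the ENTITY_TYPE_access form used by EntityFieldQuery-based queries).
 */
function mymodule_query_taxonomy_term_access_alter(QueryAlterableInterface $query) {
  mymodule_restrict_term_query($query);
}

/**
 * Adds a vocabulary restriction to a SELECT query on taxonomy_term_data.
 */
function mymodule_restrict_term_query(QueryAlterableInterface $query) {
  // A query tagged with both names reaches this helper twice; mark it so
  // the condition is added only once.
  if ($query->hasTag('mymodule_term_restricted')) {
    return;
  }
  $query->addTag('mymodule_term_restricted');

  if (user_access('administer taxonomy')) {
    return;
  }

  // Locate the alias under which taxonomy_term_data is joined; core,
  // Views and EntityFieldQuery alias the base table differently.
  foreach ($query->getTables() as $alias => $table) {
    if ($table['table'] === 'taxonomy_term_data') {
      $allowed = mymodule_visible_vocabulary_ids();
      if (empty($allowed)) {
        // No visible vocabularies: return no rows rather than all rows
        // (an IN () condition with an empty list would throw).
        $query->where('1 = 0');
      }
      else {
        $query->condition($alias . '.vid', $allowed, 'IN');
      }
      return;
    }
  }
}

/**
 * Vocabulary IDs the current user may see. Constructed policy: a variable
 * per role (the variable name is an assumption) listing visible vids.
 */
function mymodule_visible_vocabulary_ids() {
  $ids = array();
  foreach (array_keys($GLOBALS['user']->roles) as $rid) {
    $ids = array_merge($ids,
      variable_get('mymodule_visible_vids_' . $rid, array()));
  }
  return array_values(array_unique($ids));
}
```

The fail-closed branch matters: a restriction hook that silently returns when the allowed set is empty leaks every term, which is exactly the disclosure the advisory warns about when a tag is missed.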
.... Incorrect cache context on password reset page (Less critical - Drupal
8)
The user password reset form does not specify a proper cache context, which
can lead to cache poisoning and unwanted content on the page.
.... Confirmation forms allow external URLs to be injected (Moderately
critical - Drupal 7)
Under certain circumstances, malicious users could construct a URL to a
confirmation form that would trick users into being redirected to a 3rd party
website after interacting with the form, thereby exposing the users to
potential social engineering attacks.
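The issue above is an open redirect reached through a confirmation form's redirect target. As an added example (not the advisory's own fix and not code from Drupal core), the Drupal 7 helper below shows the defensive check a module can apply to any caller-supplied redirect path before handing it to confirm_form() or drupal_goto(): it keeps only site-local paths and falls back otherwise. The module name, form and fallback path are hypothetical.

```php
<?php
// Added example, not from the advisory or Drupal core. "mymodule" is a
// hypothetical module with a confirmation form whose cancel/return path
// may come from the request.

/**
 * Returns $candidate if it is a local path, otherwise $fallback.
 *
 * url_is_external() rejects absolute URLs with a scheme; the extra checks
 * cover scheme-relative ("//host/...") and backslash variants that some
 * browsers normalise into an external URL.
 */
function mymodule_safe_local_path($candidate, $fallback) {
  if (!is_string($candidate) || $candidate === '') {
    return $fallback;
  }
  if (url_is_external($candidate)
    || strpos($candidate, '//') === 0
    || strpos($candidate, '\\') !== FALSE) {
    return $fallback;
  }
  // Validate the path component against the menu router: it must exist
  // and be accessible to the current user. Query strings are kept.
  $parts = drupal_parse_url($candidate);
  if (!drupal_valid_path($parts['path'])) {
    return $fallback;
  }
  return $candidate;
}

/**
 * Form constructor: a confirmation form whose cancel link honours
 * ?destination= only when it is local.
 */
function mymodule_delete_confirm_form($form, &$form_state, $node) {
  $form['nid'] = array('#type' => 'value', '#value' => $node->nid);
  $cancel = mymodule_safe_local_path(
    isset($_GET['destination']) ? $_GET['destination'] : '',
    'node/' . $node->nid
  );
  return confirm_form($form,
    t('Are you sure you want to delete %title?', array('%title' => $node->title)),
    $cancel,
    t('This action cannot be undone.'),
    t('Delete'),
    t('Cancel')
  );
}

/**
 * Submit handler: the post-submit redirect goes through the same check.
 */
function mymodule_delete_confirm_form_submit($form, &$form_state) {
  node_delete($form_state['values']['nid']);
  $form_state['redirect'] = mymodule_safe_local_path(
    isset($_GET['destination']) ? $_GET['destination'] : '',
    'node'
  );
}
```

Applying the same helper to both the cancel link and the submit redirect is the point: a form that validates one path but not the other still lets a crafted link steer the user off-site after they interact with it.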
.... Denial of service via transliterate mechanism (Moderately critical -
Drupal 8)
A specially crafted URL can cause a denial of service via the transliterate
mechanism.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [4] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Drupal core 7.x versions prior to 7.52
* Drupal core 8.x versions prior to 8.2.3
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use Drupal 7.x, upgrade to Drupal core 7.52 [5]
* If you use Drupal 8.x, upgrade to Drupal core 8.2.3 [6]
Also see the Drupal core [7] project page.
-------- REPORTED BY
---------------------------------------------------------
Inconsistent name for term access query:
* znerol [8]
Incorrect cache context on password reset page:
* Charlotte Bone [9]
Confirmation forms allow external URLs to be injected:
* jnicola [10]
* Ezra Wolfe [11]
Denial of service via transliterate mechanism:
* Lee Rowlands [12] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
Inconsistent name for term access query:
* znerol [13]
* xjm [14] of the Drupal Security Team
* David Rothstein [15] of the Drupal Security Team
* Dave Reid [16] of the Drupal Security Team
* Larry Garfield [17]
Incorrect cache context on password reset page:
* Chris McCafferty [18], provisional Drupal Security Team member
* xjm [19] of the Drupal Security Team
* Alex Pott [20] of the Drupal Security Team
* Michael Hess [21] of the Drupal Security Team
* Nathaniel Catchpole [22] of the Drupal Security Team
Confirmation forms allow external URLs to be injected:
* Peter Wolanin [23] of the Drupal Security Team
* Alex Pott [24] of the Drupal Security Team
* David Rothstein [25] of the Drupal Security Team
Denial of service via transliterate mechanism:
* Lee Rowlands [26] of the Drupal Security Team
* Cathy Theys [27] of the Drupal Security Team
* Alex Pott [28] of the Drupal Security Team
* Peter Wolanin [29] of the Drupal Security Team
* Daniel Wehner [30]
* Nate Haug [31]
* Heine Deelstra [32] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [33].
Learn more about the Drupal Security team and their policies [34], writing
secure code for Drupal [35], and securing your site [36].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [37]
[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] https://api.drupal.org/api/drupal/includes!entity.inc/function/EntityFieldQ…
[4] http://cve.mitre.org/
[5] https://www.drupal.org/project/drupal/releases/7.52
[6] https://www.drupal.org/project/drupal/releases/8.2.3
[7] https://www.drupal.org/project/drupal
[8] https://www.drupal.org/user/63999
[9] https://www.drupal.org/u/charlotteb
[10] https://www.drupal.org/u/jnicola
[11] https://www.drupal.org/u/ezraw
[12] https://www.drupal.org/u/larowlan
[13] https://www.drupal.org/user/63999
[14] https://www.drupal.org/user/65776
[15] https://www.drupal.org/u/David_Rothstein
[16] https://www.drupal.org/u/dave-reid
[17] https://www.drupal.org/u/Crell
[18] https://www.drupal.org/u/cilefen
[19] https://www.drupal.org/user/65776
[20] https://www.drupal.org/user/157725
[21] https://www.drupal.org/u/mlhess
[22] https://www.drupal.org/u/catch
[23] https://www.drupal.org/u/pwolanin
[24] https://www.drupal.org/user/157725
[25] https://www.drupal.org/u/David_Rothstein
[26] https://www.drupal.org/u/larowlan
[27] https://www.drupal.org/u/yesct
[28] https://www.drupal.org/user/157725
[29] https://www.drupal.org/u/pwolanin
[30] https://www.drupal.org/u/dawehner
[31] https://www.drupal.org/u/quicksketch
[32] https://www.drupal.org/u/Heine
[33] https://www.drupal.org/contact
[34] https://www.drupal.org/security-team
[35] https://www.drupal.org/writing-secure-code
[36] https://www.drupal.org/security/secure-configuration
[37] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2826155
* Advisory ID: DRUPAL-SA-CONTRIB-2016-061
* Project: Views Send [1] (third-party module)
* Version: 7.x
* Date: 2016-November-09
* Security risk: 13/25 (Moderately Critical)
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Views Send module enables you to send mail to multiple users from a View.
The module doesn't sufficiently filter potentially user-supplied data when
previewing the e-mail, which can lead to a Cross Site Scripting (XSS)
vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "mass mailing with views_send".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Views Send 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed Views Send [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Views Send module for Drupal 7.x, upgrade to Views Send
7.x-1.3 [5]
Also see the Views Send [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* A RICHARD [7]
-------- FIXED BY
------------------------------------------------------------
* Hans Fredrik Nordhaug [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* David Snopek [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/views_send
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/views_send
[5] https://www.drupal.org/project/views_send/releases/7.x-1.3
[6] https://www.drupal.org/project/views_send
[7] https://www.drupal.org/user/3240053
[8] https://www.drupal.org/user/40521
[9] https://www.drupal.org/u/dsnopek
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2824455
* Advisory ID: DRUPAL-SA-CONTRIB-2016-060
* Project: Workbench Moderation [1] (third-party module)
* Version: 7.x
* Date: 2016-November-02
* Security risk: 11/25 (Moderately Critical)
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to create and manage custom editorial workflows
around a site's content.
The module could result in unpublished content being temporarily made visible
via content lists, e.g. as generated by Views, when its editorial status was
being changed, e.g. from "draft" to "needs work".
This vulnerability is mitigated by the fact that the content lists must be
regenerated at exactly the moment when a person saves the node.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Workbench Moderation 7.x-1.x versions and 7.x-3.x versions prior to
7.x-3.0.
Drupal core is not affected. If you do not use the contributed Workbench
Moderation [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Workbench Moderation module for Drupal 7.x, upgrade to
Workbench Moderation 7.x-3.0 [5]
Also see the Workbench Moderation [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Colin Smith [7].
-------- FIXED BY
------------------------------------------------------------
* Steve Persch [8], a module co-maintainer.
* Larry Garfield [9], a module co-maintainer.
* Ken Rickard [10], a module co-maintainer.
* Peter Philipp [11], a module co-maintainer.
* Damien McKenna [12] of the Drupal Security Team.
-------- COORDINATED BY
------------------------------------------------------
* The Drupal Security Team.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] https://www.drupal.org/project/workbench_moderation
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/workbench_moderation
[5] https://www.drupal.org/project/workbench_moderation/releases/7.x-3.0
[6] https://www.drupal.org/project/workbench_moderation
[7] https://www.drupal.org/user/3067047
[8] https://www.drupal.org/u/stevector
[9] https://www.drupal.org/u/crell
[10] https://www.drupal.org/u/agentrickard
[11] https://www.drupal.org/u/das-peter
[12] https://www.drupal.org/u/damienmckenna
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2824436
* Advisory ID: DRUPAL-SA-CONTRIB-2016-059
* Project: D8 Editor File upload [1] (third-party module)
* Version: 8.x
* Date: 2016-November-02
* Security risk: 12/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
* Vulnerability:
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to upload files directly within the CKEditor and
create a link to download the given file.
The module doesn't sufficiently check the uploaded file extensions when the
allowed extensions list is not the default one.
This vulnerability is mitigated by the fact that an attacker must have a role
with permission to use a text format that enables this CKEditor plugin and
whose allowed-extensions list is not the default one.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* D8 Editor File Upload 8.x-1.x versions prior to 8.x-1.2.
Drupal core is not affected. If you do not use the contributed D8 Editor File
upload [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the D8 Editor File Upload module for Drupal 8.x, upgrade to D8
Editor File Upload 8.x-1.2 [5]
Also see the D8 Editor File upload [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Greg Dunlap (heyrocker) [7] of the Drupal Security Team
* Tim Hayward (thtas) [8]
-------- FIXED BY
------------------------------------------------------------
* Tim Hayward (thtas) [9]
* Greg Dunlap (heyrocker) [10] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* David Snopek [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/editor_file
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/editor_file
[5] https://www.drupal.org/project/editor_file/releases/8.x-1.2
[6] https://www.drupal.org/project/editor_file
[7] https://www.drupal.org/u/heyrocker
[8] https://www.drupal.org/u/thtas
[9] https://www.drupal.org/u/thtas
[10] https://www.drupal.org/u/heyrocker
[11] https://www.drupal.org/u/dsnopek
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2824413
* Advisory ID: DRUPAL-SA-CONTRIB-2014-0XX
* Project: Bootstrap [1] (third-party theme)
* Version: 7.x
* Date: 2016-November-02
* Security risk: 13/25 (Moderately Critical)
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Bootstrap theme enables you to integrate the Bootstrap framework with
Drupal.
The theme does not sufficiently filter potentially user-supplied data when
it is passed to certain templates, which can lead to a Persistent Cross Site
Scripting (XSS) vulnerability.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Bootstrap 7.x-3.x versions prior to 7.x-3.7
Drupal core is not affected. If you do not use the contributed Bootstrap [4]
theme, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Bootstrap theme from the 7.x-3.x branch, upgrade to
Bootstrap 7.x-3.8 [5]
Also see the Bootstrap [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Peter Berryman [7]
-------- FIXED BY
------------------------------------------------------------
* Mark Carver [8] the theme maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/bootstrap
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/bootstrap
[5] https://www.drupal.org/project/bootstrap/releases/7.x-3.8
[6] https://www.drupal.org/project/bootstrap
[7] https://www.drupal.org/user/554130
[8] https://www.drupal.org/u/mark-carver
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2824406
* Advisory ID: DRUPAL-SA-CONTRIB-2016-056
* Project: Like/Dislike [1] (third-party module)
* Version: 7.x
* Date: 2016-November-02
* Security risk: 15/25 (Moderately Critical)
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Request Forgery
-------- DESCRIPTION
---------------------------------------------------------
The Like/Dislike module adds Like and Dislike actions to any content. It is
implemented on top of Drupal's field system.
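The vulnerability listed for this module is Cross Site Request Forgery, the class of bug in which a state-changing request (here, recording a like) can be triggered by a link or form on another site. As an added example (not the advisory's content and not the Like/Dislike module's code), the Drupal 7 module below shows the standard defence: the action path carries a token bound to the user's session and to the specific node, and the callback refuses any request whose token does not verify. The module name, path, permission and storage table are hypothetical.

```php
<?php
// Added example, not from the advisory or the Like/Dislike module.
// "mymodule" is a hypothetical module exposing a "like" action on nodes.

/**
 * Implements hook_menu().
 */
function mymodule_menu() {
  // The fourth path component (%) carries the CSRF token.
  $items['node/%node/like/%'] = array(
    'page callback' => 'mymodule_like_callback',
    'page arguments' => array(1, 3),
    'access arguments' => array('like content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Implements hook_permission().
 */
function mymodule_permission() {
  return array(
    'like content' => array('title' => t('Like content')),
  );
}

/**
 * Builds the "Like" link for a node. drupal_get_token() derives the token
 * from the session and the private key, so another site cannot compute it.
 */
function mymodule_like_link($node) {
  $token = drupal_get_token('mymodule_like_' . $node->nid);
  return l(t('Like'), 'node/' . $node->nid . '/like/' . $token);
}

/**
 * Page callback: performs the action only for a valid token.
 */
function mymodule_like_callback($node, $token) {
  if (!drupal_valid_token($token, 'mymodule_like_' . $node->nid)) {
    // A forged cross-site request cannot carry a matching token.
    return MENU_ACCESS_DENIED;
  }
  mymodule_record_like($node->nid, $GLOBALS['user']->uid);
  drupal_set_message(t('You liked %title.', array('%title' => $node->title)));
  drupal_goto('node/' . $node->nid);
}

/**
 * Stores one like per (node, user). The table name is hypothetical.
 */
function mymodule_record_like($nid, $uid) {
  db_merge('mymodule_like')
    ->key(array('nid' => $nid, 'uid' => $uid))
    ->fields(array('created' => REQUEST_TIME))
    ->execute();
}
```

Where the action is rendered as a form rather than a link, the same protection comes for free: forms built through drupal_get_form() include a form_token that Drupal's Form API validates on submission.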
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* All versions of like/dislike module.
Drupal core is not affected. If you do not use the contributed Like/Dislike
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the like/dislike module for Drupal 7.x you should uninstall it.
Also see the Like/Dislike [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Naveen Valecha [6]
-------- FIXED BY
------------------------------------------------------------
Not applicable.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [7].
Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [11]
[1] https://www.drupal.org/project/like_dislike
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/like_dislike
[5] https://www.drupal.org/project/like_dislike
[6] https://www.drupal.org/user/2665733
[7] https://www.drupal.org/contact
[8] https://www.drupal.org/security-team
[9] https://www.drupal.org/writing-secure-code
[10] https://www.drupal.org/security/secure-configuration
[11] https://twitter.com/drupalsecurity
View online: https://www.drupal.org/node/2824402
* Advisory ID: DRUPAL-SA-CONTRIB-2016-055
* Project: Menu Views [1] (third-party module)
* Version: 7.x
* Date: 2016-November-02
* Security risk: 12/25 (Moderately Critical)
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables users to create menu items that render views instead of
links. This is useful for creating "mega-menus".
The module doesn't sufficiently filter title and breadcrumb fields for
possible cross-site scripting.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer menu views".
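Three of the advisories in this batch (Views Send previewing an e-mail, the Bootstrap theme passing values to templates, and Menu Views rendering title and breadcrumb fields) describe the same defect: user-supplied strings reach HTML output unfiltered. As an added example that is not code from any of those projects or from the advisories, the Drupal 7 snippet below puts the unsafe concatenation pattern beside its hardened form and runs both over a constructed payload. Function names and the sample input are hypothetical.

```php
<?php
// Added example, not from the advisories or the projects they cover.
// Demonstrates escaping for the three output contexts the advisories
// touch: a plain-text title, an HTML body, and a link.

/**
 * The vulnerable pattern: raw values concatenated into markup.
 */
function preview_unsafe($subject, $body_html, $link_title, $link_path) {
  return '<h2>' . $subject . '</h2>'
    . '<div class="body">' . $body_html . '</div>'
    . '<a href="' . $link_path . '">' . $link_title . '</a>';
}

/**
 * The hardened form: each value is escaped for the context it lands in.
 */
function preview_safe($subject, $body_html, $link_title, $link_path) {
  // Plain text: check_plain() HTML-encodes <, >, &, " and '.
  $out = '<h2>' . check_plain($subject) . '</h2>';
  // HTML intended to carry limited markup: filter_xss() keeps a tag
  // whitelist and strips script, event handler attributes and
  // javascript: URLs, rather than encoding the whole string.
  $out .= '<div class="body">' . filter_xss($body_html) . '</div>';
  // Links: l() escapes the title by default and builds the href with
  // url(), which handles encoding of the path.
  $out .= l($link_title, $link_path);
  return $out;
}

/**
 * The same hardened output as a render array, the form a theme template
 * or a menu item callback would normally return. Values are escaped
 * before they are placed in '#markup'.
 */
function preview_render_array($subject, $body_html, $link_title, $link_path) {
  return array(
    'title' => array(
      '#markup' => '<h2>' . check_plain($subject) . '</h2>',
    ),
    'body' => array(
      '#markup' => '<div class="body">' . filter_xss($body_html) . '</div>',
    ),
    'link' => array(
      '#theme' => 'link',
      '#text' => $link_title,
      '#path' => $link_path,
      // html => FALSE tells theme_link() to escape #text.
      '#options' => array('attributes' => array(), 'html' => FALSE),
    ),
  );
}

// Constructed sample input resembling a stored value with a script payload.
$subject = 'Hello <script>alert("xss")</script>';
$body    = '<p>Welcome</p><img src="x" onerror="alert(1)">';
$title   = 'Read more <b>now</b>';
$path    = 'node/1';

// preview_unsafe() returns the payload verbatim; preview_safe() returns
// the subject encoded, the image kept without its onerror attribute,
// and the link title encoded.
print preview_unsafe($subject, $body, $title, $path) . "\n";
print preview_safe($subject, $body, $title, $path) . "\n";
print drupal_render(preview_render_array($subject, $body, $title, $path)) . "\n";
```

The choice between check_plain() and filter_xss() is the recurring decision in these advisories: a title or breadcrumb label is plain text and should be fully encoded, while an e-mail body that legitimately contains markup needs a whitelist filter, and passing a value through neither is what produced the three XSS findings.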
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Menu Views 7.x-2.x versions prior to 7.x-2.4.
Drupal core is not affected. If you do not use the contributed Menu Views [4]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Menu Views module for Drupal 7.x, upgrade to Menu Views
7.x-2.4 [5]
Also see the Menu Views [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Michael Hess [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Ron Shimshock [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/menu_views
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/menu_views
[5] https://www.drupal.org/project/menu_views/releases/7.x-2.4
[6] https://www.drupal.org/project/menu_views
[7] https://www.drupal.org/u/mlhess
[8] https://www.drupal.org/u/ron_s
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity