March 2016 - Security-news - lists.drupal.org

Login one time - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-017
by security-news＠drupal.org 23 Mar '16

23 Mar '16

View online: https://www.drupal.org/node/2692953 * Advisory ID: DRUPAL-SA-CONTRIB-2016-017 * Project: Login one time [1] (third-party module) * Version: 6.x, 7.x * Date: 2016-March-23 * Security risk: 15/25 ( Critical) AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- The Login one time module provides the ability to email one-time login links to users. The module doesn't sufficiently sanitize user input supplied to an ajax callback function. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Login one time 7.x-2.x versions prior to 7.x-2.10. Drupal core is not affected. If you do not use the contributed Login one time [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Login on time module for Drupal 7.x, upgrade to Login one time 7.x-2.10 [5] Also see the Login one time [6] project page. -------- REPORTED BY --------------------------------------------------------- * Tobias Bähr [7] -------- FIXED BY ------------------------------------------------------------ * Tobias Bähr [8] -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [9] of the Drupal Security Team * Heine Deelstra [10] of the Drupal Security Team * Cash Williams [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [16] [1] https://www.drupal.org/project/login_one_time [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/login_one_time [5] https://www.drupal.org/node/2692597 [6] https://www.drupal.org/project/login_one_time [7] https://www.drupal.org/u/tobiasb [8] https://www.drupal.org/u/tobiasb [9] https://www.drupal.org/u/greggles [10] https://www.drupal.org/u/heine [11] https://www.drupal.org/u/cashwilliams [12] https://www.drupal.org/contact [13] https://www.drupal.org/security-team [14] https://www.drupal.org/writing-secure-code [15] https://www.drupal.org/security/secure-configuration [16] https://twitter.com/drupalsecurity

1 0

Fast Autocomplete - Critical - DOS vulnerability - SA-CONTRIB-2016-016
by security-news＠drupal.org 16 Mar '16

16 Mar '16

View online: https://www.drupal.org/node/2688461 * Advisory ID: DRUPAL-SA-CONTRIB-2016-016 * Project: Fast Autocomplete [1] (third-party module) * Version: 7.x * Date: 2016-March-16 * Security risk: 12/25 ( Moderately Critical) AC:None/A:None/CI:None/II:None/E:Theoretical/TD:All [2] * Vulnerability: Denial of Service -------- DESCRIPTION --------------------------------------------------------- This module enables you to show IMDB-like suggestions when entering terms into an input field using json files to "cache" suggestions making the autocomplete very fast. The module doesn't sufficiently validate the incoming language parameter in the request path when a json file of the module is requested resulting in folders being created in the public files directory where the module stores its json files. This vulnerability can be exploited to perform a DOS-attack by depletion of available inodes on the webserver. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Fast Autocomplete 7.x-1.x versions prior to 7.x-1.1. Drupal core is not affected. If you do not use the contributed Fast Autocomplete [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Fast Autocomplete module for Drupal 7.x, upgrade to Fast Autocomplete 7.x-1.1 [5] Also see the Fast Autocomplete [6] project page. -------- REPORTED BY --------------------------------------------------------- * Martijn van Wensen [7] -------- FIXED BY ------------------------------------------------------------ * Martijn van Wensen [8] providing the patch * Baris Wanschers [9] reviewing/refining the patch * Martijn Vermeulen [10] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Pere Orga [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [16] [1] https://www.drupal.org/project/fac [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/fac [5] https://www.drupal.org/node/2688365 [6] https://www.drupal.org/project/fac [7] https://www.drupal.org/u/mvwensen [8] https://www.drupal.org/u/mvwensen [9] https://www.drupal.org/u/barisw [10] https://www.drupal.org/u/marty2081 [11] https://www.drupal.org/u/pere-orga [12] https://www.drupal.org/contact [13] https://www.drupal.org/security-team [14] https://www.drupal.org/writing-secure-code [15] https://www.drupal.org/security/secure-configuration [16] https://twitter.com/drupalsecurity

1 0

Scald File - Critical - Remote Code Execution - SA-CONTRIB-2016-015
by security-news＠drupal.org 10 Mar '16

10 Mar '16

View online: https://www.drupal.org/node/2684601 * Advisory ID: DRUPAL-SA-CONTRIB-2016-015 * Project: Scald File Provider [1] (third-party module) * Version: 7.x * Date: 2016-March-09 * Security risk: 18/25 ( Critical) AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:All [2] * Vulnerability: Arbitrary PHP code execution -------- DESCRIPTION --------------------------------------------------------- When a PDF is uploaded in Scald File, various tools can be executed if they're installed on the server, to try to generate a thumbnail out of that PDF. This is mitigated by the need to have the sufficient permissions to upload a file in Scald, and also to have at least one of the thumbnail creation tools installed on the server (pdfdraw, convert or mudraw). It could also be partially mitigated by using the transliteration module for uploaded files. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Scald File module 7.x-1.x versions prior to 7.x-1.2. Drupal core is not affected. If you do not use the contributed Scald File Provider [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Scald File module for Drupal 7.x, upgrade to Scald File 7.x-1.3 [5] Also see the Scald File Provider [6] project page. -------- REPORTED BY --------------------------------------------------------- * DeFr [7] -------- FIXED BY ------------------------------------------------------------ * DeFr [8] -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [14] [1] https://www.drupal.org/project/scald_file [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/scald_file [5] https://www.drupal.org/node/2678810 [6] https://www.drupal.org/project/scald_file [7] https://www.drupal.org/u/defr [8] https://www.drupal.org/u/defr [9] https://www.drupal.org/u/mlhess [10] https://www.drupal.org/contact [11] https://www.drupal.org/security-team [12] https://www.drupal.org/writing-secure-code [13] https://www.drupal.org/security/secure-configuration [14] https://twitter.com/drupalsecurity

1 0

Fieldable Panels Panes - Moderately Critical - Access Bypass - SA-CONTRIB-2016-014
by security-news＠drupal.org 02 Mar '16

02 Mar '16

View online: https://www.drupal.org/node/2679589 * Advisory ID: DRUPAL-SA-CONTRIB-2014-014 * Project: Fieldable Panels Panes (FPP) [1] (third-party module) * Version: 7.x * Date: 2016-March-02 * Security risk: 10/25 ( Moderately Critical) AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2] * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module enables you to create fieldable entities that have special integration with Panels. The module doesn't check access permissions on a file when it is attached to a field on a Fieldable Panels Panes entity that has been made private and where the file field is set to store files using the private file storage system. This vulnerability is mitigated by the fact that it is an uncommon use case for the module. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Fieldable Panels Panes 7.x-1.x versions prior to 7.x-1.8. Drupal core is not affected. If you do not use the contributed Fieldable Panels Panes (FPP) [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Fieldable Panels Panes module for Drupal 7.x, upgrade to Fieldable Panels Panes 7.x-1.8 [5] Also see the Fieldable Panels Panes (FPP) [6] project page. -------- REPORTED BY --------------------------------------------------------- * Greg Mercer [7]. -------- FIXED BY ------------------------------------------------------------ * Greg Mercer [8]. * Damien McKenna [9], the module maintainer. -------- COORDINATED BY ------------------------------------------------------ * Damien McKenna [10], provisional member of the Drupal Security Team. -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [15] [1] https://www.drupal.org/project/fieldable_panels_panes [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/fieldable_panels_panes [5] https://www.drupal.org/node/2679587 [6] https://www.drupal.org/project/fieldable_panels_panes [7] https://www.drupal.org/u/gmercer [8] https://www.drupal.org/u/gmercer [9] https://www.drupal.org/u/damienmckenna [10] https://www.drupal.org/u/damienmckenna [11] https://www.drupal.org/contact [12] https://www.drupal.org/security-team [13] https://www.drupal.org/writing-secure-code [14] https://www.drupal.org/security/secure-configuration [15] https://twitter.com/drupalsecurity

1 0

Node Notify - Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-013 - Unsupported
by security-news＠drupal.org 02 Mar '16

02 Mar '16

View online: https://www.drupal.org/node/2679541 * Advisory ID: DRUPAL-SA-CONTRIB-2016-013 * Project: Node Notify [1] (third-party module) * Version: 7.x * Date: 2016-March-02 * Security risk: 18/25 ( Critical) AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Scripting, Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- Node Notify is a lightweight module to allow subscription to comments on nodes for registered and anonymous users. The module doesn't sufficiently sanitize some user provided content, leading to a Cross Site Scripting vulnerability. Additionally, some paths were not protected against CSRF. An attacker could cause another user to subscribe and unsubscribe notifications by getting the user's browser to make a request to a specially-crafted URL. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * All versions of Node Notify module. Drupal core is not affected. If you do not use the contributed Node Notify [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ If you use the Node Notify module for Drupal 7.x you should uninstall it. Also see the Node Notify [5] project page. -------- REPORTED BY --------------------------------------------------------- * Floris Walraet [6] -------- FIXED BY ------------------------------------------------------------ Not applicable. -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [7]. Learn more about the Drupal Security team and their policies [8], writing secure code for Drupal [9], and securing your site [10]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [11] [1] https://www.drupal.org/project/node_notify [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/node_notify [5] https://www.drupal.org/project/node_notify [6] https://www.drupal.org/user/413679 [7] https://www.drupal.org/contact [8] https://www.drupal.org/security-team [9] https://www.drupal.org/writing-secure-code [10] https://www.drupal.org/security/secure-configuration [11] https://twitter.com/drupalsecurity

1 0

Hubspot CTA - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-012 - Unsupported
by security-news＠drupal.org 02 Mar '16

02 Mar '16

View online: https://www.drupal.org/node/2679539 * Advisory ID: DRUPAL-SA-CONTRIB-2016-012 * Project: Hubspot CTA [1] (third-party module) * Version: 7.x * Date: 2016-March-02 * Security risk: 13/25 ( Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Scripting -------- DESCRIPTION --------------------------------------------------------- This module enables you to embed a Hubspot CTA buttons widget in a Bean block. The module allows configuration of a CTA ID and Account ID while adding a bean block for a CTA button, but doesn't sufficiently sanitise these parameters, allowing a potential cross-site scripting attack. This vulnerability is mitigated by the fact that an attacker must have a role with the permissions "administer beans" or "Hubspot Calls-to-action: Add Bean". -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * All versions of Hubspot CTA module. Drupal core is not affected. If you do not use the contributed Hubspot CTA [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ If you use the Hubspot CTA module you should uninstall it. Also see the Hubspot CTA [5] project page. -------- REPORTED BY --------------------------------------------------------- * Naveen Valecha [6] -------- FIXED BY ------------------------------------------------------------ Not applicable. -------- COORDINATED BY ------------------------------------------------------ * Mori Sugimoto [7] of the Drupal Security Team * Dan Smith [8] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [9]. Learn more about the Drupal Security team and their policies [10], writing secure code for Drupal [11], and securing your site [12]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [13] [1] https://www.drupal.org/project/hubspot_cta [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/hubspot_cta [5] https://www.drupal.org/project/hubspot_cta [6] https://www.drupal.org/user/2665733 [7] https://www.drupal.org/user/82971 [8] https://www.drupal.org/user/241220 [9] https://www.drupal.org/contact [10] https://www.drupal.org/security-team [11] https://www.drupal.org/writing-secure-code [12] https://www.drupal.org/security/secure-configuration [13] https://twitter.com/drupalsecurity

1 0

Google Analytics Counter - Moderately Critical - CSRF - SA-CONTRIB-2016-011
by security-news＠drupal.org 02 Mar '16

02 Mar '16

View online: https://www.drupal.org/node/2679515 * Advisory ID: DRUPAL-SA-CONTRIB-2016-011 * Project: Google Analytics Counter [1] (third-party module) * Version: 7.x * Date: 2016-March-02 * Security risk: 12/25 ( Moderately Critical) AC:None/A:Admin/CI:None/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Request Forgery -------- DESCRIPTION --------------------------------------------------------- The Google Analytics Counter module provides total pageview counts for each page on a website. In that it is similar to the core Statistics module counter, but it is much lighter and ultimately faster because it draws on data from Google Analytics. This is why it is also able to effortlessly count views of cached pages. The module doesn't sufficiently protect against cross-site request forgery when it comes to the configuration reset link on its dashboard page. If the reset link were to be sent to a user with the right permissions, it could lead to an unwanted reset of the module's settings (including its OAuth credentials). -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Google Analytics Counter 7.x-3.x versions prior to 7.x-3.2. Drupal core is not affected. If you do not use the contributed Google Analytics Counter [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Google Analytics Counter module for Drupal 7.x, upgrade to Google Analytics Counter 7.x-3.2 [5] Also see the Google Analytics Counter [6] project page. -------- REPORTED BY --------------------------------------------------------- * James Williams [7] -------- FIXED BY ------------------------------------------------------------ * Tomas Fulopp [8] (the module maintainer) -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [14] [1] https://www.drupal.org/project/google_analytics_counter [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/google_analytics_counter [5] https://www.drupal.org/node/2679004 [6] https://www.drupal.org/project/google_analytics_counter [7] https://www.drupal.org/user/15129 [8] https://www.drupal.org/user/45996 [9] https://www.drupal.org/u/mlhess [10] https://www.drupal.org/contact [11] https://www.drupal.org/security-team [12] https://www.drupal.org/writing-secure-code [13] https://www.drupal.org/security/secure-configuration [14] https://twitter.com/drupalsecurity

1 0

Prepopulate - Moderately Critical - Multiple Vulnerabilities - SA-CONTRIB-2016-009
by security-news＠drupal.org 02 Mar '16

02 Mar '16

View online: https://www.drupal.org/node/2679503 * Advisory ID: DRUPAL-SA-CONTRIB-2016-009 * Project: Prepopulate [1] (third-party module) * Version: 7.x * Date: 2016-March-02 * Security risk: 13/25 ( Moderately Critical) AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Multiple vulnerabilities -------- DESCRIPTION --------------------------------------------------------- The Prepopulate module allows form fields to be pre-populated in the request. The Prepopulate module does not adequately prevent a user from overwriting arbitrary parts of $_REQUEST. It also does not prevent pre-populating certain fields that are not displayed or manipulating markup fields to alter elements of the user interface. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * Prepopulate 7.x-2.x versions prior to 7.x-2.1. Drupal core is not affected. If you do not use the contributed Prepopulate [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Prepopulate module for Drupal 7.x, upgrade to Prepopulate 7.x-2.1 [5] Also see the Prepopulate [6] project page. -------- REPORTED BY --------------------------------------------------------- * Neil Drumm [7] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Joshua Brauer [8] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Michael Hess [9] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [10]. Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [14] [1] https://www.drupal.org/project/prepopulate [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/prepopulate [5] https://www.drupal.org/node/2679215 [6] https://www.drupal.org/project/prepopulate [7] https://www.drupal.org/user/3064 [8] https://www.drupal.org/user/12363 [9] https://www.drupal.org/u/mlhess [10] https://www.drupal.org/contact [11] https://www.drupal.org/security-team [12] https://www.drupal.org/writing-secure-code [13] https://www.drupal.org/security/secure-configuration [14] https://twitter.com/drupalsecurity

1 0

USASearch - Access Bypass - SA-CONTRIB-2016-010
by security-news＠drupal.org 02 Mar '16

02 Mar '16

View online: https://www.drupal.org/node/2679509 * Advisory ID: DRUPAL-SA-CONTRIB-2016-010 * Project: DigitalGov Search (machine name: USASearch) [1] (third-party module) * Version: 7.x * Date: 2016-March-02 * Security risk: 11/25 ( Moderately Critical) AC:Basic/A:Admin/CI:Some/II:None/E:Proof/TD:All [2] * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- This module indexes public content using the USASearch a program of the General Services Administration’s Office of Citizen Services and Information Technology (OCSIT) which offers free search services to any federal, state, local, tribal, or territorial government agency that can be used to search one or many sites. Read more at http://search.usa.gov/program [3] . The module may index unpublished content making content accessible through search. This vulnerability is mitigated by the fact that it only affects unpublished content that has been saved and content that was published and subsequently unpublished. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * MODULE 7.x-5.x versions prior to 7.x-5.1. Drupal core is not affected. If you do not use the contributed DigitalGov Search (machine name: USASearch) [5] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the usasearch module for Drupal 7.x, upgrade to usasearch 7.x-5.1 [6] Also see the DigitalGov Search (machine name: USASearch) [7] project page. -------- REPORTED BY --------------------------------------------------------- * Barrett Smith [8] of the Drupal Security Team -------- FIXED BY ------------------------------------------------------------ * Daniel Schiavone [9] the module maintainer -------- COORDINATED BY ------------------------------------------------------ * Real Name [10] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [11]. Learn more about the Drupal Security team and their policies [12], writing secure code for Drupal [13], and securing your site [14]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [15] [1] https://www.drupal.org/project/USASearch [2] https://www.drupal.org/security-team/risk-levels [3] http://search.usa.gov/program [4] http://cve.mitre.org/ [5] https://www.drupal.org/project/USASearch [6] https://www.drupal.org/node/2679169 [7] https://www.drupal.org/project/USASearch [8] https://security.drupal.org/user/9114 [9] https://security.drupal.org/user/133506 [10] https://www.drupal.org/user/XXXUID [11] https://www.drupal.org/contact [12] https://www.drupal.org/security-team [13] https://www.drupal.org/writing-secure-code [14] https://www.drupal.org/security/secure-configuration [15] https://twitter.com/drupalsecurity

1 0