View online: http://drupal.org/node/1762220
* Advisory ID: DRUPAL-SA-CONTRIB-2012-130
* Project: Javascript Tool [1] (third-party module)
* Version: 7.x
* Date: 2012-August-29
* Security risk: Highly critical [2]
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
Javascript Tool enables administrators to edit any javascript file online
from an admin panel.
The module does not protect its menu paths, which contain sensitive
information about all javascript files on the site and their contents.
The module does not validate filenames, which can lead to read/write access
to arbitrary files on the server.
Write access to files is mitigated by the fact that an attacker must have the
permission to use the full_html text format.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Javascript Tool 7.x-1.x versions prior to 7.x-1.7.
Drupal core is not affected. If you do not use the contributed Javascript
Tool [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Javascript Tool module for Drupal 7.x, upgrade to
Javascript Tool 7.x-1.7 [4]
Also see the Javascript Tool [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Klaus Purer [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* drupwash [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/jstool
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/jstool
[4] http://drupal.org/node/1759538
[5] http://drupal.org/project/jstool
[6] http://drupal.org/user/262198
[7] http://drupal.org/user/1652472
[8] http://drupal.org/user/262198
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1762160
* Advisory ID: DRUPAL-SA-CONTRIB-2012-129
* Project: Activism [1] (third-party module)
* Version: 6.x
* Date: 2012-August-29
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access Bypass
-------- DESCRIPTION
---------------------------------------------------------
The Activism module is an attempt to standardize the way online advocacy
tools are built in Drupal 6. It ships with and creates a "Campaign" content
type which is always viewable, even when an administrator unpublishes it or
otherwise restricts viewing access.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Activism 6.x-2.0.
Drupal core is not affected. If you do not use the contributed Activism [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Activism module for Drupal 6.x, upgrade to Activism 6.x-2.1
[4]
Also see the Activism [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Sheldon Rampton [6]
-------- FIXED BY
------------------------------------------------------------
* Sheldon Rampton [7], the issue reporter
* Stella Power [8] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Stella Power [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] http://drupal.org/project/activism
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/activism
[4] http://drupal.org/node/1762152
[5] http://drupal.org/project/activism
[6] http://drupal.org/user/13085
[7] http://drupal.org/user/13085
[8] http://drupal.org/user/66894
[9] http://drupal.org/user/66894
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1733056
* Advisory ID: DRUPAL-SA-CONTRIB-2012-128
* Project: Elegant Theme [1] (third-party module)
* Version: 7.x
* Date: 2012-August-15
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Elegant Theme is a lightweight Drupal 7 theme with a modern look and feel.
The theme doesn't properly sanitize user-entered content in the 3-slide
gallery on the homepage, leading to a Cross Site Scripting (XSS)
vulnerability.
This vulnerability is mitigated by the fact that an attacker would have to
have the 'administer themes' permission.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Elegant Theme 7.x-1.x versions prior to 7.x-1.0.
Drupal core is not affected. If you do not use the contributed Elegant Theme
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Elegant Theme for Drupal 7.x, upgrade to Elegant Theme
7.x-1.1 [4]
Also see the Elegant Theme [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Greg Knaddison [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* saran.quardz [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/elegant_theme
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/elegant_theme
[4] http://drupal.org/node/1722880
[5] http://drupal.org/project/elegant_theme
[6] http://drupal.org/user/36762
[7] http://drupal.org/user/1031208
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1732980
* Advisory ID: DRUPAL-SA-CONTRIB-2012-127
* Project: Custom Publishing Options [1] (third-party module)
* Version: 6.x
* Date: 2012-August-15
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Custom Publishing Options module allows you to create custom publishing
options for nodes. It allows you to add to the default options of Publish,
Promote to Front Page, and Sticky. It also integrates with Views, allowing you
to add your custom options as a field and to sort and filter by them.
The module doesn't sufficiently sanitize status labels containing HTML.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer nodes".
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Custom Publishing Options 6.x-1.x versions prior to 6.x-1.4.
Drupal core is not affected. If you do not use the contributed Custom
Publishing Options [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Custom Publishing Options module for Drupal 6.x, upgrade to
Custom Publishing Options 6.x-1.5 [4]
Also see the Custom Publishing Options [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Publicly disclosed.
-------- FIXED BY
------------------------------------------------------------
* Kevin Quillen [6]
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [7] of the Drupal Security Team
* Ivo Van Geertruyen [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/custom_pub
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/custom_pub
[4] http://drupal.org/node/1730766
[5] http://drupal.org/project/custom_pub
[6] http://drupal.org/user/317279
[7] http://drupal.org/user/36762
[8] http://drupal.org/user/383424
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1732946
* Advisory ID: DRUPAL-SA-CONTRIB-2012-126
* Project: HotBlocks [1] (third-party module)
* Version: 6.x
* Date: 2012-August-15
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting, Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
The Hotblocks module provides an enhanced GUI for administering blocks and
block content that is intended to be simpler and more controllable for less
privileged users than the default block administration tools.
.... Cross Site Scripting (XSS)
The module doesn't sufficiently sanitize the user input for "block names" on
the module's settings page. A user could inject arbitrary scripts into pages
affecting site users.
This XSS vulnerability is mitigated by the fact that an attacker must have a
role with the permission "administer hotblocks".
.... Denial of Service (DoS)
The hotblocks user interface also allows a user to configure one hotblock to
reference itself as content, thereby creating an infinite loop and
potentially rendering a site unusable.
The DoS vulnerability is mitigated by the fact that a user must have a role
with the permission "administer hotblocks" or a user with said permission
must have configured the site such that it allows hotblocks to be embedded in
other hotblocks.
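An added example (not HotBlocks code) of the two checks the advisory above implies: a renderer that refuses a block already on its render stack, so a hotblock embedding itself cannot loop forever, a settings-time validation that detects the loop before it is saved, and plain-text escaping of the admin-entered block name on output. The in-memory block store and all function names are hypothetical.

```php
<?php
// Added example, not HotBlocks code. Hypothetical in-memory block store:
// $blocks[$id] = array('name' => 'admin-entered label', 'items' => array(...))
// where each item is a literal string or array('block' => $other_id).

/**
 * Render a hotblock, refusing any block that is already on the render stack.
 * Without the stack check, a block embedding itself (directly or through
 * another block) recurses until PHP runs out of memory or execution time.
 */
function render_hotblock($id, array $blocks, array $stack = array()) {
  if (!isset($blocks[$id])) {
    return '';
  }
  if (in_array($id, $stack, TRUE)) {
    $chain = implode(' -> ', array_merge($stack, array($id)));
    // Log rather than render: an embedding loop is a configuration error.
    error_log("hotblock embedding loop refused: $chain");
    return '';
  }
  $stack[] = $id;
  // Block names come from the settings page, so they are treated as plain
  // text on output (check_plain() in Drupal) to close the XSS in the advisory.
  $out = '<h2>' . htmlspecialchars($blocks[$id]['name'], ENT_QUOTES, 'UTF-8') . "</h2>\n";
  foreach ($blocks[$id]['items'] as $item) {
    if (is_array($item) && isset($item['block'])) {
      $out .= render_hotblock($item['block'], $blocks, $stack);
    }
    else {
      $out .= '<p>' . htmlspecialchars((string) $item, ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
  }
  return $out;
}

/**
 * Validation for the settings form: would embedding $child in $parent create
 * a loop? Walks every block reachable from $child looking for $parent; the
 * direct self-reference is the case $child === $parent.
 */
function hotblock_embedding_creates_loop($parent, $child, array $blocks) {
  $seen = array();
  $todo = array($child);
  while ($todo) {
    $current = array_pop($todo);
    if ($current === $parent) {
      return TRUE;
    }
    if (isset($seen[$current]) || !isset($blocks[$current])) {
      continue;
    }
    $seen[$current] = TRUE;
    foreach ($blocks[$current]['items'] as $item) {
      if (is_array($item) && isset($item['block'])) {
        $todo[] = $item['block'];
      }
    }
  }
  return FALSE;
}

// Constructed configuration: "footer" embeds "promo"; a would-be edit then
// makes "promo" embed "footer" again.
$blocks = array(
  'footer' => array('name' => 'Footer <b>news</b>',
                    'items' => array('Contact us', array('block' => 'promo'))),
  'promo'  => array('name' => 'Promo', 'items' => array('Sale this week')),
);
echo render_hotblock('footer', $blocks);
$loop = hotblock_embedding_creates_loop('promo', 'footer', $blocks);
echo 'promo -> footer would loop: ' . ($loop ? 'yes, reject the edit' : 'no') . "\n";
$blocks['promo']['items'][] = array('block' => 'footer');
echo render_hotblock('footer', $blocks);
```

The final render call shows that even an already-saved loop terminates: the second visit to "footer" is refused and logged instead of recursing.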
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Hotblocks 6.x-1.x versions prior to 6.x-1.8.
Drupal core is not affected. If you do not use the contributed HotBlocks [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Hotblocks module for Drupal 6.x, upgrade to Hotblocks
6.x-1.8 [4]
Also see the HotBlocks [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Justin C. Klein Keane [6]
-------- FIXED BY
------------------------------------------------------------
* Justin Dodge [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/hotblocks
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/hotblocks
[4] http://drupal.org/node/1732828
[5] http://drupal.org/project/hotblocks
[6] http://drupal.org/user/302225
[7] http://drupal.org/user/238638
[8] http://drupal.org/user/36762
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1719548
* Advisory ID: DRUPAL-SA-CONTRIB-2012-125
* Project: Chaos tool suite (ctools) [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-August-8
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Local File Inclusion and Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Chaos tool suite is primarily a set of APIs and tools to improve the
developer experience.
The module doesn't sufficiently validate CSS import statements to confirm
they only include CSS content appropriate to show to end users. This could
allow a malicious user to add sensitive content from the site (e.g.
settings.php), exposing that sensitive content to visitors of the page. It
could also be used to execute a Cross Site Scripting attack.
This vulnerability is partly mitigated by the fact that an attacker must have
a role with a permission to place custom CSS into a field. However, any user
who can create or edit a node may have sufficient permissions to place the
CSS, depending on the site configuration.
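An added example, not ctools code, of a filter for user-supplied CSS in the spirit of the fix described above: it strips comments, removes every @import rule (the vector named in the advisory), and keeps url() references only when they are http(s) URLs or simple relative paths. Function names are hypothetical and the sample stylesheet is constructed.

```php
<?php
// Added example, not ctools code; function names are hypothetical.

function filter_user_css($css) {
  // Comments go first, so an at-rule cannot be hidden as "@im/**/port".
  $css = preg_replace('#/\*.*?\*/#s', '', $css);
  // Remove @import statements in either form, @import url(...) or
  // @import "...", up to and including the terminating semicolon (or the
  // end of the input when the semicolon is missing).
  $css = preg_replace('/@import\b[^;]*(;|$)/i', '', $css);
  // Replace any url() reference that does not pass the whitelist with an
  // empty url(), which browsers ignore.
  $css = preg_replace_callback('/url\(\s*([\'"]?)(.*?)\1\s*\)/is', function ($m) {
    return css_url_allowed($m[2]) ? $m[0] : 'url()';
  }, $css);
  return $css;
}

function css_url_allowed($ref) {
  $ref = trim($ref);
  if (preg_match('#^https?://#i', $ref)) {
    return TRUE;
  }
  // Relative path only: no scheme, no leading slash, no "..", no whitespace
  // or control characters, nothing but [A-Za-z0-9_./-].
  return (bool) preg_match('#^[A-Za-z0-9_][A-Za-z0-9_./-]*$#', $ref)
    && strpos($ref, '..') === FALSE;
}

// Constructed input: two legitimate rules around an @import of a server-side
// file path and a url() that climbs out of the theme directory.
$input = <<<'CSS'
@import url("sites/default/settings.php");
.panel { color: #333; background: url(images/bg.png); }
@import "print.css" print;
.logo { background: url('../secret.txt'); }
CSS;

$output = filter_user_css($input);
echo $output, "\n";

// Self-check: no @import survives and the server-side path is gone.
$clean = stripos($output, '@import') === FALSE
  && strpos($output, 'settings.php') === FALSE
  && strpos($output, 'secret.txt') === FALSE;
echo $clean ? "filter ok\n" : "filter FAILED\n";
```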
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Chaos tool suite (ctools) 6.x-1.x versions prior to 6.x-1.9.
* Chaos tool suite (ctools) 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Chaos tool
suite (ctools) [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Ctools module for Drupal 6.x, upgrade to Ctools 6.x-1.9 [4]
* If you use the Ctools module for Drupal 7.x, upgrade to Ctools 7.x-1.1 [5]
Also see the Chaos tool suite (ctools) [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Casey [7]
-------- FIXED BY
------------------------------------------------------------
* Tim Plunkett [8] a module maintainer
* John Morahan [9] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* John Morahan [10] of the Drupal Security Team
* Heine Deelstra [11] of the Drupal Security Team
* Greg Knaddison [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
[1] http://drupal.org/project/ctools
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/ctools
[4] http://drupal.org/node/1719786
[5] http://drupal.org/node/1719782
[6] http://drupal.org/project/ctools
[7] http://drupal.org/user/32403
[8] http://drupal.org/user/241634
[9] http://drupal.org/user/58170
[10] http://drupal.org/user/58170
[11] http://drupal.org/user/17943
[12] http://drupal.org/user/36762
[13] http://drupal.org/contact
[14] http://drupal.org/security-team
[15] http://drupal.org/writing-secure-code
[16] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1719482
* Advisory ID: DRUPAL-SA-CONTRIB-2012-124
* Project: Mime Mail [1] (third-party module)
* Version: 6.x
* Date: 2012-August-8
* Security risk: Critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The MIME Mail module allows users to send MIME-encoded e-mail messages with
embedded images and attachments.
The module doesn't perform proper access checks, allowing a user to send
arbitrary files (e.g. settings.php) as attachments.
In the latest version users must have the "send arbitrary files" permission
to access files located outside the public files directory.
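An added example (not code from the Javascript Tool or Mime Mail modules) of the file checks that both SA-CONTRIB-2012-130 above and this advisory call for: confining a caller-supplied file name to one base directory before reading or writing it, and allowing attachments outside the public files directory only with the "send arbitrary files" permission. Helper names and the directory layout are hypothetical; `$has_permission` stands in for Drupal's `user_access('send arbitrary files')`. (The unprotected menu paths from the Javascript Tool advisory are a separate fix, an access callback on each path, and are not shown here.)

```php
<?php
// Added example, not code from either module; helper names are hypothetical.

/**
 * Resolve $name inside $base and return the absolute path, or NULL when the
 * result would escape $base through "..", an absolute path, a symlink or a
 * NUL byte. With $must_exist = FALSE (the write case) the parent directory
 * must already exist inside $base and the last component must be a file name.
 */
function safe_file_path($base, $name, $must_exist = TRUE) {
  $base_real = realpath($base);
  if ($base_real === FALSE || strpos($name, "\0") !== FALSE) {
    return NULL;
  }
  $prefix = rtrim($base_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
  // Always prepend the base, so "/etc/passwd" is handled as a relative name.
  $candidate = $prefix . $name;
  // realpath() collapses ".." and resolves symlinks; FALSE if nothing is there.
  $real = realpath($candidate);
  if ($real === FALSE) {
    if ($must_exist) {
      return NULL;
    }
    $leaf = basename($candidate);
    $dir = realpath(dirname($candidate));
    if ($dir === FALSE || $leaf === '' || $leaf === '.' || $leaf === '..') {
      return NULL;
    }
    $real = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $leaf;
  }
  // Compare with the trailing separator included, so a sibling directory
  // such as "<base>2" is not accepted as being inside "<base>".
  return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : NULL;
}

/**
 * Attachment policy as described in the Mime Mail advisory: files under the
 * public files directory are always attachable, anything else needs the
 * "send arbitrary files" permission. $has_permission stands in for
 * user_access('send arbitrary files') inside Drupal.
 */
function attachment_allowed($public_dir, $path, $has_permission) {
  $public_real = realpath($public_dir);
  $real = realpath($path);
  if ($public_real === FALSE || $real === FALSE) {
    return FALSE;
  }
  $prefix = rtrim($public_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
  if (strncmp($real, $prefix, strlen($prefix)) === 0) {
    return TRUE;
  }
  return (bool) $has_permission;
}

// Self-check on a constructed layout under the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'advisory_demo_' . getmypid();
$files = $root . DIRECTORY_SEPARATOR . 'files';
mkdir($files, 0700, TRUE);
file_put_contents($files . '/site.js', "// public asset\n");
file_put_contents($root . '/settings.php', "constructed secret\n");
$checks = array(
  'read inside base'        => safe_file_path($files, 'site.js') !== NULL,
  'read via ..'             => safe_file_path($files, '../settings.php') === NULL,
  'read absolute path'      => safe_file_path($files, '/etc/passwd') === NULL,
  'write new file inside'   => safe_file_path($files, 'new.js', FALSE) !== NULL,
  'write via ..'            => safe_file_path($files, '../new.js', FALSE) === NULL,
  'attach public file'      => attachment_allowed($files, $files . '/site.js', FALSE),
  'attach outside, no perm' => !attachment_allowed($files, $root . '/settings.php', FALSE),
  'attach outside, perm'    => attachment_allowed($files, $root . '/settings.php', TRUE),
);
unlink($files . '/site.js');
unlink($root . '/settings.php');
rmdir($files);
rmdir($root);
foreach ($checks as $label => $ok) {
  echo ($ok ? 'ok   ' : 'FAIL ') . $label . "\n";
}
```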
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Mime Mail 6.x-1.x versions prior to 6.x-1.1.
Drupal core is not affected. If you do not use the contributed Mime Mail [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Mime Mail module for Drupal 6.x, upgrade to Mime Mail
6.x-1.1 [4]
Also see the Mime Mail [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* joglin [6]
-------- FIXED BY
------------------------------------------------------------
* Jeremiah Davis [7] the module maintainer
* Gabor Seljan [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
* Dave Reid [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
[1] http://drupal.org/project/mimemail
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/mimemail
[4] http://drupal.org/node/1719446
[5] http://drupal.org/project/mimemail
[6] http://drupal.org/user/86464
[7] http://drupal.org/user/228997
[8] http://drupal.org/user/232117
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/53892
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1719462
* Advisory ID: DRUPAL-SA-CONTRIB-2012-123
* Project: Shibboleth authentication [1] (third-party module)
* Version: 6.x
* Date: 2012-August-8
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Access bypass
-------- DESCRIPTION
---------------------------------------------------------
The Shibboleth authentication module provides user authentication with
Shibboleth single sign-on systems (both v1.3 and v2.0) as well as some
authorization features (automatic role assignment based on Shibboleth
attributes).
The module doesn't sufficiently confirm that the user's Drupal account is
active when authenticating, so an account that has been blocked may still be
authenticated.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Shibboleth authentication all versions prior to 6.x-4.0-rc3.
Drupal core is not affected. If you do not use the contributed Shibboleth
authentication [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Shibboleth authentication module for Drupal 6.x, upgrade to
Shibboleth authentication 6.x-4.0 [4]
Shibboleth authentication releases for Drupal 7.x are not affected.
Also see the Shibboleth authentication [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Brian Swaney [6]
-------- FIXED BY
------------------------------------------------------------
Fixed by newer releases.
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [7].
Learn more about the Drupal Security team and their policies [8], writing
secure code for Drupal [9], and securing your site [10].
[1] http://drupal.org/project/shib_auth
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/shib_auth
[4] http://drupal.org/node/1332976
[5] http://drupal.org/project/shib_auth
[6] http://drupal.org/user/608968
[7] http://drupal.org/contact
[8] http://drupal.org/security-team
[9] http://drupal.org/writing-secure-code
[10] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1719402
* Advisory ID: DRUPAL-SA-CONTRIB-2012-122
* Project: Better Revisions [1] (third-party module)
* Version: 7.x
* Date: 2012-August-08
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Better Revisions module changes the built-in revision log text area to a
customizable select list with an optional description field. It also allows
an administrator to make the list and/or description field required.
The module doesn't sufficiently validate strings entered in the
administration interface.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer better revisions".
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Better Revisions 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Better
Revisions [3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Better Revisions module for Drupal 7.x, upgrade to Better
Revisions 7.x-1.1 [4]
Also see the Better Revisions [5] project page.
-------- REPORTED BY
---------------------------------------------------------
* Klaus Purer [6] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Roy Baxter [7] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Klaus Purer [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and securing your site [12].
[1] http://drupal.org/project/better_revisions
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/better_revisions
[4] http://drupal.org/node/1713378
[5] http://drupal.org/project/better_revisions
[6] http://drupal.org/user/262198
[7] http://drupal.org/user/360394
[8] http://drupal.org/user/262198
[9] http://drupal.org/contact
[10] http://drupal.org/security-team
[11] http://drupal.org/writing-secure-code
[12] http://drupal.org/security/secure-configuration
View online: http://drupal.org/node/1719392
* Advisory ID: DRUPAL-SA-CONTRIB-2012-121
* Project: Shorten URLs [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2012-August-8
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
The Shorten URLs module provides an API to shorten URLs via many services
like bit.ly and TinyURL, as well as a block and a page that provide an
interface for easily shortening URLs.
.... Cross Site Scripting via report
The module doesn't sufficiently sanitize user input when displaying shortened
URLs.
This vulnerability is mitigated by several factors:
* The Record Shortened URLs submodule must be installed
* The Views module must /not/ be installed
* An attacker must either have the "use Shorten URLs page" permission or
access to the Shorten URLs block
CVE: Requested
.... Cross Site Scripting via Custom Services List
There is an additional XSS vulnerability where the module doesn't
sufficiently sanitize user input when displaying custom URL shortening
services.
This vulnerability is mitigated by the fact that the "Shorten URLs Custom
Services" submodule must be enabled and the attacker must have the
"administer Shorten URLs custom services" permission, which should not be
given to non-administrators.
CVE: Requested
-------- VERSIONS AFFECTED
---------------------------------------------------
* Shorten URLs 6.x-1.x versions prior to 6.x-1.13.
* Shorten URLs 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Shorten URLs
[3] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Shorten URLs module for Drupal 6.x, upgrade to Shorten URLs
6.x-1.13 [4]
* If you use the Shorten URLs module for Drupal 7.x, upgrade to Shorten URLs
7.x-1.2 [5]
Also see the Shorten URLs [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Zach Alexander [7]
* Justin Klein Keane [8]
-------- FIXED BY
------------------------------------------------------------
* Isaac Sukin [9], the module maintainer
* Zach Alexander [10]
* Justin Klein Keane [11]
-------- COORDINATED BY
------------------------------------------------------
* Stella Power [12] of the Drupal Security Team
* Greg Knaddison [13] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [14].
Learn more about the Drupal Security team and their policies [15], writing
secure code for Drupal [16], and securing your site [17].
[1] http://drupal.org/project/shorten
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/shorten
[4] https://drupal.org/node/1719306
[5] https://drupal.org/node/1719310
[6] http://drupal.org/project/shorten
[7] https://drupal.org/user/1972656
[8] https://drupal.org/user/302225
[9] https://drupal.org/user/201425
[10] https://drupal.org/user/1972656
[11] https://drupal.org/user/302225
[12] http://drupal.org/user/66894
[13] http://drupal.org/user/36762
[14] http://drupal.org/contact
[15] http://drupal.org/security-team
[16] http://drupal.org/writing-secure-code
[17] http://drupal.org/security/secure-configuration