SA

Security Announcements for November 2008

  • SA-2008-071 - USER KARMA
    User Karma versions prior to 5.x-1.13 and 6.x-1.0 contain an SQL injection and a cross-site scripting (XSS) vulnerability that could give a user control over an SQL database and user cookies.
  • SA-2008-070 - COMMENT MAIL
    Comment Mail for Drupal 5.x prior to 5.x-1.1 contains a cross-site request forgery (CSRF) vulnerability that allows end-users to administer permissions and ban IP addresses, deny a comment, or approve one.

Security Announcements for October 2008

October 2008 has not been a kind month for Drupal. In addition to a third-party module needing to be updated, modules have been banned because of multiple vulnerabilities, many people have had problems updating modules incorrectly in Drupal 6, and several problems with the core require Drupal core itself to be updated.

Drupal SAs for September 2008

There have been 5 Drupal security announcements for September 2008 about third-party modules with cross-site scripting vulnerabilities in them.
