#Security improvements

Open on Drupal.org →

It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

⚡️ Live updates comments, jobs, and issues, tagged with #Security improvements will update issues and activities on this page.

Issues

🐛
Do not allow existing or reserved paths as aliases
Needs work
Drupal core 11.0 — path.module
Created over 18 years ago
🇺🇸United States JHeffner
12 days ago
✨
JWT Invalidation on user logout
Needs work
JSON Web Token Authentication (JWT) 1.0
Created almost 4 years ago
🇸🇰Slovakia phrabovcin
12 days ago
🐛
Time-zone-abbreviation to TZID route is not access controlled
Active
Drupal core 11.0 — system.module
Created about 6 years ago
🇦🇺Australia dpi
13 days ago
✨
Missing support to store secret_key (and site_key) outside of configuration (DB)
Active
hCaptcha 1.0
Created 5 months ago
brevilo
13 days ago
📌
Update to ckeditor 45.2.2 (once available)
Active
Drupal core 11.0 — ckeditor5.module
Created 14 days ago
🇬🇧United Kingdom catch
14 days ago
📌
Add protocol filtering to the core Attribute component
Needs review
Drupal core 11.0 — base system
Created about 10 years ago
🇬🇧United Kingdom catch
15 days ago
📌
Review/update $adminTags variable for new html elements to be whitelisted
Needs work
Drupal core 10.1 — other
Created about 9 years ago
🇺🇸United States nmillin
18 days ago
✨
Prevent homographic usernames
Needs work
Drupal core 11.0 — user system
Created almost 19 years ago
🇷🇺Russia dyp
20 days ago
🐛
SSRF vis role name on content translation screen
Active
Drupal core 11.0 — config_translation.module
Created over 1 year ago
🇦🇺Australia larowlan
20 days ago
📌
Allow form tokens to be used on anonymous forms in some cases
Needs work
Drupal core 11.0 — forms system
Created almost 13 years ago
🇺🇸United States David_Rothstein
20 days ago
📌
Disallow dangerous filenames e.g. command injection characters
Active
Drupal core 11.0 — file system
Created 6 months ago
🇬🇧United Kingdom mcdruid
21 days ago
🐛
Harden webhook hash against timing attacks
Active
Mailchimp 3.0
Created 3 months ago
🇫🇷France prudloff
22 days ago
🐛
Access bypass in entity-reference selection handler if hook_entity_access is implemented
Active
Drupal core 11.0 — entity system
Created over 1 year ago
🇦🇺Australia larowlan
23 days ago
📌
Change form element access bypass default to FALSE on programmatic submissions.
Postponed: needs info
Drupal core 11.0 — forms system
Created over 11 years ago
🇧🇪Belgium mr.baileys
24 days ago
🐛
Role Assignment issue when a Role is deleted
Closed: outdated
Commerce License 1.0
Created over 10 years ago
pere orga
30 days ago
🐛
Need to safeguard allowed roles
Closed: outdated
Commerce License 1.0
Created over 9 years ago
🇬🇧United Kingdom adamps
30 days ago
📌
Avoid abuse of config sync import tarballs
Active
Drupal core 11.0 — configuration system
Created 4 months ago
🇬🇧United Kingdom mcdruid
about 1 month ago
✨
Prevent XSS in data attributes
Active
Drupal core 11.0 — render system
Created 4 months ago
🇫🇷France prudloff
about 1 month ago
🐛
Use email verification when changing user email addresses
Needs work
Drupal core 10.1 — user.module
Created almost 19 years ago
🇬🇧United Kingdom AjK
about 1 month ago
✨
Require password for certain admin actions
Active
Drupal core 11.1 — user system
Created 8 months ago
🇺🇸United States drumm
about 1 month ago
📌
Sanitize OR add Content-Security-Policy for SVGs
Active
Drupal core 11.0 — image.module
Created over 8 years ago
🇬🇧United Kingdom alexpott
about 1 month ago
🐛
[regression] User roles field access is inconsistent, users with 'administer users' permission can gain full access
Needs work
Drupal core 11.0 — user.module
Created over 8 years ago
🇺🇸United States kevin.dutra
about 1 month ago
✨
Allow email verification in user settings when a user tries to change their email address
Closed: outdated
Varbase Core 9.0
Created over 4 years ago
🇯🇴Jordan mohammad-fayoumi
about 2 months ago
🐛
[D8] t($user_input) needs hardening
Postponed: needs info
Drupal core 10.1 — bootstrap system
Created almost 9 years ago
🇺🇸United States micnap
about 2 months ago
💬
Apache Solr Server Unavailable After Adding Security.json
Active
Search API Solr 4.3
Created over 1 year ago
🇧🇧Barbados ShockWave08
about 2 months ago
📌
[Meta] Audit the database layer for security and ensure it is unit tested
Postponed: needs info
Drupal core 11.0 — database system
Created almost 11 years ago
🇩🇪Germany Fabianx
about 2 months ago
✨
Allow overriding of auth provider settings.
Needs work
Salesforce Suite 5.0
Created over 3 years ago
🇺🇸United States oknate
about 2 months ago
📌
Remove \GuzzleHttp\Cookie\FileCookieJar from the autoloader for security
Active
Drupal core 11.0 — composer
Created 4 months ago
🇬🇧United Kingdom mcdruid
about 2 months ago
🐛
Harden key comparison against timing attacks
Active
Disable Login Page 1.1
Created 3 months ago
🇫🇷France prudloff
about 2 months ago
📌
Clean up unserialize() in the migration modules
Active
Drupal core 11.0 — migration system
Created 4 months ago
🇺🇸United States benjifisher
2 months ago
🐛
Reset password form can still be accessed
Active
Remove'Reset your password' 1.0
Created 2 months ago
🇫🇷France prudloff
2 months ago
📌
Port Cross-site Scripting - Autocomplete system from SA-CORE-2015-003 to Drupal 8
Needs work
Drupal core 9.5 — javascript
Created about 10 years ago
🇨🇦Canada webchick
2 months ago
📌
Bad usage of the PHP hash_equals function
Active
Drupal core 10.3 — other
Created 10 months ago
🇨🇭Switzerland epieddy
2 months ago
🐛
Don't use |raw in Twig templates
Active
Footnotes 4.0
Created 3 months ago
🇫🇷France prudloff
2 months ago
📌
Clean up unserialize() in the config system
Active
Drupal core 11.0 — configuration system
Created 4 months ago
🇺🇸United States benjifisher
2 months ago
✨
Protect initial login link against abuse and username leaking
Needs work
Drupal core 11.0 — user system
Created almost 6 years ago
🇺🇸United States greggles
2 months ago
📌
[meta] Audit the event subscriber system for security
Postponed: needs info
Drupal core 11.0 — base system
Created almost 11 years ago
🇩🇪Germany Fabianx
3 months ago
🐛
Remove use of exec('rm -Rf') as security concern preventing use of open_basedir.
Needs work
Drupal core 11.0 — phpunit
Created over 8 years ago
🇺🇸United States webservant316
3 months ago
🐛
OTP code is not truly random
Active
Email TFA 2.0
Created 3 months ago
🇫🇷France prudloff
3 months ago
🐛
Long-standing architecture flaw: Directly printing a nested element skips important processing (including #access) of parent elements
Active
Drupal core 11.0 — theme system
Created over 10 years ago
🇺🇸United States effulgentsia
3 months ago
📌
Security improvements
Active
Model Context Protocol 1.0
Created 4 months ago
🇬🇪Georgia gagosha
3 months ago
🐛
Unhandled exception when looking up a configuration objects by name which contains non-ASCII characters
Active
Drupal core 11.0 — configuration system
Created 12 months ago
🇦🇺Australia jannakha
3 months ago
📌
Add test for SA-CORE-2024-002
Active
Drupal core 11.0 — ckeditor5.module
Created 4 months ago
🇫🇷France prudloff
3 months ago
🐛
Use getDisplayName() for user names consistently
Needs work
Drupal core 10.1 — user.module
Created almost 10 years ago
mbkaba22
3 months ago
✨
Provide an API to check file access
Active
Drupal core 11.0 — file system
Created 3 months ago
🇬🇧United Kingdom adamps
3 months ago
📌
Automatically assign user cache contexts/tags when using current_user service
Postponed
Drupal core 11.0 — cache system
Created about 10 years ago
🇧🇪Belgium wim leers
3 months ago
🐛
Do not prepopulate the user register form with the email address and username of the last person who registered using the same web browser
Needs work
Drupal core 9.5 — user system
Created over 10 years ago
🇮🇳India jeet09
3 months ago
✨
Make module developers think about restricted permissions
Active
Drupal core 11.0 — other
Created 3 months ago
🇫🇷France prudloff
3 months ago
✨
Notify the developer if #access is anything other than an allowed boolean or access result object.
Active
Drupal core 11.0 — forms system
Created 4 months ago
🇫🇷France prudloff
3 months ago
📌
Increase the length of the itok token for image derivatives
Active
Drupal core 11.0 — image.module
Created over 2 years ago
🇦🇺Australia larowlan
3 months ago
📌
Assert on unrecognized field access check operation
Needs work
Drupal core 11.0 — field system
Created almost 9 years ago
🇺🇸United States hampercm
3 months ago
📌
Harden CKEditor 5 against self-XSS through source editing
Active
Drupal core 11.0 — ckeditor5.module
Created almost 3 years ago
🇫🇮Finland lauriii
3 months ago
✨
Make it easier to protect forms against brute force
Active
Drupal core 11.0 — forms system
Created 3 months ago
🇫🇷France prudloff
3 months ago
🐛
Remove outdated code that sets password on $account during user registration
Needs work
Drupal core 11.0 — user system
Created over 9 years ago
🇺🇸United States pwolanin
3 months ago
📌
Improve input sanitisation
Active
JSON:API Menu Items 1.2
Created 3 months ago
🇬🇧United Kingdom alexpott
3 months ago
📌
Disable the user.login.http route by default
Active
Drupal core 11.0 — user.module
Created 3 months ago
🇫🇷France prudloff
3 months ago
📌
Prevent users from uploading .htaccess files
Active
Drupal core 11.0 — file system
Created 3 months ago
🇺🇸United States akalata
3 months ago
📌
Always rename dot files like Drupal 7
Needs work
Drupal core 11.0 — file system
Created about 3 years ago
🇬🇧United Kingdom alexpott
3 months ago
🐛
Harden TFA code comparison against timing attacks
Active
Email TFA 2.0
Created 3 months ago
🇫🇷France prudloff
3 months ago
🐛
#file_value_callbacks bypass the TrustedCallbackInterface protections
Active
Drupal core 11.0 — file system
Created over 4 years ago
🇦🇺Australia larowlan
3 months ago
🌱
Set up a formal process for ensuring JavaScript dependencies remain up to date
Needs review
Drupal core 10.0 — javascript
Created over 3 years ago
🇫🇮Finland lauriii
3 months ago
🐛
Harden the security where hash values are compared
Fixed
Drupal core 8.0 — user system
Created over 10 years ago
🇺🇸United States thekevinday
3 months ago
📌
Limit all DB drivers to executing single statements by checking for delimiter
Fixed
Drupal core 8.0 — database system
Created over 10 years ago
🇺🇸United States pwolanin
3 months ago
🐛
ImageStyleDownloadController routes do not limit schemes served
Needs review
Drupal core 9.5 — image system
Created about 3 years ago
🇺🇸United States cmlara
3 months ago
🐛
User logout is vulnerable to CSRF
Needs work
Drupal core 11.0 — user system
Created over 18 years ago
🇬🇧United Kingdom xano
3 months ago
🐛
Security improvement: Validate content-type of uploaded files
Postponed
Drupal core 11.0 — file system
Created almost 9 years ago
🇺🇸United States micnap
3 months ago
✨
Add a SECURITY.md explaining how to report security vulnerabilities properly
Active
Drupal core 11.0 — documentation
Created almost 6 years ago
🇱🇰Sri Lanka Ayesh
3 months ago
✨
Suggestion for: (3469565) Security Team Members
Active
Documentation
Created 8 months ago
🇺🇸United States davidwise
3 months ago
✨
A read only mode so that the security team could potentially recommend a course of action for sites that cannot be updated at the very moment a security fix is released
Needs review
Drupal core 11.0 — base system
Created over 7 years ago
🇬🇧United Kingdom alexpott
3 months ago
📌
Add a default CSP and clickjacking defence and minimal API for CSP to core
Active
Drupal core 10.1 — base system
Created about 10 years ago
🇺🇸United States pwolanin
3 months ago
🐛
Session fixation for anonymous users - discard invalid session identifiers instead of accepting them
Needs work
Drupal core 11.0 — base system
Created almost 10 years ago
🇺🇸United States kscheirer
4 months ago
📌
Don't automatically set a cookie domain
Needs review
Drupal core 10.1 — base system
Created over 7 years ago
🇬🇧United Kingdom alexpott
4 months ago
🐛
UrlHelper::isValid() should handle hyphens, '-', correctly
Needs work
Drupal core 11.0 — other
Created over 10 years ago
pere orga
4 months ago
📌
Check for common words in password strength indicators
Needs work
Drupal core 11.0 — user.module
Created over 13 years ago
🇺🇸United States webkenny
4 months ago
🌱
[policy] Consider username enumerations as security bugs that require Security Advisories
Active
Drupal core 10.0 — documentation
Created almost 4 years ago
🇭🇺Hungary mxr576
4 months ago
🐛
Browser URL can be accessed by anonymous users
Active
Paragraphs Browser 1.0
Created 4 months ago
🇦🇺Australia jannakha
4 months ago
✨
Log changes to sensitive field but do not log values
Active
Configuration log 4.0
Created 4 months ago
🇦🇺Australia jannakha
4 months ago
📌
Stop calling Html::escape() for checkbox options
Active
Drupal core 10.1 — other
Created over 2 years ago
🇫🇷France andypost
4 months ago
✨
Blocking TRACE method by configuration files
Needs work
Drupal core 10.1 — system.module
Created almost 7 years ago
🇭🇺Hungary tatarbj
4 months ago
🐛
'json_decode()' is used in callbacks without validation of arguments leaving the application vulnerable to XSS attacks.
Needs review
Context 3.10
Created almost 5 years ago
🇮🇳India SachinT1996
4 months ago
🐛
file_unmanaged_move() in Drupal 8 makes unreadable files readable
Active
Drupal core 11.0 — file system
Created 9 months ago
🇦🇺Australia mingsong
4 months ago
🐛
HTML5 localStorage Security
Active
Drupal core 11.0 — toolbar.module
Created almost 9 years ago
🇺🇸United States micnap
4 months ago
✨
Harden Drupal against DOM clobbering attacks
Active
Drupal core 11.0 — other
Created 4 months ago
🇫🇷France prudloff
4 months ago
🐛
Allow Xss::filter() to restrict allowed attributes
Active
Drupal core 11.0 — render system
Created 4 months ago
🇫🇷France prudloff
4 months ago
📌
Set X-Content-Type-Options header in IIS web.config
Active
Drupal core 10.1 — base system
Created over 2 years ago
🇬🇧United Kingdom longwave
4 months ago
🐛
Url::access() doesn't allow cacheability metadata to be bubbled
Needs work
Drupal core 10.1 — routing system
Created over 9 years ago
🇧🇪Belgium wim leers
4 months ago
🐛
Layout Builder move block and add section routes vulnerable to CSRF
Needs review
Drupal core 11.0 — layout_builder.module
Created almost 2 years ago
🇦🇺Australia larowlan
4 months ago
🐛
Flood control on reset password form blocks IP address but not the account
Active
Drupal core 11.0 — user system
Created about 3 years ago
carolea
4 months ago
✨
Check that the CSP header is added to SVG files
Postponed
Drupal core 11.0 — other
Created 4 months ago
🇫🇷France prudloff
4 months ago
🐛
Add functionality to impersonate a user
Fixed
Drupal core 8.0 — user system
Created about 17 years ago
🇺🇸United States drewish
4 months ago
🐛
Harden the use of unserialize in InlineBlock via allowed classes
Active
Drupal core 11.0 — layout_builder.module
Created almost 2 years ago
🇦🇺Australia larowlan
4 months ago
✨
XSS attacks and security scan via testbot
Needs work
Drupal core 11.0 — base system
Created over 15 years ago
🇩🇪Germany sun
4 months ago
📌
No point in storing (default) entity in context for samples
Closed: outdated
FillPDF 1.0
Created over 6 years ago
Pancho
4 months ago
🐛
Chocolate chip does not expire other sessions when password is changed or user logs out
Closed: outdated
Bakery Single Sign-On System 2.0
Created about 10 years ago
🇺🇸United States pwolanin
4 months ago
🐛
Allow DisplayPluginInterface::access() to return an AccessResultInterface object with cacheability metadata
Needs work
Drupal core 11.0 — views.module
Created about 10 years ago
🇩🇪Germany dawehner
4 months ago
📌
Make all persisted form builds immutable
Postponed: needs info
Drupal core 11.0 — forms system
Created over 10 years ago
🇺🇸United States effulgentsia
4 months ago
🐛
Remove srcdoc attributes in Xss::filter()
Active
Drupal core 11.0 — other
Created 6 months ago
🇫🇷France prudloff
4 months ago
📌
preg_match /D modifier
Postponed: needs info
Drupal core 9.5 — base system
Created almost 14 years ago
🇨🇦Canada webchick
5 months ago
📌
Make form tokens more unique when form IDs are shared
Postponed: needs info
Drupal core 9.5 — forms system
Created over 13 years ago
🇺🇸United States dave reid
5 months ago
✨
srcdoc attribute is allowed when allowing iframes
Active
htmLawed 4.1
Created 5 months ago
🇫🇷France prudloff
5 months ago

Activities

No activities found.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024

#Security improvements

Issues

Do not allow existing or reserved paths as aliasesNeeds workDrupal core 11.0 — path.module Created over 18 years ago

JWT Invalidation on user logoutNeeds workJSON Web Token Authentication (JWT) 1.0 Created almost 4 years ago

Time-zone-abbreviation to TZID route is not access controlledActiveDrupal core 11.0 — system.module Created about 6 years ago

Missing support to store secret_key (and site_key) outside of configuration (DB)ActivehCaptcha 1.0 Created 5 months ago

Update to ckeditor 45.2.2 (once available)ActiveDrupal core 11.0 — ckeditor5.module Created 14 days ago

Add protocol filtering to the core Attribute componentNeeds reviewDrupal core 11.0 — base system Created about 10 years ago

Review/update $adminTags variable for new html elements to be whitelistedNeeds workDrupal core 10.1 — other Created about 9 years ago

Prevent homographic usernamesNeeds workDrupal core 11.0 — user system Created almost 19 years ago

SSRF vis role name on content translation screenActiveDrupal core 11.0 — config_translation.module Created over 1 year ago

Allow form tokens to be used on anonymous forms in some casesNeeds workDrupal core 11.0 — forms system Created almost 13 years ago

Disallow dangerous filenames e.g. command injection charactersActiveDrupal core 11.0 — file system Created 6 months ago

Harden webhook hash against timing attacksActiveMailchimp 3.0 Created 3 months ago

Access bypass in entity-reference selection handler if hook_entity_access is implementedActiveDrupal core 11.0 — entity system Created over 1 year ago

Change form element access bypass default to FALSE on programmatic submissions.Postponed: needs infoDrupal core 11.0 — forms system Created over 11 years ago

Role Assignment issue when a Role is deletedClosed: outdatedCommerce License 1.0 Created over 10 years ago

Need to safeguard allowed rolesClosed: outdatedCommerce License 1.0 Created over 9 years ago

Avoid abuse of config sync import tarballsActiveDrupal core 11.0 — configuration system Created 4 months ago

Prevent XSS in data attributesActiveDrupal core 11.0 — render system Created 4 months ago

Use email verification when changing user email addressesNeeds workDrupal core 10.1 — user.module Created almost 19 years ago

Require password for certain admin actionsActiveDrupal core 11.1 — user system Created 8 months ago

Sanitize OR add Content-Security-Policy for SVGsActiveDrupal core 11.0 — image.module Created over 8 years ago

[regression] User roles field access is inconsistent, users with 'administer users' permission can gain full accessNeeds workDrupal core 11.0 — user.module Created over 8 years ago

Allow email verification in user settings when a user tries to change their email addressClosed: outdatedVarbase Core 9.0 Created over 4 years ago

[D8] t($user_input) needs hardeningPostponed: needs infoDrupal core 10.1 — bootstrap system Created almost 9 years ago

Apache Solr Server Unavailable After Adding Security.jsonActiveSearch API Solr 4.3 Created over 1 year ago

[Meta] Audit the database layer for security and ensure it is unit testedPostponed: needs infoDrupal core 11.0 — database system Created almost 11 years ago

Allow overriding of auth provider settings.Needs workSalesforce Suite 5.0 Created over 3 years ago

Remove \GuzzleHttp\Cookie\FileCookieJar from the autoloader for securityActiveDrupal core 11.0 — composer Created 4 months ago

Harden key comparison against timing attacksActiveDisable Login Page 1.1 Created 3 months ago

Clean up unserialize() in the migration modulesActiveDrupal core 11.0 — migration system Created 4 months ago

Reset password form can still be accessedActiveRemove'Reset your password' 1.0 Created 2 months ago

Port Cross-site Scripting - Autocomplete system from SA-CORE-2015-003 to Drupal 8Needs workDrupal core 9.5 — javascript Created about 10 years ago

Bad usage of the PHP hash_equals functionActiveDrupal core 10.3 — other Created 10 months ago

Don't use |raw in Twig templatesActiveFootnotes 4.0 Created 3 months ago

Clean up unserialize() in the config systemActiveDrupal core 11.0 — configuration system Created 4 months ago

Protect initial login link against abuse and username leakingNeeds workDrupal core 11.0 — user system Created almost 6 years ago

[meta] Audit the event subscriber system for securityPostponed: needs infoDrupal core 11.0 — base system Created almost 11 years ago

Remove use of exec('rm -Rf') as security concern preventing use of open_basedir.Needs workDrupal core 11.0 — phpunit Created over 8 years ago

OTP code is not truly randomActiveEmail TFA 2.0 Created 3 months ago

Long-standing architecture flaw: Directly printing a nested element skips important processing (including #access) of parent elementsActiveDrupal core 11.0 — theme system Created over 10 years ago

Security improvementsActiveModel Context Protocol 1.0 Created 4 months ago

Unhandled exception when looking up a configuration objects by name which contains non-ASCII charactersActiveDrupal core 11.0 — configuration system Created 12 months ago

Add test for SA-CORE-2024-002ActiveDrupal core 11.0 — ckeditor5.module Created 4 months ago

Use getDisplayName() for user names consistentlyNeeds workDrupal core 10.1 — user.module Created almost 10 years ago

Provide an API to check file accessActiveDrupal core 11.0 — file system Created 3 months ago

Automatically assign user cache contexts/tags when using current_user servicePostponedDrupal core 11.0 — cache system Created about 10 years ago

Do not prepopulate the user register form with the email address and username of the last person who registered using the same web browserNeeds workDrupal core 9.5 — user system Created over 10 years ago

Make module developers think about restricted permissionsActiveDrupal core 11.0 — other Created 3 months ago

Notify the developer if #access is anything other than an allowed boolean or access result object.ActiveDrupal core 11.0 — forms system Created 4 months ago

Increase the length of the itok token for image derivativesActiveDrupal core 11.0 — image.module Created over 2 years ago

Assert on unrecognized field access check operationNeeds workDrupal core 11.0 — field system Created almost 9 years ago

Harden CKEditor 5 against self-XSS through source editingActiveDrupal core 11.0 — ckeditor5.module Created almost 3 years ago

Make it easier to protect forms against brute forceActiveDrupal core 11.0 — forms system Created 3 months ago

Remove outdated code that sets password on $account during user registrationNeeds workDrupal core 11.0 — user system Created over 9 years ago

Improve input sanitisationActiveJSON:API Menu Items 1.2 Created 3 months ago

Disable the user.login.http route by defaultActiveDrupal core 11.0 — user.module Created 3 months ago

Prevent users from uploading .htaccess filesActiveDrupal core 11.0 — file system Created 3 months ago

Always rename dot files like Drupal 7Needs workDrupal core 11.0 — file system Created about 3 years ago

Harden TFA code comparison against timing attacksActiveEmail TFA 2.0 Created 3 months ago

#file_value_callbacks bypass the TrustedCallbackInterface protectionsActiveDrupal core 11.0 — file system Created over 4 years ago

Set up a formal process for ensuring JavaScript dependencies remain up to dateNeeds reviewDrupal core 10.0 — javascript Created over 3 years ago

Harden the security where hash values are comparedFixedDrupal core 8.0 — user system Created over 10 years ago

Limit all DB drivers to executing single statements by checking for delimiterFixedDrupal core 8.0 — database system Created over 10 years ago

ImageStyleDownloadController routes do not limit schemes servedNeeds reviewDrupal core 9.5 — image system Created about 3 years ago

User logout is vulnerable to CSRFNeeds workDrupal core 11.0 — user system Created over 18 years ago

Security improvement: Validate content-type of uploaded filesPostponedDrupal core 11.0 — file system Created almost 9 years ago

Add a SECURITY.md explaining how to report security vulnerabilities properlyActiveDrupal core 11.0 — documentation Created almost 6 years ago

Suggestion for: (3469565) Security Team MembersActiveDocumentation Created 8 months ago

A read only mode so that the security team could potentially recommend a course of action for sites that cannot be updated at the very moment a security fix is releasedNeeds reviewDrupal core 11.0 — base system Created over 7 years ago

Add a default CSP and clickjacking defence and minimal API for CSP to coreActiveDrupal core 10.1 — base system Created about 10 years ago

Session fixation for anonymous users - discard invalid session identifiers instead of accepting themNeeds workDrupal core 11.0 — base system Created almost 10 years ago

Don't automatically set a cookie domainNeeds reviewDrupal core 10.1 — base system Created over 7 years ago

UrlHelper::isValid() should handle hyphens, '-', correctlyNeeds workDrupal core 11.0 — other Created over 10 years ago

Check for common words in password strength indicatorsNeeds workDrupal core 11.0 — user.module Created over 13 years ago

[policy] Consider username enumerations as security bugs that require Security AdvisoriesActiveDrupal core 10.0 — documentation Created almost 4 years ago

Browser URL can be accessed by anonymous usersActiveParagraphs Browser 1.0 Created 4 months ago

Log changes to sensitive field but do not log valuesActiveConfiguration log 4.0 Created 4 months ago

Stop calling Html::escape() for checkbox optionsActiveDrupal core 10.1 — other Created over 2 years ago

Do not allow existing or reserved paths as aliases
Needs work
Drupal core 11.0 — path.module
Created over 18 years ago

JWT Invalidation on user logout
Needs work
JSON Web Token Authentication (JWT) 1.0
Created almost 4 years ago

Time-zone-abbreviation to TZID route is not access controlled
Active
Drupal core 11.0 — system.module
Created about 6 years ago

Missing support to store secret_key (and site_key) outside of configuration (DB)
Active
hCaptcha 1.0
Created 5 months ago

Update to ckeditor 45.2.2 (once available)
Active
Drupal core 11.0 — ckeditor5.module
Created 14 days ago

Add protocol filtering to the core Attribute component
Needs review
Drupal core 11.0 — base system
Created about 10 years ago

Review/update $adminTags variable for new html elements to be whitelisted
Needs work
Drupal core 10.1 — other
Created about 9 years ago

Prevent homographic usernames
Needs work
Drupal core 11.0 — user system
Created almost 19 years ago

SSRF vis role name on content translation screen
Active
Drupal core 11.0 — config_translation.module
Created over 1 year ago

Allow form tokens to be used on anonymous forms in some cases
Needs work
Drupal core 11.0 — forms system
Created almost 13 years ago

Disallow dangerous filenames e.g. command injection characters
Active
Drupal core 11.0 — file system
Created 6 months ago

Harden webhook hash against timing attacks
Active
Mailchimp 3.0
Created 3 months ago

Access bypass in entity-reference selection handler if hook_entity_access is implemented
Active
Drupal core 11.0 — entity system
Created over 1 year ago

Change form element access bypass default to FALSE on programmatic submissions.
Postponed: needs info
Drupal core 11.0 — forms system
Created over 11 years ago

Role Assignment issue when a Role is deleted
Closed: outdated
Commerce License 1.0
Created over 10 years ago

Need to safeguard allowed roles
Closed: outdated
Commerce License 1.0
Created over 9 years ago

Avoid abuse of config sync import tarballs
Active
Drupal core 11.0 — configuration system
Created 4 months ago

Prevent XSS in data attributes
Active
Drupal core 11.0 — render system
Created 4 months ago

Use email verification when changing user email addresses
Needs work
Drupal core 10.1 — user.module
Created almost 19 years ago

Require password for certain admin actions
Active
Drupal core 11.1 — user system
Created 8 months ago

Sanitize OR add Content-Security-Policy for SVGs
Active
Drupal core 11.0 — image.module
Created over 8 years ago

[regression] User roles field access is inconsistent, users with 'administer users' permission can gain full access
Needs work
Drupal core 11.0 — user.module
Created over 8 years ago

Allow email verification in user settings when a user tries to change their email address
Closed: outdated
Varbase Core 9.0
Created over 4 years ago

[D8] t($user_input) needs hardening
Postponed: needs info
Drupal core 10.1 — bootstrap system
Created almost 9 years ago

Apache Solr Server Unavailable After Adding Security.json
Active
Search API Solr 4.3
Created over 1 year ago

[Meta] Audit the database layer for security and ensure it is unit tested
Postponed: needs info
Drupal core 11.0 — database system
Created almost 11 years ago

Allow overriding of auth provider settings.
Needs work
Salesforce Suite 5.0
Created over 3 years ago

Remove \GuzzleHttp\Cookie\FileCookieJar from the autoloader for security
Active
Drupal core 11.0 — composer
Created 4 months ago

Harden key comparison against timing attacks
Active
Disable Login Page 1.1
Created 3 months ago

Clean up unserialize() in the migration modules
Active
Drupal core 11.0 — migration system
Created 4 months ago

Reset password form can still be accessed
Active
Remove'Reset your password' 1.0
Created 2 months ago

Port Cross-site Scripting - Autocomplete system from SA-CORE-2015-003 to Drupal 8
Needs work
Drupal core 9.5 — javascript
Created about 10 years ago

Bad usage of the PHP hash_equals function
Active
Drupal core 10.3 — other
Created 10 months ago

Don't use |raw in Twig templates
Active
Footnotes 4.0
Created 3 months ago

Clean up unserialize() in the config system
Active
Drupal core 11.0 — configuration system
Created 4 months ago

Protect initial login link against abuse and username leaking
Needs work
Drupal core 11.0 — user system
Created almost 6 years ago

[meta] Audit the event subscriber system for security
Postponed: needs info
Drupal core 11.0 — base system
Created almost 11 years ago

Remove use of exec('rm -Rf') as security concern preventing use of open_basedir.
Needs work
Drupal core 11.0 — phpunit
Created over 8 years ago

OTP code is not truly random
Active
Email TFA 2.0
Created 3 months ago

Long-standing architecture flaw: Directly printing a nested element skips important processing (including #access) of parent elements
Active
Drupal core 11.0 — theme system
Created over 10 years ago

Security improvements
Active
Model Context Protocol 1.0
Created 4 months ago

Unhandled exception when looking up a configuration objects by name which contains non-ASCII characters
Active
Drupal core 11.0 — configuration system
Created 12 months ago

Add test for SA-CORE-2024-002
Active
Drupal core 11.0 — ckeditor5.module
Created 4 months ago

Use getDisplayName() for user names consistently
Needs work
Drupal core 10.1 — user.module
Created almost 10 years ago

Provide an API to check file access
Active
Drupal core 11.0 — file system
Created 3 months ago

Automatically assign user cache contexts/tags when using current_user service
Postponed
Drupal core 11.0 — cache system
Created about 10 years ago

Do not prepopulate the user register form with the email address and username of the last person who registered using the same web browser
Needs work
Drupal core 9.5 — user system
Created over 10 years ago

Make module developers think about restricted permissions
Active
Drupal core 11.0 — other
Created 3 months ago

Notify the developer if #access is anything other than an allowed boolean or access result object.
Active
Drupal core 11.0 — forms system
Created 4 months ago

Increase the length of the itok token for image derivatives
Active
Drupal core 11.0 — image.module
Created over 2 years ago

Assert on unrecognized field access check operation
Needs work
Drupal core 11.0 — field system
Created almost 9 years ago

Harden CKEditor 5 against self-XSS through source editing
Active
Drupal core 11.0 — ckeditor5.module
Created almost 3 years ago

Make it easier to protect forms against brute force
Active
Drupal core 11.0 — forms system
Created 3 months ago

Remove outdated code that sets password on $account during user registration
Needs work
Drupal core 11.0 — user system
Created over 9 years ago

Improve input sanitisation
Active
JSON:API Menu Items 1.2
Created 3 months ago

Disable the user.login.http route by default
Active
Drupal core 11.0 — user.module
Created 3 months ago

Prevent users from uploading .htaccess files
Active
Drupal core 11.0 — file system
Created 3 months ago

Always rename dot files like Drupal 7
Needs work
Drupal core 11.0 — file system
Created about 3 years ago

Harden TFA code comparison against timing attacks
Active
Email TFA 2.0
Created 3 months ago

#file_value_callbacks bypass the TrustedCallbackInterface protections
Active
Drupal core 11.0 — file system
Created over 4 years ago

Set up a formal process for ensuring JavaScript dependencies remain up to date
Needs review
Drupal core 10.0 — javascript
Created over 3 years ago

Harden the security where hash values are compared
Fixed
Drupal core 8.0 — user system
Created over 10 years ago

Limit all DB drivers to executing single statements by checking for delimiter
Fixed
Drupal core 8.0 — database system
Created over 10 years ago

ImageStyleDownloadController routes do not limit schemes served
Needs review
Drupal core 9.5 — image system
Created about 3 years ago

User logout is vulnerable to CSRF
Needs work
Drupal core 11.0 — user system
Created over 18 years ago

Security improvement: Validate content-type of uploaded files
Postponed
Drupal core 11.0 — file system
Created almost 9 years ago

Add a SECURITY.md explaining how to report security vulnerabilities properly
Active
Drupal core 11.0 — documentation
Created almost 6 years ago

Suggestion for: (3469565) Security Team Members
Active
Documentation
Created 8 months ago

A read only mode so that the security team could potentially recommend a course of action for sites that cannot be updated at the very moment a security fix is released
Needs review
Drupal core 11.0 — base system
Created over 7 years ago

Add a default CSP and clickjacking defence and minimal API for CSP to core
Active
Drupal core 10.1 — base system
Created about 10 years ago

Session fixation for anonymous users - discard invalid session identifiers instead of accepting them
Needs work
Drupal core 11.0 — base system
Created almost 10 years ago

Don't automatically set a cookie domain
Needs review
Drupal core 10.1 — base system
Created over 7 years ago

UrlHelper::isValid() should handle hyphens, '-', correctly
Needs work
Drupal core 11.0 — other
Created over 10 years ago

Check for common words in password strength indicators
Needs work
Drupal core 11.0 — user.module
Created over 13 years ago

[policy] Consider username enumerations as security bugs that require Security Advisories
Active
Drupal core 10.0 — documentation
Created almost 4 years ago

Browser URL can be accessed by anonymous users
Active
Paragraphs Browser 1.0
Created 4 months ago

Log changes to sensitive field but do not log values
Active
Configuration log 4.0
Created 4 months ago

Stop calling Html::escape() for checkbox options
Active
Drupal core 10.1 — other
Created over 2 years ago

Blocking TRACE method by configuration files
Needs work
Drupal core 10.1 — system.module
Created almost 7 years ago

'json_decode()' is used in callbacks without validation of arguments leaving the application vulnerable to XSS attacks.
Needs review
Context 3.10
Created almost 5 years ago