Reporting security issues to the Drupal project
2017-12-06
I have recently started reporting security issues to the Drupal project, most of them affecting contributed modules.
This one for instance is a CSRF that was present in the Configuration Update Manager module for Drupal 8.
This one was highly critical, allowing SQL injection by anonymous users, as well as CSRF and XSS.
Update: It has been analysed by Drew Webber (mcdruid) - Acquia Principal Security Analyst - during his "Reverse Engineering Drupal Vulnerabilities" presentation.
Another highly critical one again allowed SQL injection and XSS.