August 2017

H5P - Critical - Reflected Cross Site Scripting (XSS) - DRUPAL-SA-CONTRIB-2017-071

* Advisory ID: DRUPAL-SA-CONTRIB-2017-071
* Project: H5P- Create and Share Rich Content and Applications (third-party module)
* Version: 7.x
* Date: 2017-August-30
* Security risk: 18/25 (Critical)
* Vulnerability: Cross Site Scripting


The H5P module helps create interactive videos, question sets, drag and drop
questions, multichoice questions, boardgames, presentations, flashcards and
more using Drupal.

Commerce Invoices - Highly Critical - SQL Injection and Cross Site Scripting - DRUPAL-SA-CONTRIB-2017-070

* Advisory ID: DRUPAL-SA-CONTRIB-2017-070
* Project: Commerce Invoices (third-party module)
* Version: 7.x
* Date: 2017-August-30
* Security risk: 20/25 (Highly Critical)
* Vulnerability: Cross Site Scripting, SQL Injection


Commerce Invoices allows you to enter an Invoice number, Company name and
Amount and it will generate an Invoice that the client can pay on your site
using any payment method supported by Drupal commerce.


Family Travel Forum

Kyle McCarthy
Family Travel Forum, 18 August 2017

Our Drupal developer introduced us to Drupion several years ago, because we were having support issues on a shared server at another company. Things have been smooth sailing ever since. At Drupion, our development team has received great service and prompt assistance with technical issues. As the company owner, I have gotten prompt attention to billing inquiries, and requests for new services, such as adding SSL certificates to our many websites moving to an https:// format. Additionally, the Drupion support team was quick to facilitate the move of 32 domain addresses and management from another webhost. The Drupion team has been a very important partner in our company's growth, plus they're nice to work with.

Family Travel Forum has provided trusted vacation planning resources for traveling the world with kids since 1996. Over the years, our staff and contributors who Have Kids, Still Travel! -- as well as their children, our interns, professional writers and our community -- have created a rich and up to date library on the latest destinations, travel products and trends.

Houk Consulting

Don Houk
Houk Consulting, 16 August 2017

Drupion has been a phenomenal host for our Drupal sites. We’ve not experienced any issues with the service in the time we have hosted with them, which is a pleasant surprise coming from a string of less than reliable hosts. If you have a Drupal site, you should host it here.

Houk Consulting provides proactive IT services that drive business success for small businesses around Pittsburgh, PA.

Entity Reference - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-067

* Advisory ID: DRUPAL-SA-CONTRIB-2017-067
* Project: Entity reference (third-party module)
* Version: 7.x
* Date: 2017-August-16
* Security risk: 12/25 (Moderately Critical)
* Vulnerability: Access bypass


The entity reference module provides a field type that can reference
arbitrary entities.

In a vulnerable configuration, an attacker could determine the titles of
nodes they do not have access to.

Views refresh - Moderately Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-069

* Advisory ID: DRUPAL-SA-CONTRIB-2017-069
* Project: Views Refresh (third-party module)
* Version: 7.x, 8.x
* Date: 2017-August-16
* Security risk: 14/25 (Moderately Critical)
* Vulnerability: Access bypass


When creating a view, you can optionally use Ajax to update the displayed
data via filter parameters. The views refresh module did not restrict
access to the Ajax endpoint to only views configured to use Ajax. This is
mitigated if you have access restrictions on the view.

Views - Moderately Critical - Access Bypass

Drupion customers should pay special attention: contributed modules are not covered by the automatic Drupal core updates announced on

* Advisory ID: DRUPAL-SA-CONTRIB-2014-0XX
* Project: Views
* Version: 7.x, 8.x
* Date: 2017-August-16
* Security risk: 14/25 (Moderately Critical)
* Vulnerability: Access bypass
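Because automatic core updates leave contributed modules untouched, the first thing to know is whether any of the projects named in this month's advisories are installed on a site, and at which packaged version. The script below is an added example for that inventory step; it is not Drupion's tooling and not part of any advisory. It walks a Drupal 7 tree, parses each module's .info file (drupal.org packaging writes `project = "..."` and `version = "7.x-..."` lines; a git checkout has neither, so the file basename is used as a fallback and the version is reported as unpackaged), and reports the advisory that names each matching project. The project machine names (h5p, commerce_invoice, entityreference, views_refresh, views) are assumed from the project titles on this page, the sample .info files are constructed, and since the page does not state fixed versions the script only reports what is present rather than deciding whether a version is affected.

```python
"""Inventory check for contributed modules named in the August 2017 advisories.

Added example (not Drupion's or drupal.org's code). Assumes a Drupal 7 tree
with one .info file per module; project machine names are assumed.
"""
import os
import re
import tempfile
from typing import Dict, Optional, Tuple

# Assumed drupal.org machine names -> advisory ID as listed on this page.
ADVISED_PROJECTS = {
    "h5p": "DRUPAL-SA-CONTRIB-2017-071",
    "commerce_invoice": "DRUPAL-SA-CONTRIB-2017-070",
    "entityreference": "DRUPAL-SA-CONTRIB-2017-067",
    "views_refresh": "DRUPAL-SA-CONTRIB-2017-069",
    "views": "DRUPAL-SA-CONTRIB-2014-0XX",  # ID exactly as the page prints it
}

# Plain `key = value` lines only; array keys such as dependencies[] are skipped.
_KV = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)


def parse_info(text: str) -> Dict[str, str]:
    """Parse the simple key = value lines of a Drupal 7 .info file."""
    return {key: value for key, value in _KV.findall(text)}


def module_record(path: str) -> Tuple[str, Optional[str]]:
    """Return (project, version) for one .info file.

    drupal.org packaging adds `project` and `version`; a git checkout has
    neither, so fall back to the basename and report no version.
    """
    with open(path, encoding="utf-8") as handle:
        info = parse_info(handle.read())
    project = info.get("project") or os.path.splitext(os.path.basename(path))[0]
    return project, info.get("version")


def check_tree(root: str) -> Dict[str, Dict[str, object]]:
    """Walk root; collect advisory, versions and .info paths per advised project.

    Sub-modules (e.g. views_ui.info) share their parent's `project`, so they
    fold into one entry. More than one version in an entry is itself a finding.
    """
    found: Dict[str, Dict[str, object]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".info"):
                continue
            path = os.path.join(dirpath, name)
            project, version = module_record(path)
            if project not in ADVISED_PROJECTS:
                continue
            entry = found.setdefault(project, {
                "advisory": ADVISED_PROJECTS[project],
                "versions": set(),
                "files": [],
            })
            entry["versions"].add(version or "unpackaged")
            entry["files"].append(os.path.relpath(path, root))
    return found


# Constructed sample .info files (not from any real site); versions are arbitrary.
SAMPLE_INFO = {
    "sites/all/modules/h5p/h5p.info":
        'name = H5P\ncore = 7.x\nproject = "h5p"\nversion = "7.x-1.10"\n',
    "sites/all/modules/views/views.info":
        'name = Views\ncore = 7.x\ndependencies[] = ctools\nproject = "views"\nversion = "7.x-3.16"\n',
    "sites/all/modules/views/views_ui.info":
        'name = Views UI\ncore = 7.x\nproject = "views"\nversion = "7.x-3.16"\n',
    "sites/all/modules/entityreference/entityreference.info":
        '; git checkout: no project/version lines\nname = Entity Reference\ncore = 7.x\n',
    "sites/all/modules/token/token.info":
        'name = Token\ncore = 7.x\nproject = "token"\nversion = "7.x-1.7"\n',
}


def build_sample_tree(root: str) -> None:
    """Write the constructed sample .info files under root."""
    for rel, body in SAMPLE_INFO.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(body)


def run_sample() -> Dict[str, Dict[str, object]]:
    """Build the sample tree in a temp dir and run the check over it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return check_tree(tmp)


if __name__ == "__main__":
    for project, entry in sorted(run_sample().items()):
        print(f"{project}: {entry['advisory']} versions={sorted(entry['versions'])}")
        for rel in entry["files"]:
            print(f"    {rel}")
```

Run it against a real site by replacing `run_sample()` with `check_tree("/path/to/drupal")`; an "unpackaged" version means the module came from git or a manual copy and its release must be established by hand before deciding whether the advisory applies.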


Drupal 8 Core - Multiple Vulnerabilities

The following alert is for the general Drupal public. All Drupal projects on the Drupion platform are updated automatically unless opted out per the instructions on
Drupion users can ask questions under this post on

The Official Vijay Prashad Website

Aya Yoshida
The Official Vijay Prashad Website, 15 August 2017

Drupion is a real advanced Drupal web hosting with full of SSH, Drush and GitHub. Also very friendly and helpful. If you have a Drupal site, Drupion is where to go. I mean, not only technically advanced, there's a spirit of open source and the good old original internet community.

Vijay Prashad is a journalist, historian of the Global South, Marxist intellectual, the George and Martha Kellner Chair in South Asian History and Professor of International Studies at Trinity College in Hartford, Connecticut.