CINXE.COM

<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" version="XHTML+RDFa 1.0" dir="ltr" xmlns:fb="http://ogp.me/ns/fb#" xmlns:og="http://ogp.me/ns#"> <head profile="http://www.w3.org/1999/xhtml/vocab"> <meta name="HandheldFriendly" content="true" /> <meta name="viewport" content="width=device-width" /> <meta name="MobileOptimized" content="width" />  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link rel="alternate" type="application/rss+xml" title="Security advisories" href="https://www.drupal.org/security/all/rss.xml" /> <title>Security advisories | Drupal.org</title> <link type="text/css" rel="stylesheet" href="/files/advagg_css/css__vwdslBVX8xVWQ4hx4mWxIC59-lKGPldWkMIm435ispk__msT4O19F5udTbXsVQpyNk2EFYlbaoLwufqq_ZcdDcB0__YaNGWokqa69Wq8hHbkE322PVJ8I-GmpfBsT8LGsMpcI.css" media="all" /> <link type="text/css" rel="stylesheet" href="/files/advagg_css/css__Xi-PZpvKTY78w7l1WNsqwUA52MIupHJebCMiX34Ugt0__D_EUHDAfEQdxcLiSDY7hREUWkG1Ge56_h2z3Er8V188__YaNGWokqa69Wq8hHbkE322PVJ8I-GmpfBsT8LGsMpcI.css" media="all" /> <link type="text/css" rel="stylesheet" href="/files/advagg_css/css__WF0PRotZAhCcl0aJjY5W2LYj8UwiYuB2dZEFluOh3Tc__FviX13FUB-Ppa2XB29BUIJQZ1Wg-F5XiDE7XD5y7mjQ__YaNGWokqa69Wq8hHbkE322PVJ8I-GmpfBsT8LGsMpcI.css" media="all" /> <link type="text/css" rel="stylesheet" href="/files/advagg_css/css__pWCOPcaPe71p3QyGrAeqEd6dwL_n27prYOjnWQj4jVI__fR6RV6fh70jWL18FMzdVQpGUyYT8iL9Vw8wnms1DdQA__YaNGWokqa69Wq8hHbkE322PVJ8I-GmpfBsT8LGsMpcI.css" media="all" /> <link type="text/css" rel="stylesheet" href="/files/advagg_css/css__mlCLWKqAJJ-E-mMVCEmFp-7SE_XsgAxpf7HS-FcVqB0__7Tgy6u_PBeTp3b4s5UumhQPx9mJ_jhs1Z-WvSrqxAHk__YaNGWokqa69Wq8hHbkE322PVJ8I-GmpfBsT8LGsMpcI.css" media="all" /> <link type="text/css" rel="stylesheet" href="/files/advagg_css/css__QPp1snPjYt_xYr0c_V0IORcEElkIUBBBrvOB4ZE0Gnw__8jkPtXCYcQv4spuNwtiMBMbZXgCS-2GouDqwnCBDPRE__YaNGWokqa69Wq8hHbkE322PVJ8I-GmpfBsT8LGsMpcI.css" media="all" /> </head> <body class="html not-front not-logged-in one-sidebar sidebar-second page-security drupalorg-site-main" > <div id="skip-link" tabindex="-1"> <a class="element-invisible element-focusable" href="#content">Skip to main content</a> <a class="element-invisible element-focusable skip-link-search" href="#search-block-form">Skip to search</a> </div> <div class="region region-page-top"> <noscript aria-hidden="true"><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-W36H8DW" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript> <div id="drupalorg-crosssite-gdpr">Can we use first and third party cookies and web beacons to <a href="https://www.drupal.org/terms">understand our audience, and to tailor promotions you see</a>?<br><button class="yes">Yes, please</button><button class="no">No, do not track me</button></div> </div> <div id="nav-header"> <div class="menu-nav"> <a class="nav-btn" id="nav-open-btn" href="#block-system-main-menu"><img src="/sites/all/themes/bluecheese/images/icon-w-menu.svg" alt="Main menu"></a> </div> <nav id="navigation-inner" class="container-12" role="navigation"> <div class="region region-navigation"> <div id="block-system-main-menu" class="block block-system block-menu"> <div class="block-inner"> <div class="content"> <div class="menu-block"><ul class="menu button"><li class="first leaf"><a href="/home" title="Drupal.org home page">Drupal.org home</a></li> <li class="expanded"><a href="/about" title="">Why Drupal?</a><div class="menu-block"><ul class="menu button"><li class="first leaf"><a href="/about" title="Learn about Drupal">About Drupal</a></li> <li class="leaf"><a href="/docs/getting-started/understanding-drupal/overview-of-drupal" title="">Platform overview</a></li> <li class="leaf"><a href="/about/11" title="">Drupal 11</a></li> <li class="leaf"><a href="/features/content-authoring" title="">Content Authoring</a></li> <li class="leaf"><a href="/features/content-as-a-service" title="">Content as a Service</a></li> <li class="leaf"><a href="/features/decoupled" title="">Decoupled</a></li> <li class="leaf"><a href="/features/accessibility" title="">Accessibility</a></li> <li class="leaf"><a href="/features/marketing-automation" title="">Marketing Automation</a></li> <li class="leaf"><a href="/features/multilingual" title="">Multilingual</a></li> <li class="leaf"><a href="/features/security" title="">Security</a></li> <li class="leaf"><a href="/features/personalization" title="">Personalization</a></li> <li class="leaf"><a href="/case-studies" title="View case studies to see how your peers have built success on Drupal">Case studies</a></li> <li class="leaf"><a href="https://www.drupal.org/association/beyond-the-build" title="">Video series</a></li> <li class="last leaf"><a href="/about/in-the-news" title="">News</a></li> </ul></div></li> <li class="expanded"><a href="/industries" title="Examples of solutions built on Drupal">Use cases</a><div class="menu-block"><ul class="menu button"><li class="first leaf"><a href="/developers" title="">For Developers</a></li> <li class="leaf"><a href="/marketers" title="Why marketers should choose Drupal for their ambitious digital experiences">For Marketers</a></li> <li class="leaf"><a href="/industries/ecommerce" title="">E-commerce</a></li> <li class="leaf"><a href="/industries/education" title="">Education</a></li> <li class="leaf"><a href="/industries/fintech" title="">FinTech</a></li> <li class="leaf"><a href="/industries/government" title="">Government</a></li> <li class="leaf"><a href="/industries/healthcare" title="">Healthcare</a></li> <li class="leaf"><a href="/industries/hightech" title="">High Tech</a></li> <li class="leaf"><a href="/industries/nonprofit" title="">Nonprofit</a></li> <li class="leaf"><a href="/industries/retail" title="">Retail</a></li> <li class="last leaf"><a href="/industries/travel" title="">Travel</a></li> </ul></div></li> <li class="expanded active-trail"><a href="/documentation" title="Resources to help you on your Drupal journey" class="active-trail">Resources</a><div class="menu-block"><ul class="menu button"><li class="first leaf"><a href="/docs/getting-started/installing-drupal" title="">Installing Drupal</a></li> <li class="leaf"><a href="/documentation" title="Drupal Documentation">Documentation</a></li> <li class="leaf"><a href="/docs/user_guide/en/index.html" title="The Drupal 8 user guide will get you up to speed in no time">User guide</a></li> <li class="leaf"><a href="/docs/official_docs/local-development-guide" title="">Local Development Guide</a></li> <li class="leaf active-trail"><a href="/security" title="Find information about security releases for Drupal" class="active-trail active">Security</a></li> <li class="leaf"><a href="/news" title="News about the Drupal ecosystem">News</a></li> <li class="leaf"><a href="/planet" title="">Blog</a></li> <li class="last leaf"><a href="/about/drupal-7/d7eol/partners" title="Find help for your Drupal 7 migration">Migrate from D7</a></li> </ul></div></li> <li class="expanded"><a href="/drupal-services" title="Buy Drupal Products and Services">Services</a><div class="menu-block"><ul class="menu button"><li class="first leaf"><a href="/drupal-services" title="View the Drupal service provider marketplace">Find an Agency Partner</a></li> <li class="leaf"><a href="/hosting" title="Find trusted Drupal hosting providers">Find Integrations & Hosting</a></li> <li class="leaf"><a href="/training" title="Find expert Drupal training">Find Drupal Training</a></li> <li class="leaf"><a href="/association/become-a-drupal-certified-partner" title="">Become a Certified Partner</a></li> <li class="last leaf"><a href="/about/drupal-7/d7eol/migration-resource-center/enterprise" title="">Find a D7 migration partner</a></li> </ul></div></li> <li class="expanded"><a href="/community" title="Drupal Community">Community</a><div class="menu-block"><ul class="menu button"><li class="first leaf"><a href="/community/contributor-guide" title="">How to Contribute</a></li> <li class="leaf"><a href="/community" title="View the community portal and find all the ways you can contribute to Drupal">About the Community</a></li> <li class="leaf"><a href="/support" title="">Support</a></li> <li class="leaf"><a href="/project/governance" title="">Community Governance</a></li> <li class="last leaf"><a href="https://jobs.drupal.org" title="">Jobs/Careers</a></li> </ul></div></li> <li class="expanded"><a href="/community/events" title="Find Drupal Events around the world, from the official DrupalCons, to community Camps and Meet-Ups">Events</a><div class="menu-block"><ul class="menu button"><li class="first leaf"><a href="https://events.drupal.org/barcelona2024" title="">DrupalCon Barcelona 2024</a></li> <li class="leaf"><a href="https://events.drupal.org/singapore2024" title="">DrupalCon Singapore 2024</a></li> <li class="leaf"><a href="https://events.drupal.org/atlanta2025" title="">DrupalCon Atlanta 2025</a></li> <li class="last leaf"><a href="/community/events" title="">Community Events</a></li> </ul></div></li> <li class="expanded"><a href="/download" title="Download and Extend Drupal">Download</a><div class="menu-block"><ul class="menu button"><li class="first collapsed"><a href="/download" title="Build your solution on Drupal">Download</a></li> <li class="leaf"><a href="/project/modules" title="Find modules to extend Drupal to meet any need">Modules</a></li> <li class="leaf"><a href="/project/themes" title="Browse themes as a starting point for making your Drupal site your own">Themes</a></li> <li class="leaf"><a href="/project/distributions" title="Use a distribution to start with a version of Drupal customized to purpose">Distributions</a></li> <li class="leaf"><a href="/project/issues" title="Dive into the issues queues and contribute back to Drupal">Issue queues</a></li> <li class="last leaf"><a href="https://git.drupalcode.org/project/drupal" title="">Browse Repository</a></li> </ul></div></li> <li class="expanded"><a href="/association" title="About the Drupal Association - the non-profit that supports the Drupal project">Give</a><div class="menu-block"><ul class="menu button"><li class="first leaf"><a href="/association" title="Learn about the Drupal Association - the nonprofit that supports the Drupal project">Drupal Association</a></li> <li class="leaf"><a href="/association/organization-membership" title="Learn more about the organizations that support the Drupal Association and our mission">Become an Organization Member</a></li> <li class="leaf"><a href="/association/become-a-drupal-certified-partner" title="">Become a Certified Partner</a></li> <li class="leaf"><a href="/association/RippleMakers" title="">Become a Ripple Maker</a></li> <li class="leaf"><a href="/association/donate" title="">Make a Donation</a></li> <li class="leaf"><a href="/association/discover-drupal" title="">Discover Drupal</a></li> <li class="last leaf"><a href="https://www.drupal.org/swag?utm_source=drupalorg&utm_medium=banner&utm_campaign=drupal_swag_shop_2020_09_17" title="Purchase Drupal merchandise and be the coolest kid on the block">Drupal Swag Shop</a></li> </ul></div></li> <li class="last expanded"><a href="/try-drupal" title="Try Drupal">Demo</a><div class="menu-block"><ul class="menu button"><li class="first leaf"><a href="/try-drupal" title="Demo Drupal online with a Drupal platform partner">Demo online</a></li> <li class="last leaf"><a href="/download" title="">Download</a></li> </ul></div></li> </ul></div><a class="close-btn" href="#top">Return to content</a> </div> </div> </div> <div id="block-search-form" class="block block-search"> <div class="block-inner"> <div class="content"> <form action="/security" method="post" id="search-block-form" accept-charset="UTF-8"><div><div class="container-inline"> <h2 class="element-invisible">Search form</h2> <div class="form-item form-type-textfield form-item-search-block-form"> <label class="element-invisible" for="edit-search-block-form--2">Search </label> <input placeholder="Search…" type="text" id="edit-search-block-form--2" name="search_block_form" value="" size="15" maxlength="128" class="form-text" /> </div> <div class="form-actions form-wrapper" id="edit-actions"><input alt="Search" type="image" id="edit-submit" name="submit" value="Search" src="/sites/all/themes/bluecheese/images/icon-w-search.svg" class="form-submit" /></div><input type="hidden" name="form_build_id" value="form-OLD-YRhp93qgNNiTnPFa9BtIDBZ_IJJOjM_J3zH5lCY" /> <input type="hidden" name="form_id" value="search_block_form" /> </div> </div></form> </div> </div> </div> <div id="block-system-user-menu" class="block block-system block-menu"> <div class="block-inner"> <div class="content"> <div class="menu-block"><ul class="menu"><li class="button default"><a href="#block-system-user-menu"><img src="https://www.drupal.org/sites/all/themes/bluecheese/images/icon-w-user.svg" alt="Log in, view profile, and more"></a><ul><li class="first leaf"><a href="/user/login?destination=security" title="">Log in</a></li> <li class="last leaf"><a href="/user/register?destination=security" title="">Create account</a></li> </ul></li></ul></div> </div> </div> </div> </div> </nav> </div> <div id="header" class="clearfix"> <div id="header-inner" class="container-12 clearfix"> <div id="header-left"> <div id="site-name"><a href="/" title="Drupal.org"><img src="https://www.drupal.org/files/drupal-wordmark.svg" alt="Drupal.org" /></a></div> </div> <div id="header-right"> </div> </div> </div> <div id="banner" data-nosnippet> <div class="region region-banner"> <div id="block-drupalorg-announcements" class="block block-drupalorg"> <div class="block-inner"> <div class="content"> <div class="announcement"><img class="photo" src="https://www.drupal.org/files/styles/grid-2-2x-square/public/announcements/drupalcon-hexagon-icon-280X280px_2.png?itok=Oxf_7ZRC" width="280" height="280" alt="Announcement icon" title="Announcement icon" />Early Bird Registration for DrupalCon Atlanta is now open! By registering during our Early Bird Registration window, you’ll save $100. This window ends on 19 January 2025 and will go by quickly, so don’t wait!</div> <div class="cta"><a href="https://web.cvent.com/event/f3a4f9b8-0efa-44cf-a939-b80869a939af/summary" class="global-announce-banner dc-singapore-registration">Register now to save $100</a></div> </div> </div> </div> </div> </div> <div id="page" class="clearfix"> <div id="page-heading"> <div class="breadbox"></div> <h1 id="page-title" class="container-12">Security advisories</h1> </div>  <div class="container-12 page-inner"> <div id="main" role="main"> <div id="content" class="clearfix"> <div id="content-inner" class="clearfix"> <div class="region region-content"> <div id="block-system-main" class="block block-system"> <div class="block-inner"> <div class="content"> <div class="view view-drupalorg-security-announcements view-id-drupalorg_security_announcements view-display-id-page_2 view-dom-id-28e4dc036e33bbc8cfc44c88ec17f554"> <div class="view-header"> <p>Show advisories for <a href="/security/core" rel="nofollow">only Drupal Core</a>, <a href="/security/contrib" rel="nofollow">only contributed projects</a>, or <a href="/security/psa" rel="nofollow">only <abbr title="Public Service Announcements">PSAs</abbr></a></p> </div> <div class="view-content"> <div class="views-row views-row-1 views-row-odd views-row-first"> <div id="node-3488745" class="node node-sa node-teaser node-content-3488745 clearfix"> <h2><a href="/sa-contrib-2024-063">Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063</a></h2> <div class="content"> <div class="field field-name-drupalorg-sa-date field-type-text field-label-inline clearfix"><div class="field-label">Date: </div><div class="field-items"><div class="field-item even">2024-November-20</div></div></div><div class="field field-name-field-sa-criticality field-type-text field-label-inline clearfix"><div class="field-label">Security risk: </div><div class="field-items"><div class="field-item even"><a href="/security-team/risk-levels" class="moderately-critical" title="AC - Access complexity: Complex or highly specific (multi-step, unintuitive process with high number of dependencies) A - Authentication: Administrator (broad permissions required where “restrict access” is set to false) CI - Confidentiality impact: All non-public data is accessible II - Integrity impact: All data can be modified or deleted E - Exploit (Zero-day impact): Theoretical or white-hat (no public exploit code or documentation on development exists) TD - Target distribution: Only uncommon module configurations are exploitable"><strong>Moderately critical</strong> 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon</a></div></div></div><div class="field field-name-field-sa-description field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"><p>This module integrates webforms with eloqua, an automated marketing and demand generation software built to improve the quality and quantity of customers' sales leads and streamline their sales processes.</p> <p>In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize() function, which could result in Remote Code Execution via PHP Object Injection.</p></div></div></div> </div> <div class="node-footer"><ul class="links inline"><li class="node-readmore first last"><a href="/sa-contrib-2024-063" rel="tag" title="Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063">Read more<span class="element-invisible"> about Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063</span></a></li> </ul></div> </div> </div> <div class="views-row views-row-2 views-row-even"> <div id="node-3488719" class="node node-sa node-teaser node-content-3488719 clearfix"> <h2><a href="/sa-contrib-2024-062">Mailjet - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-062</a></h2> <div class="content"> <div class="field field-name-drupalorg-sa-date field-type-text field-label-inline clearfix"><div class="field-label">Date: </div><div class="field-items"><div class="field-item even">2024-November-20</div></div></div><div class="field field-name-field-sa-criticality field-type-text field-label-inline clearfix"><div class="field-label">Security risk: </div><div class="field-items"><div class="field-item even"><a href="/security-team/risk-levels" class="moderately-critical" title="AC - Access complexity: Complex or highly specific (multi-step, unintuitive process with high number of dependencies) A - Authentication: Administrator (broad permissions required where “restrict access” is set to false) CI - Confidentiality impact: All non-public data is accessible II - Integrity impact: All data can be modified or deleted E - Exploit (Zero-day impact): Theoretical or white-hat (no public exploit code or documentation on development exists) TD - Target distribution: Only uncommon module configurations are exploitable"><strong>Moderately critical</strong> 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon</a></div></div></div><div class="field field-name-field-sa-description field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"><p>This module for Drupal provides complete control of Email settings with Drupal and Mailjet.</p> <p>In certain cases the module doesn't securely pass data to PHP's unserialize() function, which could result in Remote Code Execution via PHP Object Injection.</p> <p>This vulnerability is mitigated by the fact that an attack must operate with the permission "administer mailjet module", however this could be the case if this issue were combined with others in an "attack chain".</p></div></div></div> </div> <div class="node-footer"><ul class="links inline"><li class="node-readmore first last"><a href="/sa-contrib-2024-062" rel="tag" title="Mailjet - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-062">Read more<span class="element-invisible"> about Mailjet - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-062</span></a></li> </ul></div> </div> </div> <div class="views-row views-row-3 views-row-odd"> <div id="node-3488717" class="node node-sa node-teaser node-content-3488717 clearfix"> <h2><a href="/sa-core-2024-008">Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008</a></h2> <div class="content"> <div class="field field-name-drupalorg-sa-date field-type-text field-label-inline clearfix"><div class="field-label">Date: </div><div class="field-items"><div class="field-item even">2024-November-20</div></div></div><div class="field field-name-field-sa-criticality field-type-text field-label-inline clearfix"><div class="field-label">Security risk: </div><div class="field-items"><div class="field-item even"><a href="/security-team/risk-levels" class="moderately-critical" title="AC - Access complexity: Complex or highly specific (multi-step, unintuitive process with high number of dependencies) A - Authentication: Administrator (broad permissions required where “restrict access” is set to false) CI - Confidentiality impact: All non-public data is accessible II - Integrity impact: All data can be modified or deleted E - Exploit (Zero-day impact): Theoretical or white-hat (no public exploit code or documentation on development exists) TD - Target distribution: Only uncommon module configurations are exploitable"><strong>Moderately critical</strong> 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon</a></div></div></div><div class="field field-name-field-sa-description field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"><p>Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.</p> <p>This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to <code class="language-php">unserialize()</code>. There are no such known exploits in Drupal core.</p></div></div></div> </div> <div class="node-footer"><ul class="links inline"><li class="node-readmore first last"><a href="/sa-core-2024-008" rel="tag" title="Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008">Read more<span class="element-invisible"> about Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008</span></a></li> </ul></div> </div> </div> <div class="views-row views-row-4 views-row-even"> <div id="node-3488713" class="node node-sa node-teaser node-content-3488713 clearfix"> <h2><a href="/sa-core-2024-007">Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007</a></h2> <div class="content"> <div class="field field-name-drupalorg-sa-date field-type-text field-label-inline clearfix"><div class="field-label">Date: </div><div class="field-items"><div class="field-item even">2024-November-20</div></div></div><div class="field field-name-field-sa-criticality field-type-text field-label-inline clearfix"><div class="field-label">Security risk: </div><div class="field-items"><div class="field-item even"><a href="/security-team/risk-levels" class="moderately-critical" title="AC - Access complexity: Complex or highly specific (multi-step, unintuitive process with high number of dependencies) A - Authentication: Administrator (broad permissions required where “restrict access” is set to false) CI - Confidentiality impact: All non-public data is accessible II - Integrity impact: All data can be modified or deleted E - Exploit (Zero-day impact): Theoretical or white-hat (no public exploit code or documentation on development exists) TD - Target distribution: Only uncommon module configurations are exploitable"><strong>Moderately critical</strong> 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon</a></div></div></div><div class="field field-name-field-sa-description field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"><p>Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.</p> <p>This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to <code class="language-php">unserialize()</code>. There are no such known exploits in Drupal core.</p></div></div></div> </div> <div class="node-footer"><ul class="links inline"><li class="node-readmore first last"><a href="/sa-core-2024-007" rel="tag" title="Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007">Read more<span class="element-invisible"> about Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007</span></a></li> </ul></div> </div> </div> <div class="views-row views-row-5 views-row-odd"> <div id="node-3488712" class="node node-sa node-teaser node-content-3488712 clearfix"> <h2><a href="/sa-core-2024-006">Drupal core - Less critical - Gadget chain - SA-CORE-2024-006</a></h2> <div class="content"> <div class="field field-name-drupalorg-sa-date field-type-text field-label-inline clearfix"><div class="field-label">Date: </div><div class="field-items"><div class="field-item even">2024-November-20</div></div></div><div class="field field-name-field-sa-criticality field-type-text field-label-inline clearfix"><div class="field-label">Security risk: </div><div class="field-items"><div class="field-item even"><a href="/security-team/risk-levels" class="less-critical" title="AC - Access complexity: Complex or highly specific (multi-step, unintuitive process with high number of dependencies) A - Authentication: User-level access (basic/commonly assigned permissions) CI - Confidentiality impact: No confidentiality impact II - Integrity impact: Some data can be modified E - Exploit (Zero-day impact): Theoretical or white-hat (no public exploit code or documentation on development exists) TD - Target distribution: Only uncommon module configurations are exploitable"><strong>Less critical</strong> 8 ∕ 25 AC:Complex/A:User/CI:None/II:Some/E:Theoretical/TD:Uncommon</a></div></div></div><div class="field field-name-field-sa-description field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"><p>Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable.</p> <p>This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to <code class="language-php">unserialize()</code>. There are no such known exploits in Drupal core.</p></div></div></div> </div> <div class="node-footer"><ul class="links inline"><li class="node-readmore first last"><a href="/sa-core-2024-006" rel="tag" title="Drupal core - Less critical - Gadget chain - SA-CORE-2024-006">Read more<span class="element-invisible"> about Drupal core - Less critical - Gadget chain - SA-CORE-2024-006</span></a></li> </ul></div> </div> </div> <div class="views-row views-row-6 views-row-even"> <div id="node-3488709" class="node node-sa node-teaser node-content-3488709 clearfix"> <h2><a href="/sa-core-2024-005">Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005</a></h2> <div class="content"> <div class="field field-name-drupalorg-sa-date field-type-text field-label-inline clearfix"><div class="field-label">Date: </div><div class="field-items"><div class="field-item even">2024-November-20</div></div></div><div class="field field-name-field-sa-criticality field-type-text field-label-inline clearfix"><div class="field-label">Security risk: </div><div class="field-items"><div class="field-item even"><a href="/security-team/risk-levels" class="critical" title="AC - Access complexity: None (user visits page) A - Authentication: None (all/anonymous users) CI - Confidentiality impact: Certain non-public data is released II - Integrity impact: Some data can be modified E - Exploit (Zero-day impact): Theoretical or white-hat (no public exploit code or documentation on development exists) TD - Target distribution: Default or common module configurations are exploitable, but a config change can disable the exploit"><strong>Critical</strong> 17 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default</a></div></div></div><div class="field field-name-field-sa-description field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"><p>Drupal 7 core's Overlay module doesn't safely handle user input, leading to reflected cross-site scripting under certain circumstances.</p> <p>Only sites with the Overlay module enabled are affected by this vulnerability.</p></div></div></div> </div> <div class="node-footer"><ul class="links inline"><li class="node-readmore first last"><a href="/sa-core-2024-005" rel="tag" title="Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005">Read more<span class="element-invisible"> about Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005</span></a></li> </ul></div> </div> </div> <div class="views-row views-row-7 views-row-odd"> <div id="node-3488705" class="node node-sa node-teaser node-content-3488705 clearfix"> <h2><a href="/sa-core-2024-004">Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004</a></h2> <div class="content"> <div class="field field-name-drupalorg-sa-date field-type-text field-label-inline clearfix"><div class="field-label">Date: </div><div class="field-items"><div class="field-item even">2024-November-20</div></div></div><div class="field field-name-field-sa-criticality field-type-text field-label-inline clearfix"><div class="field-label">Security risk: </div><div class="field-items"><div class="field-item even"><a href="/security-team/risk-levels" class="moderately-critical" title="AC - Access complexity: Basic or routine (user must follow specific path) A - Authentication: User-level access (basic/commonly assigned permissions) CI - Confidentiality impact: No confidentiality impact II - Integrity impact: Some data can be modified E - Exploit (Zero-day impact): Theoretical or white-hat (no public exploit code or documentation on development exists) TD - Target distribution: Default or common module configurations are exploitable, but a config change can disable the exploit"><strong>Moderately critical</strong> 10 ∕ 25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default</a></div></div></div><div class="field field-name-field-sa-description field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"><p>Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation.</p> <p>As a result, a user may be able to register with the same email address as another user.</p> <p>This may lead to data integrity issues.</p></div></div></div> </div> <div class="node-footer"><ul class="links inline"><li class="node-readmore first last"><a href="/sa-core-2024-004" rel="tag" title="Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004">Read more<span class="element-invisible"> about Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004</span></a></li> </ul></div> </div> </div> <div class="views-row views-row-8 views-row-even"> <div id="node-3488703" class="node node-sa node-teaser node-content-3488703 clearfix"> <h2><a href="/sa-core-2024-003">Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003</a></h2> <div class="content"> <div class="field field-name-drupalorg-sa-date field-type-text field-label-inline clearfix"><div class="field-label">Date: </div><div class="field-items"><div class="field-item even">2024-November-20</div></div></div><div class="field field-name-field-sa-criticality field-type-text field-label-inline clearfix"><div class="field-label">Security risk: </div><div class="field-items"><div class="field-item even"><a href="/security-team/risk-levels" class="moderately-critical" title="AC - Access complexity: Basic or routine (user must follow specific path) A - Authentication: User-level access (basic/commonly assigned permissions) CI - Confidentiality impact: Certain non-public data is released II - Integrity impact: Some data can be modified E - Exploit (Zero-day impact): Theoretical or white-hat (no public exploit code or documentation on development exists) TD - Target distribution: Default or common module configurations are exploitable, but a config change can disable the exploit"><strong>Moderately critical</strong> 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default</a></div></div></div><div class="field field-name-field-sa-description field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"><p>Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized.</p></div></div></div> </div> <div class="node-footer"><ul class="links inline"><li class="node-readmore first last"><a href="/sa-core-2024-003" rel="tag" title="Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003">Read more<span class="element-invisible"> about Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003</span></a></li> </ul></div> </div> </div> <div class="views-row views-row-9 views-row-odd"> <div id="node-3488699" class="node node-sa node-teaser node-content-3488699 clearfix"> <h2><a href="/sa-contrib-2024-061">Node export - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-061</a></h2> <div class="content"> <div class="field field-name-drupalorg-sa-date field-type-text field-label-inline clearfix"><div class="field-label">Date: </div><div class="field-items"><div class="field-item even">2024-November-20</div></div></div><div class="field field-name-field-sa-criticality field-type-text field-label-inline clearfix"><div class="field-label">Security risk: </div><div class="field-items"><div class="field-item even"><a href="/security-team/risk-levels" class="moderately-critical" title="AC - Access complexity: Complex or highly specific (multi-step, unintuitive process with high number of dependencies) A - Authentication: Administrator (broad permissions required where “restrict access” is set to false) CI - Confidentiality impact: All non-public data is accessible II - Integrity impact: All data can be modified or deleted E - Exploit (Zero-day impact): Theoretical or white-hat (no public exploit code or documentation on development exists) TD - Target distribution: Only uncommon module configurations are exploitable"><strong>Moderately critical</strong> 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon</a></div></div></div><div class="field field-name-field-sa-description field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"><p>This module allows users to export nodes and then import it into another Drupal installation, or on the same site.</p> <p>In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize() function, which could results in Remote Code Execution via PHP Object Injection.</p> <p>This vulnerability is mitigated by the fact that an attack must operate with the permission "Use PHP to import nodes", however this could be the case if this issue were combined with others in an "attack chain".</p></div></div></div> </div> <div class="node-footer"><ul class="links inline"><li class="node-readmore first last"><a href="/sa-contrib-2024-061" rel="tag" title="Node export - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-061">Read more<span class="element-invisible"> about Node export - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-061</span></a></li> </ul></div> </div> </div> <div class="views-row views-row-10 views-row-even views-row-last"> <div id="node-3487306" class="node node-sa node-teaser node-content-3487306 clearfix"> <h2><a href="/sa-contrib-2024-060">POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060</a></h2> <div class="content"> <div class="field field-name-drupalorg-sa-date field-type-text field-label-inline clearfix"><div class="field-label">Date: </div><div class="field-items"><div class="field-item even">2024-November-13</div></div></div><div class="field field-name-field-sa-criticality field-type-text field-label-inline clearfix"><div class="field-label">Security risk: </div><div class="field-items"><div class="field-item even"><a href="/security-team/risk-levels" class="critical" title="AC - Access complexity: Basic or routine (user must follow specific path) A - Authentication: User-level access (basic/commonly assigned permissions) CI - Confidentiality impact: All non-public data is accessible II - Integrity impact: All data can be modified or deleted E - Exploit (Zero-day impact): Theoretical or white-hat (no public exploit code or documentation on development exists) TD - Target distribution: Default or common module configurations are exploitable, but a config change can disable the exploit"><strong>Critical</strong> 17 ∕ 25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default</a></div></div></div><div class="field field-name-field-sa-description field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"><p>The module creates an endpoint on the site at /postfile/upload that accepts a POST request for uploading a single file into a specified file system (public, private, etc).</p> <p>This module accepts any uploaded file extension, including dangerous file formats so it can be used to bypass the allow_insecure_uploads config.</p> <p>This vulnerability is mitigated by the fact that an attacker must have a role with the permission "postfile upload".</p></div></div></div> </div> <div class="node-footer"><ul class="links inline"><li class="node-readmore first last"><a href="/sa-contrib-2024-060" rel="tag" title="POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060">Read more<span class="element-invisible"> about POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060</span></a></li> </ul></div> </div> </div> </div> <h2 class="element-invisible">Pages</h2><div class="item-list"><ul class="pager"><li class="pager-current first">1</li> <li class="pager-item"><a title="Go to page 2" href="/security?page=1">2</a></li> <li class="pager-item"><a title="Go to page 3" href="/security?page=2">3</a></li> <li class="pager-item"><a title="Go to page 4" href="/security?page=3">4</a></li> <li class="pager-item"><a title="Go to page 5" href="/security?page=4">5</a></li> <li class="pager-item"><a title="Go to page 6" href="/security?page=5">6</a></li> <li class="pager-item"><a title="Go to page 7" href="/security?page=6">7</a></li> <li class="pager-item"><a title="Go to page 8" href="/security?page=7">8</a></li> <li class="pager-item"><a title="Go to page 9" href="/security?page=8">9</a></li> <li class="pager-ellipsis">…</li> <li class="pager-next"><a title="Go to next page" href="/security?page=1">next ›</a></li> <li class="pager-last last"><a title="Go to last page" href="/security?page=176">last »</a></li> </ul></div> </div> </div> </div> </div> </div> </div> <div id="feeds">Subscribe with RSS <a href="https://www.drupal.org/security/all/rss.xml" class="feed-icon" title="Subscribe to Security advisories"><img src="https://www.drupal.org/misc/feed.png" width="16" height="16" alt="Subscribe to Security advisories" /></a></div> </div>  </div>  <div id="aside" role="complementary" > <div id="aside-region"> <div class="region region-sidebar-second"> <div id="block-block-34" class="block block-block"> <div class="block-inner"> <div class="content"> <p>In addition to the <a href="/security">news page and sub-tabs</a>, all security announcements are posted to an email list. To subscribe to email: log in, go to <a href="/user">your user profile page</a> and subscribe to the security newsletter on the <em>Edit » My newsletters</em> tab.</p> <p>You can also get rss feeds for <a href="https://www.drupal.org/security/rss.xml">core</a>, <a href="https://www.drupal.org/security/contrib/rss.xml">contrib</a>, or <a href="https://www.drupal.org/security/psa/rss.xml">public service announcements</a> or follow <a href="https://twitter.com/drupalsecurity">@drupalsecurity</a> on Twitter or <a rel="me" href="https://drupal.community/@drupalsecurity">drupalsecurity@drupal.community</a> on Mastodon.</p> <h3>Contacting the Security team</h3> <p>In order to report a security issue, or to learn more about the security team, please see the <a href="/security-team">Security team</a> handbook page.</p> <h3>Writing secure code</h3> <p>If you are a Drupal developer, please read the handbook section on <a href="/writing-secure-code">Writing secure code</a>.</p> </div> </div> </div> <div id="block-block-148" class="block block-block"> <div class="block-inner"> <h2>Drupal Steward</h2> <div class="content"> <p><a href="/steward" title="Drupal Steward"> <img width="50%" src="https://www.drupal.org/files/cta/graphic/drupal-steward-high-rez-logo.png" /></a><br /> Drupal Steward is a web application firewall product that can protect your Drupal sites from highly critical and mass exploitable vulnerabilities, allowing you to update on your own time. </p> <p><a href="/steward" class="button-link" title="Drupal Steward">Learn more</a></p> </div> </div> </div> </div> </div>  </div>  </div> </div>  <div id="footer" role="contentinfo"> <div class="region region-footer"> <div id="block-drupalorg-crosssite-drupalorg-footer" class="block block-drupalorg-crosssite"> <div class="block-inner"> <div class="content"> <h4 class="element-invisible">News items</h4><ul class="drupal-news"><li class="0 first"><a href="https://www.drupal.org/news">News</a></li> <li class="1"><a href="https://www.drupal.org/planet" title="News from Drupal community members">Planet Drupal</a></li> <li class="2"><a href="https://www.drupal.org/about/media-kit/social-media" title="Drupal on social media">Social media</a></li> <li class="3"><a href="https://www.drupal.org/subscribe">Sign up for Drupal news</a></li> <li class="4"><a href="https://www.drupal.org/security" title="Announcements from the Drupal Security Team">Security advisories</a></li> <li class="5 last"><a href="https://jobs.drupal.org/" title="Drupal Jobs">Jobs</a></li> </ul><h4 class="element-invisible">Our community</h4><ul class="community"><li class="0 first"><a href="https://www.drupal.org/community">Community</a></li> <li class="1"><span><a href="https://www.drupal.org/drupal-services" title="People and organizations offering Drupal services">Services</a>, <a href="https://www.drupal.org/training" title="People and organizations offering Drupal training">Training</a> & <a href="https://www.drupal.org/hosting" title="Organizations offering Drupal hosting">Hosting</a></span></li> <li class="2"><a href="https://www.drupal.org/community/contributor-guide">Contributor guide</a></li> <li class="3"><a href="https://groups.drupal.org/groups" title="groups.drupal.org">Groups & meetups</a></li> <li class="4"><a href="https://events.drupal.org" title="Upcoming and past DrupalCons">DrupalCon</a></li> <li class="5 last"><a href="https://www.drupal.org/dcoc" title="Drupal code of conduct">Code of conduct</a></li> </ul><h4 class="element-invisible">Documentation</h4><ul class="get-started"><li class="0 first"><a href="https://www.drupal.org/documentation" title="Documentation for working with Drupal">Documentation</a></li> <li class="1"><a href="https://www.drupal.org/docs">Drupal Guide</a></li> <li class="2"><a href="https://www.drupal.org/docs/user_guide/en/index.html">Drupal User Guide</a></li> <li class="3"><a href="https://www.drupal.org/documentation/develop">Developer docs</a></li> <li class="4 last"><a href="https://api.drupal.org/" title="Drupal API reference">API.Drupal.org</a></li> </ul><h4 class="element-invisible">Drupal code base</h4><ul class="download-extend"><li class="0 first"><a href="https://www.drupal.org/download">Download & Extend</a></li> <li class="1"><a href="https://www.drupal.org/project/drupal" title="Download the latest version of the Drupal software">Drupal core</a></li> <li class="2"><a href="https://www.drupal.org/project/project_module" title="Download add-on features and functionality">Modules</a></li> <li class="3"><a href="https://www.drupal.org/project/project_theme" title="Download pre-designed styles for Drupal">Themes</a></li> <li class="4 last"><a href="https://www.drupal.org/project/project_distribution" title="Download a pre-packaged Drupal site">Distributions</a></li> </ul><h4 class="element-invisible">Governance of community</h4><ul class="about"><li class="0 first"><a href="https://www.drupal.org/about">About</a></li> <li class="1"><a href="https://www.drupal.org/about/features/accessibility" title="Our committment to accessibility">Web accessibility</a></li> <li class="2"><a href="https://www.drupal.org/association" title="About the Drupal Association">Drupal Association</a></li> <li class="3"><a href="https://www.drupal.org/drupalorg" title="About Drupal.org">About Drupal.org</a></li> <li class="4"><a href="https://www.drupal.org/terms" title="Drupal.org terms of service">Terms of service</a></li> <li class="5 last"><a href="https://www.drupal.org/privacy" title="Drupal.org privacy policy">Privacy policy</a></li> </ul> </div> </div> </div> <div id="block-block-77" class="block block-block"> <div class="block-inner"> <div class="content"> <p>Drupal is a <a href="/about/trademark">registered trademark</a> of <a href="https://dri.es">Dries Buytaert</a>.</p> </div> </div> </div> </div> </div> <div class="region region-page-bottom"> <script type="text/javascript"> (function(){ window._pxAppId = 'PXVnPBBfwe'; window._pxParam2 = ''; window._pxParam3 = '0'; var p = document.getElementsByTagName('script')[0], s = document.createElement('script'); s.async = 1; s.src = '/VnPBBfwe/init.js'; p.parentNode.insertBefore(s,p); }()); </script> <noscript> <div style="position:fixed; top:0; left:0; display:none" width="1" height="1"> <img src="/VnPBBfwe/xhr/api/v1/collector/noScript.gif?appId=PXVnPBBfwe"> </div> </noscript> </div> <script type="text/javascript" src="/files/advagg_js/js__B0FBwiP97ZnD38IFraZus4upS4KVkMXI3ou0fJ2ZXGA__pPDESRJz9GHsxqQIwQ_V8xnFYEH5jipG2eicsfrdWCs__YaNGWokqa69Wq8hHbkE322PVJ8I-GmpfBsT8LGsMpcI.js" defer="defer"></script>    <script type="text/javascript" src="/files/advagg_js/js__79M6UrZjAw3oNGnUjsWip12JsvnUZmJGA3h9LI0kuzE__J0sbXAJNry2-C_ZL2xd0RdVuzwTLvwN-UisIv5RNCvU__YaNGWokqa69Wq8hHbkE322PVJ8I-GmpfBsT8LGsMpcI.js" defer="defer" onload="if(jQuery.isFunction(jQuery.holdReady)){jQuery.holdReady(true);}"></script>  <script type="text/javascript" src="/files/advagg_js/js__pqoYaVR8NVhof-vNXe50j2TKhFv__IihVag_h4G6kus__B4mbn4wICLQjWm1m3-z1kw8F1FtP0cDAHKp00Xy_-88__YaNGWokqa69Wq8hHbkE322PVJ8I-GmpfBsT8LGsMpcI.js" defer="defer"></script> <script type="text/javascript" src="/files/advagg_js/js__H5AFmq1RrXKsrazzPq_xPQPy4K0wUKqecPjczzRiTgQ__wor4r9P8YTtQ7p6fbywTetZ47Z_orumIfrrhgxrpLus__YaNGWokqa69Wq8hHbkE322PVJ8I-GmpfBsT8LGsMpcI.js" defer="defer" onload=" function advagg_mod_1() { // Count how many times this function is called. advagg_mod_1.count = ++advagg_mod_1.count || 1; try { if (advagg_mod_1.count <= 40) { init_drupal_core_settings(); // Set this to 100 so that this function only runs once. advagg_mod_1.count = 100; } } catch(e) { if (advagg_mod_1.count >= 40) { // Throw the exception if this still fails after running 40 times. throw e; } else { // Try again in 1 ms. window.setTimeout(advagg_mod_1, 1); } } } function advagg_mod_1_check() { if (window.init_drupal_core_settings && window.jQuery && window.Drupal) { advagg_mod_1(); } else { window.setTimeout(advagg_mod_1_check, 1); } } advagg_mod_1_check();"></script> <script type="text/javascript" src="/files/advagg_js/js__Oc0wwB7MVRfxtYw6EQM7d9sXj9PAQePoWSzQJ0uTk6c__iXqOGoaPhZHCPEspUr5BC8BwOx5P8B11xv7VOhoUii8__YaNGWokqa69Wq8hHbkE322PVJ8I-GmpfBsT8LGsMpcI.js" defer="defer"></script> <script type="text/javascript" src="/files/advagg_js/js__FabcJ6qluktliDejymsuV-FqaN_HyMKGe93c2rO9Ky0__el1ZLGkKneOoCS6OWa01WHuIEsTsXZ46MRLCF390Fbw__YaNGWokqa69Wq8hHbkE322PVJ8I-GmpfBsT8LGsMpcI.js" defer="defer"></script> <script type="text/javascript" src="/files/advagg_js/js__YT6D1B_BKxvm6JCH_t9sZNI5L6yITa_DlU5QcSlOkAU__OXobH7d1IP1o3WABlniIrU_-pcJacVSIPUv9bpD-6pQ__YaNGWokqa69Wq8hHbkE322PVJ8I-GmpfBsT8LGsMpcI.js" defer="defer"></script> <script type="text/javascript" src="/files/advagg_js/js__xNXZEl6CREO_N4cX50nXAG3o3PPW1f2SzBBHY8rEKV8__vTuPvw9kFyhvW1mq6Cl_PG3exxZo1gi4hMxmKe9QZUI__YaNGWokqa69Wq8hHbkE322PVJ8I-GmpfBsT8LGsMpcI.js" defer="defer"></script> <script type="text/javascript" src="/files/advagg_js/js__pLKQd4r7OrHglE7Qkqw53K2UXCqQdhqQ9v0cz7hMCQY__OErfYuQdGbFHcCoLoUW_ESSvaumApNojzjJit8-2xcw__YaNGWokqa69Wq8hHbkE322PVJ8I-GmpfBsT8LGsMpcI.js" defer="defer"></script> <script type="text/javascript" src="/files/advagg_js/js__hHUWFbMAa11eJtx5V0ym9o0YBsB1udk34qUT5wr1ihI__ntICfIdx3SsBpfvYB8AF0VuFk7gZjQgBaS1C9CyMj6o__YaNGWokqa69Wq8hHbkE322PVJ8I-GmpfBsT8LGsMpcI.js" defer="defer"></script> <script type="text/javascript"> <![CDATA[//><!]]> </script> <script type="text/javascript" src="/files/advagg_js/js__2k0CJ3KAQNFTFab3y6ZvNtxs3HLons0Brq7VwvPSkKo__RYlZCliQTuN7U7I5I1Xhn1dAop17g2hAft1wVGgKHGA__YaNGWokqa69Wq8hHbkE322PVJ8I-GmpfBsT8LGsMpcI.js" defer="defer"></script> <script type="text/javascript" src="/files/advagg_js/js__vj0LjvNwl-3K1P9LGT4BGuXCZcAovYsVlVmoJN3TMRg__KW8SiGceRY3sjIKVrffDjf2MK4A5Vp3EDDxVO-4pegI__YaNGWokqa69Wq8hHbkE322PVJ8I-GmpfBsT8LGsMpcI.js" defer="defer"></script> </body> </html>