Learn how the Event Platform module simplified building the DrupalCamp Berlin 2024 website, its key features, benefits, and potential for improvements.
Peter Pónya
Thu, 11/21/2024 - 12:30
AI Chatbot demo with Drupal and RAG
At DrupalCon Barcelona, we were amazed to see all the powerful and functional Drupal AI integrations in action. I have been following the development closely, and after the recent release announcement of the AI (Artificial Intelligence) module, we decided to recreate one of its use cases: a RAG chatbot enabling semantic search.
Headless CMS allows flexible data exposure for different applications. In systems like Drupal, this concept becomes especially important for teams that want to build modern applications with a separate frontend layer. In this blog post, you'll see the process of exposing Drupal data using the REST API and JSON API. You'll also discover how to customize views, generate content, and manage settings to ensure seamless collaboration with frontend frameworks.
Well, it's official. My Drupal Lenient Composer Plugin has allowed the lenient Composer repository endpoint on Drupal.org to be sunset and removed. I created the mglaman/composer-drupal-lenient repository two years ago at DrupalCon Portland. It is pretty wild how much it has been adopted in just two years. Not only has it allowed the Drupal Association to dismantle some infrastructure, but it is also baked into the Drupal.org GitLab CI. The package is pushing over 3,000,000 downloads from Packagist!
Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation.
As a result, a user may be able to register with the same email address as another user.
This may lead to data integrity issues.
Solution:Install the latest version:
All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Updating Drupal will not solve potential issues with existing accounts affected by this bug. See Fixing emails that vary only by case for additional guidance.
Reported By: Fixed By:Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.
To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases.
Solution:Install the latest version:
All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By:Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.
To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a TypeError.
Install the latest version:
All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By:Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable.
This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.
To help protect against this vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a TypeError.
Install the latest version:
All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By:Drupal 7 core's Overlay module doesn't safely handle user input, leading to reflected cross-site scripting under certain circumstances.
Only sites with the Overlay module enabled are affected by this vulnerability.
Solution:Install the latest version:
Drupal 10 and Drupal 11 are not affected, as the Overlay module was removed from Drupal core in Drupal 8.
Reported By: Fixed By:Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized.
Solution:Install the latest version:
All versions of Drupal 10 prior to 10.2 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)
Reported By: Fixed By: