- Advisory ID: DRUPAL-SA-CONTRIB-2017-38
- Project: References (third-party module)
- Date: 12-Apr-2017
Description
Please note, the security team will not release information on this vulnerability for up to a month, the recommendation is to migrate. Emails asking for details on the vulnerability will not be responded to. If you would like to maintain the module, please follow the directions below.
This project provides D7 versions of the ‘node_reference’ and ‘user_reference’ field types, that were part of the CCK package in D6, at functional parity with the D6 counterparts.
The security team is marking this module unsupported. There is a known security issue with the module that has not been fixed by the maintainer. If you would like to maintain this module, please read: https://www.drupal.org/node/251466
Versions affected
- All versions
Drupal core is not affected. If you do not use the contributed References module, there is nothing you need to do.
Solution
If you use the References module for Drupal you should uninstall it.
Also see the References project page.
Notably, if you started with References and need to maintain equivalent functionality, we recommend reviewing the feature set of Entity Reference. If Entity Reference can work for you, there is a Reference to EntityReference Field Migration module that can assist in the transition.
Reported by
- Cash Williams of the Drupal Security Team
Fixed by
Not applicable
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity