This is a security release of the Drupal 7 series.
This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:
This is a security release of the Drupal 10 series.
This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:
This is a security release of the Drupal 11 series.
This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:
Mailjet - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-062
@bohart, @abramm
PHP notices and warnings fixes.
Mailjet - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-062
@mihaskep, @bohart, @abramm
Coding standards, installation bugs, PHP notices and PHP warnings fixes.
https://www.drupal.org/sa-contrib-2024-061
Along with other protections, this release adds the 'allowed_classes' => FALSE option to unserialize() when importing content using the relevant format.
See: https://www.php.net/manual/en/function.unserialize.php
If for any reason you need that protection to be removed, you can set a variable - for example in settings.php:
POST File - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-059.
POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060.