Security Advisories and Policy
A security advisory is a public announcement managed by the DXPR team which informs site owners about a reported security problem in DXPR products and the steps site owners should take to address it. (Usually this involves updating to a new release of the code that fixes the security problem.) The problem is kept secret until the advisory is ready to be released, at which point it is publicized widely so that site owners can address it quickly.
When we publish a security advisory we will do so between 1pm and 2pm Amsterdam time (GMT+1) on a wednesday. We will release a security update at the same time. You can find all our published security advisories on our Security Advisories page.
Which Products are Covered?
The DXPR team covers DXPR Builder, DXPR Theme, and until April 15th 2021 our legacy products Glazed Builder and Glazed Theme are covered.
What About Vulnerabilities Which Require Advanced Permissions?
No security advisory is required is when an exploit requires one of the following permissions:
- Edit with DXPR Builder
- Administer filters
- Administer users
- Administer permissions
- Translate interface
- Any other permission that is defined with
restrict accessset to TRUE. For more information about
restrict accesssee PermissionHandler.php for Drupal 9 or hook_permission documentation for Drupal 7.
Any user with one of the above permissions can already take over the site or bypass various access restrictions on the site, so there is no meaningful added risk if a vulnerability is only accessible to a user with one of these permissions.
DXPR Builder is designed as a tool for marketing and communication professionals to edit pages and add rich content. Therefore the permission "Edit with DXPR Builder" should only be given to trusted users. DXPR Builder allows users to easily add embed codes to a page. The lack of filtering when using DXPR Builder is by design.