What Kinds of Security Problems Exist in Drupal?

As part of writing the book I did some analysis looking at all of the security announcements in the history of the Drupal project.

This pie chart shows which are the most common kinds of problems in the project:

[Pie chart: security weaknesses in Drupal, by vulnerability type]

As you can see, XSS is the most common issue, accounting for almost 50%. Access Bypass, CSRF, SQL Injection, and Code Execution are the next most common, together making up about a quarter of the weaknesses.

It's important to note that these are only vulnerabilities for which there has been a Security Announcement. Many more exist only on individual sites, in improper configuration or in a custom module or theme, and can never be included in an analysis like this.

Comments

Impressive graph

I didn't know that XSS was so common! Thank you for this amazing graph.

I'm really surprised that SQL

I'm really surprised that SQL Injection vulnerabilities are so frequent.