This page displays all public Tag1 D7ES announcements, including security advisories and compatibility updates. You may filter below by announcement type, project, and subscribe to that customized RSS feed at the bottom of the page.


Field API Pane Editor (FAPE) - Moderately Critical - Access Bypass

Severity: Moderately Critical
Affected versions: <7.x-1.3
The Field API Pane Editor module exposed its field edit route to all users, including anonymous users, by omitting a proper access callback. An attacker could reach the field edit controller without authentication, though secondary entity and field access checks within the controller still limited practical exploitation.

FileField Sources - Moderately Critical - Server-Side Request Forgery

Severity: Moderately Critical
Affected versions: <7.x-1.12
The FileField Sources module's remote URL source allows authenticated users to supply arbitrary URLs that are fetched via cURL. Before the fix, no restrictions prevented those URLs from targeting internal or reserved IP addresses, or from using non-HTTP schemes, enabling attackers to probe or interact with internal network services.

Export Logs - Moderately Critical - CSV Injection

Severity: Moderately Critical
Affected versions: <7.x-1.5
The Export Logs module was vulnerable to CSV injection attacks where log field values containing formula-starting characters were written to CSV files without sanitization, allowing malicious formulas to execute when the exported file was opened in a spreadsheet application.

TableField - Moderately Critical - CSV Injection

Severity: Moderately Critical
Affected versions: <7.x-3.6
The TableField module was vulnerable to CSV injection attacks where table cell values containing formula-starting characters were written to exported CSV files without sanitization, allowing malicious formulas to execute when the file was opened in a spreadsheet application.

HybridAuth - Moderately Critical - Server-Side Request Forgery

Severity: Moderately Critical
Affected versions: <7.x-2.17
The HybridAuth Social Login module contained a Server-Side Request Forgery (SSRF) vulnerability in its user picture handling functionality, allowing attackers to force the server to make HTTP requests to arbitrary URLs by supplying a malicious picture URL through a controlled social identity provider.

Login One Time - Less Critical - Information Disclosure

Severity: Less Critical
Affected versions: <7.x-2.11
The module has been updated to use consistent error messaging for all login failure cases. Instead of using "drupal_access_denied()", the module now displays a generic error message: "You have tried to use a one-time login link that is invalid or has expired. Please use the log in form to supply your username and password." and redirects users to the login page.

Flag - Moderately Critical - Missing Rate Limiting

Severity: Moderately Critical
Affected versions: <7.x-3.11
The Flag module does not implement any rate limiting on flagging actions, allowing authenticated users to perform an unlimited number of flag operations in rapid succession. This can be used to flood the database, degrade site performance, and manipulate flag count statistics.