Tag1 D7ES Announcements

Form Builder - Less critical - Cross Site Scripting

Project

Form Builder

Date

May 14, 2025

Severity

Less Critical

Risk Score

6 ∕ 25 AC:Complex/A:Admin/CI:None/II:None/E:Theoretical/TD:All

Affected versions

≤ 7.x-1.22, ≤ 7.x-2.0-alpha8

The Form Builder module provides an interface for editing and configuring forms. The module doesn't sufficiently sanitize JSON data, allowing persistent Cross Site Scripting (XSS) attacks.

Read more about Form Builder - Less critical - Cross Site Scripting

Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-028

Project

Access code

Date

May 14, 2025

Severity

Moderately Critical

Risk Score

14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default

Affected versions

< 7.x-1.2

The Access code module allows site visitors to log in using an access code instead of entering username and password. The module doesn't sufficiently protect against brute force attacks to guess a user's access code.

Read more about Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-028

D7ES PSA relating to 7.x elFinder file manager

Date

May 14, 2025

Tag1 D7ES is marking the 7.x branch of the elfinder Drupal project as unsupported. There is at least one known security issue with its upstream dependencies that have not been addressed. If you use this project, it is recommended that you uninstall it.

Read more about D7ES PSA relating to 7.x elFinder file manager

Link - Moderately critical - Cross Site Scripting - SA-CORE-2025-004

Project

Link

Date

May 07, 2025

Severity

Moderately Critical

Risk Score

13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Affected versions

< 7.x-1.13

The link module provides a standard custom content field for links. This release is a backport of SA-CORE-2025-004, with the addition of a hook_update to register the new sanitization PHP class in Drupal 7's class registry.

Read more about Link - Moderately critical - Cross Site Scripting - SA-CORE-2025-004

SMTP - Critical - Multiple Vulnerabilities

Project

SMTP Authentication Support

Date

May 07, 2025

Severity

Critical

Risk Score

15 ∕ 25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon

Affected versions

< 7.x-1.11

The SMTP module allows Drupal to bypass the PHP mail() function and send email directly to an SMTP server. It is susceptible to multiple upstream vulnerabilities from its use of the embedded PHPMailer library.

Read more about SMTP - Critical - Multiple Vulnerabilities

Global Redirect - Moderately critical - Server Side Request Forgery

Project

Global Redirect

Date

May 07, 2025

Severity

Moderately Critical

Risk Score

10 ∕ 25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:Uncommon

Affected versions

<=7.x-1.6

Global Redirect is a module that provides support for clean URLs, paths, and aliases. It is susceptible to a Server Side Request Forgery (SSRF) when used in combination with remote_stream_wrapper project.

Read more about Global Redirect - Moderately critical - Server Side Request Forgery

Mailsystem - Critical - PHP Injection

Project

Mail System

Date

May 07, 2025

Severity

Critical

Risk Score

15 ∕ 25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon

Affected versions

<=7.x-2.35

The Mail System module provides an Administrative UI and Developers API for managing a mail backend or plugin. The module is susceptible to a PHP injection vulnerability.

Read more about Mailsystem - Critical - PHP Injection

D7ES PSA relating to SA-CORE-2025-002 impacting Views Bulk Operations (VBO)

Date

April 09, 2025

SA-CORE-2025-002 communicates a security issue introduced in Drupal 8+. This functionality in modern Drupal was heavily inspired by Views Bulk Operations, which exposes core Actions to be performed against nodes (and other entities). While it does not have the concept of permissions around Actions like in Drupal 8+, Views Bulk Operations (VBO) provides an actions_permissions sub-module. As a mitigation technique, this sub-module should be enabled and configured on Views that expose bulk operations.

Read more about D7ES PSA relating to SA-CORE-2025-002 impacting Views Bulk Operations (VBO)

D7ES PSA relating to SA-CONTRIB-2023-033 impacting Piwik

Date

April 09, 2025

SA-CONTRIB-2023-033 communicates a security issue in the Matomo Analytics module. Users of Piwik 7.x-2.11 and earlier should either update to 7.x-2.12 or take care to ensure that this permission is granted only to trusted users.

Read more about D7ES PSA relating to SA-CONTRIB-2023-033 impacting Piwik

General Data Protection Regulation - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-018

Project

General Data Protection Regulation

Date

April 09, 2025

Severity

Moderately Critical

Risk Score

13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All

Affected versions

7.x-1.0-alpha12

The GDPR Task submodule enables you to create GDPR tasks. The module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when creating tasks.

Read more about General Data Protection Regulation - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-018