This page displays all public Tag1 D7ES announcements, including security advisories and compatibility updates. You may filter below by announcement type, project, and subscribe to that customized RSS feed at the bottom of the page.

 

Flag - Moderately Critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2025-011

Date
Severity
Moderately Critical
Affected versions
<7.x-3.10
The module doesn't verify flag links before performing the flag action, or verify that the response returned was provided by the flag module. This can allow specially crafted HTML to result in Cross Site Scripting.

Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-028

Date
Severity
Moderately Critical
Affected versions
< 7.x-1.2
The Access code module allows site visitors to log in using an access code instead of entering username and password. The module doesn't sufficiently protect against brute force attacks to guess a user's access code.

Link - Moderately critical - Cross Site Scripting - SA-CORE-2025-004

Date
Severity
Moderately Critical
Affected versions
< 7.x-1.13
The link module provides a standard custom content field for links. This release is a backport of SA-CORE-2025-004, with the addition of a hook_update to register the new sanitization PHP class in Drupal 7's class registry.

Global Redirect - Moderately critical - Server Side Request Forgery

Date
Severity
Moderately Critical
Affected versions
<=7.x-1.6
Global Redirect is a module that provides support for clean URLs, paths, and aliases. It is susceptible to a Server Side Request Forgery (SSRF) when used in combination with remote_stream_wrapper project.

General Data Protection Regulation - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-018

Date
Severity
Moderately Critical
Affected versions
7.x-1.0-alpha12
The GDPR Task submodule enables you to create GDPR tasks. The module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when creating tasks.