Tag1 D7ES Announcements

The Facebook Pixel module integrates with Facebook analytics. The Drupal 7 version of the module does not sufficiently protect its configuration against cross-site scripting attacks.

The Commerce Paybox module integrates with Verifone e-commerce for accepting online payments. A payment bypass vulnerability could be exploited to mark a payment as done and flag an order as completed, without the user actually entering a credit card number.

Stage File Proxy is a solution for transferring production files to a development server on demand. The module doesn't sufficiently validate the existence of remote files prior to attempting to download and create them.

The Filebrowser module allows users to browse a list of files in specific directories. This module and its directory listing node type should only be used by users with elevated user access.

The Colorbox module allows images, iframed, or inline content to be displayed in a modal above the current page. It doesn't sufficiently sanitize data attributes before opening modals.

Mailjet is susceptible to multiple upstream vulnerabilities from its use of the embedded PHPMailer & Guzzle library.

The module doesn't verify flag links before performing the flag action, or verify that the response returned was provided by the flag module. This can allow specially crafted HTML to result in Cross Site Scripting.