This page displays all public Tag1 D7ES announcements, including security advisories and compatibility updates. You may filter below by announcement type and project, and subscribe to the resulting customized RSS feed at the bottom of the page.


Image Editor - Moderately Critical - Server-Side Request Forgery

Date
Severity: Moderately Critical
Affected versions: <7.x-1.13
The Image Editor module fetches image URLs supplied by the user in GET/POST parameters without validating the destination host, allowing an authenticated user to cause the server to make requests to internal network resources, including cloud metadata endpoints and loopback services.

Basic HTTP Authentication - Moderately Critical - Insufficiently Protected Credentials

Date
Severity: Moderately Critical
Affected versions: <7.x-1.5
The Basic HTTP Authentication module stored HTTP Basic Authentication passwords as plaintext in the database and rendered them in the HTML source of the admin configuration form, exposing credentials to any user with administrator access.

Field API Pane Editor (FAPE) - Moderately Critical - Access Bypass

Date
Severity: Moderately Critical
Affected versions: <7.x-1.3
The Field API Pane Editor module exposed its field edit route to all users, including anonymous users, by omitting a proper access callback. An attacker could reach the field edit controller without authentication, though secondary entity and field access checks within the controller still limited practical exploitation.

FileField Sources - Moderately Critical - Server-Side Request Forgery

Date
Severity: Moderately Critical
Affected versions: <7.x-1.12
The FileField Sources module's remote URL source allows authenticated users to supply arbitrary URLs that are fetched via cURL. Before the fix, no restrictions prevented those URLs from targeting internal or reserved IP addresses, or from using non-HTTP schemes, enabling attackers to probe or interact with internal network services.

TableField - Moderately Critical - CSV Injection

Date
Severity: Moderately Critical
Affected versions: <7.x-3.6
The TableField module was vulnerable to CSV injection attacks where table cell values containing formula-starting characters were written to exported CSV files without sanitization, allowing malicious formulas to execute when the file was opened in a spreadsheet application.

HybridAuth - Moderately Critical - Server-Side Request Forgery

Date
Severity: Moderately Critical
Affected versions: <7.x-2.17
The HybridAuth Social Login module contained a Server-Side Request Forgery (SSRF) vulnerability in its user picture handling functionality, allowing attackers to force the server to make HTTP requests to arbitrary URLs by supplying a malicious picture URL through a controlled social identity provider.

Login One Time - Less Critical - Information Disclosure

Date
Severity: Less Critical
Affected versions: <7.x-2.11
The module has been updated to use consistent error messaging for all login failure cases. Instead of using "drupal_access_denied()", the module now displays a generic error message: "You have tried to use a one-time login link that is invalid or has expired. Please use the log in form to supply your username and password." and redirects users to the login page.