Drupal core - Critical - JavaScript prototype pollution - BACKDROP-SA-CONTRIB-2025-015
Project
Date
Severity
Critical
Affected versions
<7.104
This vulnerability allows attackers to inject arbitrary properties into the JavaScript Object.prototype.
This page displays all public Tag1 D7ES announcements, including security advisories and compatibility updates. You may filter below by announcement type, project, and subscribe to that customized RSS feed at the bottom of the page.
Tag1 D7ES Search API Solr Update
Date
Add Solr 9 support to a Drupal 7 site using Search API Solr.
Tag1 D7ES Apache Solr Update
Date
Add Solr 9 support to a Drupal 7 site using Apache Solr.
Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101
Project
Date
Severity
Moderately Critical
Affected versions
<7.x-2.5
The Protected Pages modules doesn't limit the number of password attempts, making it vulnerable to brute force attacks.
TFA Basic plugins - Less critical - Access bypass - SA-CONTRIB-2025-085
Project
Date
Severity
Less Critical
Affected versions
<7.x-1.3
The TFA Basic plugins module does not sufficiently ensure that users with enhanced privileges are prevented from viewing recovery codes of other users.
etracker - Less critical - Cross Site Scripting
Project
Date
Severity
Less Critical
Affected versions
<7.x-2.1
The etracker module integrates etracker's statistics tracking solution. The Drupal 7 version of the module doesn't sufficiently verify account key form field validation against cross-site scripting attacks.
EU Cookie Compliance (GDPR Compliance) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-072
Date
Severity
Moderately Critical
Affected versions
<7.x-1.45
The EU Cookie Compliance module doesn't sufficiently verify whether "disabled JavaScript" entries are valid or correspond to actual scripts on the page.
D7ES PSA relating to Open Atrium Angular
Date
Open Atrium includes AngularJS version 1.3.7, bundled directly within its custom Angular module, not loaded via Drupal’s libraries system. This version of AngularJS is vulnerable. Site owners should review their usage of affected projects and make a remediation plan.
D7ES PSA related to Internationalization Node (i18n_node)
Date
Tag1 D7ES recommends you restrict access to trusted roles with the Administer content translations permission similar to if that permission were tagged with restricted access.