This page displays all public Tag1 D7ES announcements, including security advisories and compatibility updates. You may filter below by announcement type, project, and subscribe to that customized RSS feed at the bottom of the page.

 

Boolean Field - Less Critical - Cross Site Scripting

Date
Severity
Less Critical
Affected versions
<7.x-1.2
The Boolean module fails to sanitize admin-configured prefix and suffix strings before rendering them in the field formatter, allowing a user with field administration privileges to inject arbitrary HTML or JavaScript that executes in the browser of any visitor viewing content with that field.

AntiSpam - Moderately Critical - Access Bypass

Date
Severity
Moderately Critical
Affected versions
<7.x-1.9
A logic error in `antispam_access_callback()` causes the spam-moderator permission check to never execute, allowing any authenticated user to perform spam moderation operations (marking content as spam, publishing/unpublishing) regardless of their role.

Friendly Register - Moderately Critical - Cross-Site Request Forgery

Date
Severity
Moderately Critical
Affected versions
<7.x-1.3
The Friendly Register module exposed unauthenticated AJAX endpoints for checking username and email availability without CSRF token validation, allowing any external site or script to enumerate valid usernames and email addresses on the Drupal site.

CAPTCHA - Moderately Critical - Brute Force Protection Bypass

Date
Severity
Moderately Critical
Affected versions
<7.x-1.8
When a CAPTCHA protects a form that has additional validation (such as the user login form), an incorrect CAPTCHA answer does not suppress the form's other validation errors. This lets an attacker read those errors without ever solving a CAPTCHA, defeating the brute-force protection and enabling enumeration of credentials or other field values.

Facebook Wall - Critical - Cross-Site Scripting

Date
Severity
Critical
Affected versions
<7.x-1.12
The Facebook Wall module renders post messages, story text, link names, captions, descriptions, commenter names, and comment messages from the Facebook Graph API without sanitization, allowing any Facebook user who can post or comment on the displayed page to inject arbitrary JavaScript into the Drupal site. URLs from API responses (post links, images, video sources) are also output without sanitization.

Node Reference Create - Moderately Critical - Access Bypass

Date
Severity
Moderately Critical
Affected versions
<7.x-1.1
The Node Reference Create module does not verify whether the current user has permission to create the referenced content type before saving a new node via its autocomplete widget, allowing any authenticated user with access to a referencing form to create nodes without the corresponding permission.

Google AdSense integration - Moderately Critical - Missing Flood Control on Click Tracking Endpoint

Date
Severity
Moderately Critical
Affected versions
<7.x-1.15
The adsense_click module exposed a fully public click tracking endpoint with no rate limiting, allowing any unauthenticated user or bot to flood the "adsense_clicks" database table with arbitrary fake records, potentially exhausting database storage and corrupting click analytics.

Fit Text - Moderately Critical - Cross Site Scripting

Date
Severity
Moderately Critical
Affected versions
<7.x-1.1
The Fit Text module embeds admin-supplied jQuery selectors directly into inline JavaScript without encoding, allowing a user with the "administer fittext" permission to inject arbitrary JavaScript that executes in every site visitor's browser on every page load.