Tag1 D7ES Announcements

This page displays all public Tag1 D7ES announcements, including security advisories and compatibility updates. You may filter below by announcement type, project, and subscribe to that customized RSS feed at the bottom of the page.

Drupal core - Critical - JavaScript prototype pollution - BACKDROP-SA-CONTRIB-2025-015

Project

Drupal core

Date

November 12, 2025

Severity

Critical

Risk Score

Critical 16 ∕ 25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Default

Affected versions

<7.104

This vulnerability allows attackers to inject arbitrary properties into the JavaScript Object.prototype.

Read more about Drupal core - Critical - JavaScript prototype pollution - BACKDROP-SA-CONTRIB-2025-015

Tag1 D7ES Drupal Core Update

Date

November 12, 2025

Add PHP 8.4 support to a Drupal 7 site.

Read more about Tag1 D7ES Drupal Core Update

Tag1 D7ES Search API Solr Update

Date

November 05, 2025

Add Solr 9 support to a Drupal 7 site using Search API Solr.

Read more about Tag1 D7ES Search API Solr Update

Tag1 D7ES Apache Solr Update

Date

November 05, 2025

Add Solr 9 support to a Drupal 7 site using Apache Solr.

Read more about Tag1 D7ES Apache Solr Update

Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101

Project

Protected Pages

Date

October 08, 2025

Severity

Moderately Critical

Risk Score

13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All

Affected versions

<7.x-2.5

The Protected Pages modules doesn't limit the number of password attempts, making it vulnerable to brute force attacks.

Read more about Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101

TFA Basic plugins - Less critical - Access bypass - SA-CONTRIB-2025-085

Project

TFA Basic plugins

Date

August 20, 2025

Severity

Less Critical

Risk Score

9 ∕ 25 AC:Basic/A:Admin/CI:Some/II:None/E:Theoretical/TD:Default

Affected versions

<7.x-1.3

The TFA Basic plugins module does not sufficiently ensure that users with enhanced privileges are prevented from viewing recovery codes of other users.

Read more about TFA Basic plugins - Less critical - Access bypass - SA-CONTRIB-2025-085

etracker - Less critical - Cross Site Scripting

Project

etracker

Date

July 30, 2025

Severity

Less Critical

Risk Score

7 ∕ 25 AC:Basic/A:Admin/CI:None/II:None/E:Theoretical/TD:All

Affected versions

<7.x-2.1

The etracker module integrates etracker's statistics tracking solution. The Drupal 7 version of the module doesn't sufficiently verify account key form field validation against cross-site scripting attacks.

Read more about etracker - Less critical - Cross Site Scripting

EU Cookie Compliance (GDPR Compliance) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-072

Project

EU Cookie Compliance (GDPR Compliance)

Date

July 02, 2025

Severity

Moderately Critical

Risk Score

13 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All

Affected versions

<7.x-1.45

The EU Cookie Compliance module doesn't sufficiently verify whether "disabled JavaScript" entries are valid or correspond to actual scripts on the page.

Read more about EU Cookie Compliance (GDPR Compliance) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-072

D7ES PSA relating to Open Atrium Angular

Date

June 25, 2025

Open Atrium includes AngularJS version 1.3.7, bundled directly within its custom Angular module, not loaded via Drupal’s libraries system. This version of AngularJS is vulnerable. Site owners should review their usage of affected projects and make a remediation plan.

Read more about D7ES PSA relating to Open Atrium Angular

D7ES PSA related to Internationalization Node (i18n_node)

Date

June 11, 2025

Tag1 D7ES recommends you restrict access to trusted roles with the Administer content translations permission similar to if that permission were tagged with restricted access.

Read more about D7ES PSA related to Internationalization Node (i18n_node)

Subscribe to Tag1 D7ES Announcements