Tag1 D7ES Announcements

D7ES PSA relating to Open Atrium Angular

Date

June 25, 2025

Open Atrium includes AngularJS version 1.3.7, bundled directly within its custom Angular module, not loaded via Drupal’s libraries system. This version of AngularJS is vulnerable. Site owners should review their usage of affected projects and make a remediation plan.

Read more about D7ES PSA relating to Open Atrium Angular

D7ES PSA related to Internationalization Node (i18n_node)

Date

June 11, 2025

Tag1 D7ES recommends you restrict access to trusted roles with the Administer content translations permission similar to if that permission were tagged with restricted access.

Read more about D7ES PSA related to Internationalization Node (i18n_node)

Facebook Pixel - Less critical - Cross Site Scripting

Project

Facebook PIxel

Date

June 04, 2025

Severity

Less Critical

Risk Score

9 ∕ 25 AC:None/A:Admin/CI:None/II:None/E:Theoretical/TD:All

Affected versions

<7.x-1.2

The Facebook Pixel module integrates with Facebook analytics. The Drupal 7 version of the module does not sufficiently protect its configuration against cross-site scripting attacks.

Read more about Facebook Pixel - Less critical - Cross Site Scripting

Filebrowser - Moderately Critical - Risk of data exposure

Project

Filebrowser

Date

May 28, 2025

Severity

Moderately Critical

Risk Score

10 ∕ 25 AC:Basic/A:Admin/CI:Some/II:None/E:Theoretical/TD:All

Affected versions

All Drupal 7 versions are affected

The Filebrowser module allows users to browse a list of files in specific directories. This module and its directory listing node type should only be used by users with elevated user access.

Read more about Filebrowser - Moderately Critical - Risk of data exposure

Commerce Paybox - Moderately Critical - Payment bypass vulnerability

Project

Commerce Paybox

Date

May 28, 2025

Severity

Moderately Critical

Risk Score

13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All

Affected versions

<7.x-1.6

The Commerce Paybox module integrates with Verifone e-commerce for accepting online payments. A payment bypass vulnerability could be exploited to mark a payment as done and flag an order as completed, without the user actually entering a credit card number.

Read more about Commerce Paybox - Moderately Critical - Payment bypass vulnerability

Stage File Proxy - Moderately critical - Denial of Service - SA-CONTRIB-2025-035

Project

Stage File Proxy

Date

May 28, 2025

Severity

Moderately Critical

Risk Score

11 ∕ 25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:Default

Affected versions

<7.x-1.11

Stage File Proxy is a solution for transferring production files to a development server on demand. The module doesn't sufficiently validate the existence of remote files prior to attempting to download and create them.

Read more about Stage File Proxy - Moderately critical - Denial of Service - SA-CONTRIB-2025-035

D7ES PSA relating to 7.x PHPExcel

Date

May 28, 2025

Tag1 D7ES is marking the 7.x branch of the PHPExcel Drupal project as unsupported. Multiple vulnerabilities in this library are known. If you use this project, it is recommended that you uninstall it.

Read more about D7ES PSA relating to 7.x PHPExcel

Colorbox - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-041

Project

Colorbox

Date

May 27, 2025

Severity

Moderately Critical

Risk Score

14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All

Affected versions

<7.x-2.20

The Colorbox module allows images, iframed, or inline content to be displayed in a modal above the current page. It doesn't sufficiently sanitize data attributes before opening modals.

Read more about Colorbox - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-041

Mailjet - Less critical - Multiple upstream vulnerabilities

Project

Mailjet

Date

May 21, 2025

Severity

Less Critical

Risk Score

7 ∕ 25 AC:Complex/A:User/CI:None/II:None/E:Theoretical/TD:All

Affected versions

<7.x02.24

Mailjet is susceptible to multiple upstream vulnerabilities from its use of the embedded PHPMailer & Guzzle library.

Read more about Mailjet - Less critical - Multiple upstream vulnerabilities

Flag - Moderately Critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2025-011

Project

Flag

Date

May 21, 2025

Severity

Moderately Critical

Risk Score

14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All

Affected versions

<7.x-3.10

The module doesn't verify flag links before performing the flag action, or verify that the response returned was provided by the flag module. This can allow specially crafted HTML to result in Cross Site Scripting.

Read more about Flag - Moderately Critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2025-011