Tag1 D7ES Announcements

The Form Builder module provides an interface for editing and configuring forms. The module doesn't sufficiently sanitize JSON data, allowing persistent Cross Site Scripting (XSS) attacks.

The Access code module allows site visitors to log in using an access code instead of entering username and password. The module doesn't sufficiently protect against brute force attacks to guess a user's access code.

The Mail System module provides an Administrative UI and Developers API for managing a mail backend or plugin. The module is susceptible to a PHP injection vulnerability.

Global Redirect is a module that provides support for clean URLs, paths, and aliases. It is susceptible to a Server Side Request Forgery (SSRF) when used in combination with remote_stream_wrapper project.

The SMTP module allows Drupal to bypass the PHP mail() function and send email directly to an SMTP server. It is susceptible to multiple upstream vulnerabilities from its use of the embedded PHPMailer library.

The link module provides a standard custom content field for links. This release is a backport of SA-CORE-2025-004, with the addition of a hook_update to register the new sanitization PHP class in Drupal 7's class registry.

This module enables your site to obfuscate Email addresses and prevent spambots to collect them. The module doesn't sanitize HTML data attributes when an email address link is transformed to separate span HTML elements and then transformed back by JavaScript leading to a Cross Site Scripting (XSS) vulnerability.

The GDPR Task submodule enables you to create GDPR tasks. The module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when creating tasks.