Tag1 D7ES Announcements

Colorbox - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-041

Project

Colorbox

Date

May 27, 2025

Severity

Moderately Critical

Risk Score

14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All

Affected versions

<7.x-2.20

The Colorbox module allows images, iframed, or inline content to be displayed in a modal above the current page. It doesn't sufficiently sanitize data attributes before opening modals.

Read more about Colorbox - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-041

Mailjet - Less critical - Multiple upstream vulnerabilities

Project

Mailjet

Date

May 21, 2025

Severity

Less Critical

Risk Score

7 ∕ 25 AC:Complex/A:User/CI:None/II:None/E:Theoretical/TD:All

Affected versions

<7.x02.24

Mailjet is susceptible to multiple upstream vulnerabilities from its use of the embedded PHPMailer & Guzzle library.

Read more about Mailjet - Less critical - Multiple upstream vulnerabilities

Flag - Moderately Critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2025-011

Project

Flag

Date

May 21, 2025

Severity

Moderately Critical

Risk Score

14 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All

Affected versions

<7.x-3.10

The module doesn't verify flag links before performing the flag action, or verify that the response returned was provided by the flag module. This can allow specially crafted HTML to result in Cross Site Scripting.

Read more about Flag - Moderately Critical - Cross Site Scripting - BACKDROP-SA-CONTRIB-2025-011

D7ES PSA relating to 7.x elFinder file manager

Date

May 14, 2025

Tag1 D7ES is marking the 7.x branch of the elfinder Drupal project as unsupported. There is at least one known security issue with its upstream dependencies that have not been addressed. If you use this project, it is recommended that you uninstall it.

Read more about D7ES PSA relating to 7.x elFinder file manager

Form Builder - Less critical - Cross Site Scripting

Project

Form Builder

Date

May 14, 2025

Severity

Less Critical

Risk Score

6 ∕ 25 AC:Complex/A:Admin/CI:None/II:None/E:Theoretical/TD:All

Affected versions

≤ 7.x-1.22, ≤ 7.x-2.0-alpha8

The Form Builder module provides an interface for editing and configuring forms. The module doesn't sufficiently sanitize JSON data, allowing persistent Cross Site Scripting (XSS) attacks.

Read more about Form Builder - Less critical - Cross Site Scripting

Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-028

Project

Access code

Date

May 14, 2025

Severity

Moderately Critical

Risk Score

14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default

Affected versions

< 7.x-1.2

The Access code module allows site visitors to log in using an access code instead of entering username and password. The module doesn't sufficiently protect against brute force attacks to guess a user's access code.

Read more about Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-028

Global Redirect - Moderately critical - Server Side Request Forgery

Project

Global Redirect

Date

May 07, 2025

Severity

Moderately Critical

Risk Score

10 ∕ 25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:Uncommon

Affected versions

<=7.x-1.6

Global Redirect is a module that provides support for clean URLs, paths, and aliases. It is susceptible to a Server Side Request Forgery (SSRF) when used in combination with remote_stream_wrapper project.

Read more about Global Redirect - Moderately critical - Server Side Request Forgery

Link - Moderately critical - Cross Site Scripting - SA-CORE-2025-004

Project

Link

Date

May 07, 2025

Severity

Moderately Critical

Risk Score

13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Affected versions

< 7.x-1.13

The link module provides a standard custom content field for links. This release is a backport of SA-CORE-2025-004, with the addition of a hook_update to register the new sanitization PHP class in Drupal 7's class registry.

Read more about Link - Moderately critical - Cross Site Scripting - SA-CORE-2025-004

SMTP - Critical - Multiple Vulnerabilities

Project

SMTP Authentication Support

Date

May 07, 2025

Severity

Critical

Risk Score

15 ∕ 25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon

Affected versions

< 7.x-1.11

The SMTP module allows Drupal to bypass the PHP mail() function and send email directly to an SMTP server. It is susceptible to multiple upstream vulnerabilities from its use of the embedded PHPMailer library.

Read more about SMTP - Critical - Multiple Vulnerabilities

Mailsystem - Critical - PHP Injection

Project

Mail System

Date

May 07, 2025

Severity

Critical

Risk Score

15 ∕ 25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon

Affected versions

<=7.x-2.35

The Mail System module provides an Administrative UI and Developers API for managing a mail backend or plugin. The module is susceptible to a PHP injection vulnerability.

Read more about Mailsystem - Critical - PHP Injection