Tag1 D7ES Announcements

The Field Collection module granted users with the "edit field collections" permission unconditional access to field collection items, bypassing parent entity access checks entirely. A separate flaw allowed access when the host entity could not be loaded, as passing NULL to "entity_access()" may return TRUE for some entity types.

SAML SSO - Service Provider doesn't sufficiently block access, leading to a authentication bypass vulnerability.

The LDAP Authentication module logged the LDAP bind password in plaintext to Drupal's watchdog system whenever a non-anonymous bind failed, potentially exposing service account credentials to anyone with access to the site's log reports.

The OpenID Connect module introduced a prompt parameter configuration that, when misconfigured, could potentially weaken authentication security by allowing users to bypass certain authentication requirements through OpenID Connect identity providers.

The OpenID Connect module contained a Server Side Request Forgery (SSRF) vulnerability in its user picture handling functionality, allowing attackers to force the server to make HTTP requests to arbitrary URLs through malicious user picture URLs.

The OpenID Connect module contained an email uniqueness validation vulnerability that allowed duplicate user accounts to be created with email addresses that differ only in case, potentially leading to account confusion and authentication bypass scenarios.

The User Alert module contained an Insecure Direct Object Reference (IDOR) vulnerability in its message dismissal endpoint, allowing authenticated users to mark any node as dismissed without proper access control checks.

The Entityreference Filter module exposed an unprotected callback function that allowed unauthorized users to trigger entity reference filter updates without proper access control.

The Ajax Blocks module contained an access bypass vulnerability in its AJAX handler that could serve content from disabled or regionless blocks, potentially exposing content that should not be accessible to users.

The Login Disable module contained an access bypass vulnerability in its user login hook, allowing users to bypass the access key requirement through non-form login routes like Services or RESTful APIs.