This page displays all public Tag1 D7ES announcements, including security advisories and compatibility updates. You may filter below by announcement type, project, and subscribe to that customized RSS feed at the bottom of the page.

 

Node Reference Create - Moderately Critical - Access Bypass

Date
Severity
Moderately Critical
Affected versions
<7.x-1.1
The Node Reference Create module does not verify whether the current user has permission to create the referenced content type before saving a new node via its autocomplete widget, allowing any authenticated user with access to a referencing form to create nodes without the corresponding permission.

CAPTCHA - Moderately Critical - Brute Force Protection Bypass

Date
Severity
Moderately Critical
Affected versions
<7.x-1.8
When a CAPTCHA protects a form that has additional validation (such as the user login form), an incorrect CAPTCHA answer does not suppress the form's other validation errors. This lets an attacker read those errors without ever solving a CAPTCHA, defeating the brute-force protection and enabling enumeration of credentials or other field values.

Add To Calendar Button (AddEvent.com) - Critical - Cross Site Scripting

Date
Severity
Critical
Affected versions
<7.x-1.2
The Add To Calendar module outputs calendar event data (title, description, location, organizer, dates, timezone, and privacy) into HTML "" tags without sanitization, allowing users with content editing permissions to inject arbitrary JavaScript via those fields.

Image Editor - Moderately Critical - Server-Side Request Forgery

Date
Severity
Moderately Critical
Affected versions
<7.x-1.13
The Image Editor module fetches image URLs supplied by the user in GET/POST parameters without validating the destination host, allowing an authenticated user to cause the server to make requests to internal network resources, including cloud metadata endpoints and loopback services.

Basic HTTP Authentication - Moderately Critical - Insufficiently Protected Credentials

Date
Severity
Moderately Critical
Affected versions
<7.x-1.5
The Basic HTTP Authentication module stored HTTP Basic HTTP Authentication passwords as plaintext in the database and rendered them in the HTML source of the admin configuration form, exposing credentials to any user with administrator access.

Field API Pane Editor (FAPE) - Moderately Critical - Access Bypass

Date
Severity
Moderately Critical
Affected versions
<7.x-1.3
The Field API Pane Editor module exposed its field edit route to all users, including anonymous users, by omitting a proper access callback. An attacker could reach the field edit controller without authentication, though secondary entity and field access checks within the controller still limited practical exploitation.