This page displays all public Tag1 D7ES announcements, including security advisories and compatibility updates. You may filter below by announcement type, project, and subscribe to that customized RSS feed at the bottom of the page.

 

Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-028

Project
Access code
Date
Severity
Moderately Critical
Risk Score
14 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Affected versions
< 7.x-1.2
The Access code module allows site visitors to log in using an access code instead of entering username and password. The module doesn't sufficiently protect against brute force attacks to guess a user's access code.

Link - Moderately critical - Cross Site Scripting - SA-CORE-2025-004

Project
Link
Date
Severity
Moderately Critical
Risk Score
13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Affected versions
< 7.x-1.13
The link module provides a standard custom content field for links. This release is a backport of SA-CORE-2025-004, with the addition of a hook_update to register the new sanitization PHP class in Drupal 7's class registry.

Global Redirect - Moderately critical - Server Side Request Forgery

Project
Global Redirect
Date
Severity
Moderately Critical
Risk Score
10 ∕ 25 AC:None/A:None/CI:None/II:None/E:Theoretical/TD:Uncommon
Affected versions
<=7.x-1.6
Global Redirect is a module that provides support for clean URLs, paths, and aliases. It is susceptible to a Server Side Request Forgery (SSRF) when used in combination with remote_stream_wrapper project.

SpamSpan filter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-016

Project
SpamSpan filter
Date
Severity
Moderately Critical
Risk Score
13 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Affected versions
7.x-1.4
This module enables your site to obfuscate Email addresses and prevent spambots to collect them. The module doesn't sanitize HTML data attributes when an email address link is transformed to separate span HTML elements and then transformed back by JavaScript leading to a Cross Site Scripting (XSS) vulnerability.

General Data Protection Regulation - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-018

Project
General Data Protection Regulation
Date
Severity
Moderately Critical
Risk Score
13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
Affected versions
7.x-1.0-alpha12
The GDPR Task submodule enables you to create GDPR tasks. The module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when creating tasks.

D7ES PSA relating to SA-CORE-2025-002 impacting Views Bulk Operations (VBO)

Date
SA-CORE-2025-002 communicates a security issue introduced in Drupal 8+. This functionality in modern Drupal was heavily inspired by Views Bulk Operations, which exposes core Actions to be performed against nodes (and other entities). While it does not have the concept of permissions around Actions like in Drupal 8+, Views Bulk Operations (VBO) provides an actions_permissions sub-module. As a mitigation technique, this sub-module should be enabled and configured on Views that expose bulk operations.

Webform Multiple File Upload - Critical - Cross Site Scripting

Project
webform_multifile
Date
Severity
Critical
Risk Score
16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Affected versions
<7.x-1.7
The webform_multifile module allows user to upload multiple files on a webform. This vulnerability was originally patched by D7Security Group. This is a public release of the port of that patch, provided to Tag1 D7ES customers.
Subscribe to Tag1 D7ES Announcements