This page displays all public Tag1 D7ES announcements, including security advisories and compatibility updates. You may filter below by announcement type, project, and subscribe to that customized RSS feed at the bottom of the page.

 

Field Collection - Moderately Critical - Access Bypass

Date
Severity
Moderately Critical
Affected versions
<7.x-1.3
The Field Collection module granted users with the "edit field collections" permission unconditional access to field collection items, bypassing parent entity access checks entirely. A separate flaw allowed access when the host entity could not be loaded, as passing NULL to "entity_access()" may return TRUE for some entity types.

TableField - Moderately Critical - CSV Injection

Date
Severity
Moderately Critical
Affected versions
<7.x-3.6
The TableField module was vulnerable to CSV injection attacks where table cell values containing formula-starting characters were written to exported CSV files without sanitization, allowing malicious formulas to execute when the file was opened in a spreadsheet application.

FileField Sources - Moderately Critical - Server-Side Request Forgery

Date
Severity
Moderately Critical
Affected versions
<7.x-1.12
The FileField Sources module's remote URL source allows authenticated users to supply arbitrary URLs that are fetched via cURL. Before the fix, no restrictions prevented those URLs from targeting internal or reserved IP addresses, or from using non-HTTP schemes, enabling attackers to probe or interact with internal network services.

Flag - Moderately Critical - Missing Rate Limiting

Date
Severity
Moderately Critical
Affected versions
<7.x-3.11
The Flag module does not implement any rate limiting on flagging actions, allowing authenticated users to perform an unlimited number of flag operations in rapid succession. This can be used to flood the database, degrade site performance, and manipulate flag count statistics.

Login One Time - Less Critical - Information Disclosure

Date
Severity
Less Critical
Affected versions
<7.x-2.11
The module has been updated to use consistent error messaging for all login failure cases. Instead of using "drupal_access_denied()", the module now displays a generic error message: "You have tried to use a one-time login link that is invalid or has expired. Please use the log in form to supply your username and password." and redirects users to the login page.

LDAP Authentication - Moderately Critical - Information Disclosure

Date
Severity
Less Critical
Affected versions
<7.x-2.7
The LDAP Authentication module logged the LDAP bind password in plaintext to Drupal's watchdog system whenever a non-anonymous bind failed, potentially exposing service account credentials to anyone with access to the site's log reports.

OpenID Connect - Moderately Critical - Server Side Request Forgery

Date
Severity
Moderately Critical
Affected versions
<7.x-1.4
The OpenID Connect module contained a Server Side Request Forgery (SSRF) vulnerability in its user picture handling functionality, allowing attackers to force the server to make HTTP requests to arbitrary URLs through malicious user picture URLs.