This page displays all public Tag1 D7ES announcements, including security advisories and compatibility updates. You may filter below by announcement type, project, and subscribe to that customized RSS feed at the bottom of the page.

 

OpenID Connect - Moderately Critical - Access Bypass

Date
Severity
Moderately Critical
Affected versions
<7.x-1.4
The OpenID Connect module introduced a prompt parameter configuration that, when misconfigured, could potentially weaken authentication security by allowing users to bypass certain authentication requirements through OpenID Connect identity providers.

OpenID Connect - Moderately Critical - Server Side Request Forgery

Date
Severity
Moderately Critical
Affected versions
<7.x-1.4
The OpenID Connect module contained a Server Side Request Forgery (SSRF) vulnerability in its user picture handling functionality, allowing attackers to force the server to make HTTP requests to arbitrary URLs through malicious user picture URLs.

Taxonomy Term Reference Tree Widget - Moderately Critical - Cross Site Scripting

Date
Severity
Moderately Critical
Affected versions
<7.x-1.12
The Term Reference Tree Widget module contained a Cross-Site Scripting (XSS) vulnerability in its tree list output function, allowing malicious users to inject JavaScript code through unsanitized token replacement and improper URI handling.