Tag1 D7ES Search API Solr Update
Date
Add Solr 9 support to a Drupal 7 site using Search API Solr.
This page displays all public Tag1 D7ES announcements, including security advisories and compatibility updates. You may filter below by announcement type, project, and subscribe to that customized RSS feed at the bottom of the page.
Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101
Project
Date
Severity
Moderately Critical
Affected versions
<7.x-2.5
The Protected Pages modules doesn't limit the number of password attempts, making it vulnerable to brute force attacks.
TFA Basic plugins - Less critical - Access bypass - SA-CONTRIB-2025-085
Project
Date
Severity
Less Critical
Affected versions
<7.x-1.3
The TFA Basic plugins module does not sufficiently ensure that users with enhanced privileges are prevented from viewing recovery codes of other users.
etracker - Less critical - Cross Site Scripting
Project
Date
Severity
Less Critical
Affected versions
<7.x-2.1
The etracker module integrates etracker's statistics tracking solution. The Drupal 7 version of the module doesn't sufficiently verify account key form field validation against cross-site scripting attacks.
EU Cookie Compliance (GDPR Compliance) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-072
Date
Severity
Moderately Critical
Affected versions
<7.x-1.45
The EU Cookie Compliance module doesn't sufficiently verify whether "disabled JavaScript" entries are valid or correspond to actual scripts on the page.
D7ES PSA relating to Open Atrium Angular
Date
Open Atrium includes AngularJS version 1.3.7, bundled directly within its custom Angular module, not loaded via Drupal’s libraries system. This version of AngularJS is vulnerable. Site owners should review their usage of affected projects and make a remediation plan.
D7ES PSA related to Internationalization Node (i18n_node)
Date
Tag1 D7ES recommends you restrict access to trusted roles with the Administer content translations permission similar to if that permission were tagged with restricted access.
Facebook Pixel - Less critical - Cross Site Scripting
Project
Date
Severity
Less Critical
Affected versions
<7.x-1.2
The Facebook Pixel module integrates with Facebook analytics. The Drupal 7 version of the module does not sufficiently protect its configuration against cross-site scripting attacks.
Filebrowser - Moderately Critical - Risk of data exposure
Project
Date
Severity
Moderately Critical
Affected versions
All Drupal 7 versions are affected
The Filebrowser module allows users to browse a list of files in specific directories. This module and its directory listing node type should only be used by users with elevated user access.
Commerce Paybox - Moderately Critical - Payment bypass vulnerability
Project
Date
Severity
Moderately Critical
Affected versions
<7.x-1.6
The Commerce Paybox module integrates with Verifone e-commerce for accepting online payments. A payment bypass vulnerability could be exploited to mark a payment as done and flag an order as completed, without the user actually entering a credit card number.