Tag1 D7ES Security Advisories

The Username Enumeration Prevention module lacked flood control in password validation, allowing potential username enumeration through rapid password reset requests.

This vulnerability allows attackers to inject arbitrary properties into the JavaScript Object.prototype.

The Protected Pages modules doesn't limit the number of password attempts, making it vulnerable to brute force attacks.

The TFA Basic plugins module does not sufficiently ensure that users with enhanced privileges are prevented from viewing recovery codes of other users.

The etracker module integrates etracker's statistics tracking solution. The Drupal 7 version of the module doesn't sufficiently verify account key form field validation against cross-site scripting attacks.

The EU Cookie Compliance module doesn't sufficiently verify whether "disabled JavaScript" entries are valid or correspond to actual scripts on the page.

The Facebook Pixel module integrates with Facebook analytics. The Drupal 7 version of the module does not sufficiently protect its configuration against cross-site scripting attacks.

The Commerce Paybox module integrates with Verifone e-commerce for accepting online payments. A payment bypass vulnerability could be exploited to mark a payment as done and flag an order as completed, without the user actually entering a credit card number.

Stage File Proxy is a solution for transferring production files to a development server on demand. The module doesn't sufficiently validate the existence of remote files prior to attempting to download and create them.

The Filebrowser module allows users to browse a list of files in specific directories. This module and its directory listing node type should only be used by users with elevated user access.