Tag1 D7ES Security Advisories

Best Reply - Moderately Critical - Access Bypass

Project

Best Reply

Date

March 04, 2026

Severity

Moderately Critical

Risk Score

13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

Affected versions

<7.x-1.6

The Best Reply module contained an access bypass vulnerability in its comment retrieval callback, allowing users to access comments on restricted content through insufficient access control validation.

Read more about Best Reply - Moderately Critical - Access Bypass

Simple hierarchical select - Moderately Critical - Cross Site Scripting

Project

Simple hierarchical select

Date

March 04, 2026

Severity

Moderately Critical

Risk Score

13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

Affected versions

<7.x-1.12

The Simple hierarchical select module contained a Cross-Site Scripting (XSS) vulnerability in its field formatter and term retrieval functions, allowing malicious users to inject JavaScript code through unsanitized term names.

Read more about Simple hierarchical select - Moderately Critical - Cross Site Scripting

Username Enumeration Prevention - Moderate - Access Bypass

Project

Username Enumeration Prevention

Date

January 21, 2026

Severity

Moderately Critical

Risk Score

13/25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All

Affected versions

<7.x-1.4

The Username Enumeration Prevention module lacked flood control in password validation, allowing potential username enumeration through rapid password reset requests.

Read more about Username Enumeration Prevention - Moderate - Access Bypass

Drupal core - Critical - JavaScript prototype pollution - BACKDROP-SA-CONTRIB-2025-015

Project

Drupal core

Date

November 12, 2025

Severity

Critical

Risk Score

Critical 16 ∕ 25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Default

Affected versions

<7.104

This vulnerability allows attackers to inject arbitrary properties into the JavaScript Object.prototype.

Read more about Drupal core - Critical - JavaScript prototype pollution - BACKDROP-SA-CONTRIB-2025-015

Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101

Project

Protected Pages

Date

October 08, 2025

Severity

Moderately Critical

Risk Score

13 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All

Affected versions

<7.x-2.5

The Protected Pages modules doesn't limit the number of password attempts, making it vulnerable to brute force attacks.

Read more about Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101

TFA Basic plugins - Less critical - Access bypass - SA-CONTRIB-2025-085

Project

TFA Basic plugins

Date

August 20, 2025

Severity

Less Critical

Risk Score

9 ∕ 25 AC:Basic/A:Admin/CI:Some/II:None/E:Theoretical/TD:Default

Affected versions

<7.x-1.3

The TFA Basic plugins module does not sufficiently ensure that users with enhanced privileges are prevented from viewing recovery codes of other users.

Read more about TFA Basic plugins - Less critical - Access bypass - SA-CONTRIB-2025-085

etracker - Less critical - Cross Site Scripting

Project

etracker

Date

July 30, 2025

Severity

Less Critical

Risk Score

7 ∕ 25 AC:Basic/A:Admin/CI:None/II:None/E:Theoretical/TD:All

Affected versions

<7.x-2.1

The etracker module integrates etracker's statistics tracking solution. The Drupal 7 version of the module doesn't sufficiently verify account key form field validation against cross-site scripting attacks.

Read more about etracker - Less critical - Cross Site Scripting

EU Cookie Compliance (GDPR Compliance) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-072

Project

EU Cookie Compliance (GDPR Compliance)

Date

July 02, 2025

Severity

Moderately Critical

Risk Score

13 ∕ 25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All

Affected versions

<7.x-1.45

The EU Cookie Compliance module doesn't sufficiently verify whether "disabled JavaScript" entries are valid or correspond to actual scripts on the page.

Read more about EU Cookie Compliance (GDPR Compliance) - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-072

Facebook Pixel - Less critical - Cross Site Scripting

Project

Facebook PIxel

Date

June 04, 2025

Severity

Less Critical

Risk Score

9 ∕ 25 AC:None/A:Admin/CI:None/II:None/E:Theoretical/TD:All

Affected versions

<7.x-1.2

The Facebook Pixel module integrates with Facebook analytics. The Drupal 7 version of the module does not sufficiently protect its configuration against cross-site scripting attacks.

Read more about Facebook Pixel - Less critical - Cross Site Scripting

Commerce Paybox - Moderately Critical - Payment bypass vulnerability

Project

Commerce Paybox

Date

May 28, 2025

Severity

Moderately Critical

Risk Score

13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All

Affected versions

<7.x-1.6

The Commerce Paybox module integrates with Verifone e-commerce for accepting online payments. A payment bypass vulnerability could be exploited to mark a payment as done and flag an order as completed, without the user actually entering a credit card number.

Read more about Commerce Paybox - Moderately Critical - Payment bypass vulnerability