SAML SSO - Service Provider - Critical - Cross-site scripting - SA-CONTRIB-2026-018
Project
Date
Severity
Critical
Affected versions
<7.x-2.73
The SAML SSO - Service Provider module doesn't sufficiently sanitize user input.
This page displays all public Tag1 D7ES Security Advisories. Check out our Announcements page for all updates.
You can filter this list by project or subscribe to the RSS feed.
Taxonomy Term Reference Tree Widget - Moderately Critical - Cross Site Scripting
Date
Severity
Moderately Critical
Affected versions
<7.x-1.12
The Term Reference Tree Widget module contained a Cross-Site Scripting (XSS) vulnerability in its tree list output function, allowing malicious users to inject JavaScript code through unsanitized token replacement and improper URI handling.
Best Reply - Moderately Critical - Access Bypass
Project
Date
Severity
Moderately Critical
Affected versions
<7.x-1.6
The Best Reply module contained an access bypass vulnerability in its comment retrieval callback, allowing users to access comments on restricted content through insufficient access control validation.
Simple hierarchical select - Moderately Critical - Cross Site Scripting
Project
Date
Severity
Moderately Critical
Affected versions
<7.x-1.12
The Simple hierarchical select module contained a Cross-Site Scripting (XSS) vulnerability in its field formatter and term retrieval functions, allowing malicious users to inject JavaScript code through unsanitized term names.
File (Field) Paths - Moderately Critical - File Path Manipulation
Project
Date
Severity
Moderately Critical
Affected versions
<7.x-1.3
The File (Field) Paths module contained a file path manipulation vulnerability where file objects maintained inconsistent URI state after file move operations, potentially leading to file access issues and data corruption.
Username Enumeration Prevention - Moderate - Access Bypass
Date
Severity
Moderately Critical
Affected versions
<7.x-1.4
The Username Enumeration Prevention module lacked flood control in password validation, allowing potential username enumeration through rapid password reset requests.
Drupal core - Critical - JavaScript prototype pollution - BACKDROP-SA-CONTRIB-2025-015
Project
Date
Severity
Critical
Affected versions
<7.104
This vulnerability allows attackers to inject arbitrary properties into the JavaScript Object.prototype.
Protected Pages - Moderately critical - Access bypass - SA-CONTRIB-2025-101
Project
Date
Severity
Moderately Critical
Affected versions
<7.x-2.5
The Protected Pages modules doesn't limit the number of password attempts, making it vulnerable to brute force attacks.
TFA Basic plugins - Less critical - Access bypass - SA-CONTRIB-2025-085
Project
Date
Severity
Less Critical
Affected versions
<7.x-1.3
The TFA Basic plugins module does not sufficiently ensure that users with enhanced privileges are prevented from viewing recovery codes of other users.
etracker - Less critical - Cross Site Scripting
Project
Date
Severity
Less Critical
Affected versions
<7.x-2.1
The etracker module integrates etracker's statistics tracking solution. The Drupal 7 version of the module doesn't sufficiently verify account key form field validation against cross-site scripting attacks.