Tag1 D7ES Security Advisories

The Commerce Paybox module integrates with Verifone e-commerce for accepting online payments. A payment bypass vulnerability could be exploited to mark a payment as done and flag an order as completed, without the user actually entering a credit card number.

Stage File Proxy is a solution for transferring production files to a development server on demand. The module doesn't sufficiently validate the existence of remote files prior to attempting to download and create them.

The Colorbox module allows images, iframed, or inline content to be displayed in a modal above the current page. It doesn't sufficiently sanitize data attributes before opening modals.

Mailjet is susceptible to multiple upstream vulnerabilities from its use of the embedded PHPMailer & Guzzle library.

The module doesn't verify flag links before performing the flag action, or verify that the response returned was provided by the flag module. This can allow specially crafted HTML to result in Cross Site Scripting.

The Form Builder module provides an interface for editing and configuring forms. The module doesn't sufficiently sanitize JSON data, allowing persistent Cross Site Scripting (XSS) attacks.

The Access code module allows site visitors to log in using an access code instead of entering username and password. The module doesn't sufficiently protect against brute force attacks to guess a user's access code.

The link module provides a standard custom content field for links. This release is a backport of SA-CORE-2025-004, with the addition of a hook_update to register the new sanitization PHP class in Drupal 7's class registry.

The SMTP module allows Drupal to bypass the PHP mail() function and send email directly to an SMTP server. It is susceptible to multiple upstream vulnerabilities from its use of the embedded PHPMailer library.

Global Redirect is a module that provides support for clean URLs, paths, and aliases. It is susceptible to a Server Side Request Forgery (SSRF) when used in combination with remote_stream_wrapper project.