Tag1 D7ES Announcements

Coffee - Moderately Critical - Cross Site Scripting

Project

Coffee 7.x-2.3

Date

February 26, 2025

Severity

Moderately Critical

Risk Score

13/25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

Affected versions

≤7.x-2.3

The Coffee module helps you to navigate through the Drupal admin faster, inspired by Alfred and Spotlight (OS X). This vulnerability was originally patched by D7Security Group. This is a public release of the port of that patch, provided to Tag1 D7ES customers.

Read more about Coffee - Moderately Critical - Cross Site Scripting

Tag1 D7ES Backdrop

Date

February 20, 2025

Image plugin and AdvancedLink plugin, ported from Backdrop CMS in the Tag1 D7ES Backdrop module.

Read more about Tag1 D7ES Backdrop

Tag1 D7ES jQuery Update

Date

February 20, 2025

Add jQuery 3 support to a Drupal 7 site using the Tag1 D7ES jQuery Update module.

Read more about Tag1 D7ES jQuery Update

Tag1 D7ES CKEditor 5

Date

February 19, 2025

Tag1 D7ES CKEditor 5 module integrates the last version of CKEditor, a modular and extensible rich text editor, for Drupal 7 extended support.

Read more about Tag1 D7ES CKEditor 5

Webform Multiple File Upload - Critical - Cross Site Scripting - D7SECURITY-SA-CONTRIB-2025-001

Project

Webform Multiple File Upload

Date

January 16, 2025

Severity

Critical

Risk Score

16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All

Affected versions

<7.x-1.7

The Webform Multiple File Upload module allows users to upload multiple files on a Webform. The module doesn't sufficiently escape filenames when displaying them, thereby exposing an XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have access to a Webform that allows multiple file uploads.

Read more about Webform Multiple File Upload - Critical - Cross Site Scripting - D7SECURITY-SA-CONTRIB-2025-001