[IT-SecNots] [Security-news] Video - Critical - Remote Code Execution - SA-CONTRIB-2019-037

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2019-037

Project: Video [1]
Date: 2019-March-13
Security risk: *Critical* 19∕25
AC:None/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Remote Code Execution

Description: 
This module provides a field where editors can add videos to their content
and this module offers functionality to transcode these videos to different
sizes and formats.

The module doesn't sufficiently sanitize some user input on administrative
forms.

Solution: 
  * If you use the Video module for Drupal 7.x, upgrade to Video 7.x-2.14 [3]

Also see the Video [4] project page

Note that the Drupal 8 version of this module is unaffected.

Reported By: 
  * Samuel Mortenson  [5] of the Drupal Security Team

Fixed By: 
  * Michael Hess  [6] of the Drupal Security Team
  * Jorrit Schippers  [7]
  * Samuel Mortenson  [8] of the Drupal Security Team
  * Greg Knaddison  [9] of the Drupal Security Team

Coordinated By: 
  * Michael Hess  [10] of the Drupal Security Team


[1] https://www.drupal.org/project/video
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/video/releases/7.x-2.14
[4] https://www.drupal.org/project/video
[5] https://www.drupal.org/user/2582268
[6] https://www.drupal.org/user/102818
[7] https://www.drupal.org/user/161217
[8] https://www.drupal.org/user/2582268
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/102818

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news