Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Media: oEmbed - Critical - Remote Code Execution - SA-CONTRIB-2020-036

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Media: oEmbed - Critical - Remote Code Execution - SA-CONTRIB-2020-036


Chronologisch Thread 
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Media: oEmbed - Critical - Remote Code Execution - SA-CONTRIB-2020-036
  • Date: Wed, 18 Nov 2020 17:57:09 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2020-036

Project: Media: oEmbed [1]
Date: 2020-November-18
Security risk: *Critical* 17∕25
AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Remote Code Execution

Description: 
Media oEmbed does not properly sanitize certain filenames as described in
SA-CORE-2020-012 [3].

Solution: 
Install the latest version:

* Upgrade to Media oEmbed 7.x-2.8 [4]

Reported By: 
* Alex Pott [5] of the Drupal Security Team

Fixed By: 
* Samuel Mortenson [6] of the Drupal Security Team
* Alex Pott [7] of the Drupal Security Team
* Drew Webber [8] of the Drupal Security Team

Coordinated By: 
* Samuel Mortenson [9] of the Drupal Security Team
* Alex Pott [10] of the Drupal Security Team
* Drew Webber [11] of the Drupal Security Team
* xjm [12] of the Drupal Security Team


[1] https://www.drupal.org/project/media_oembed
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-core-2020-012
[4] https://www.drupal.org/project/media_oembed/releases/7.x-2.8
[5] https://www.drupal.org/user/157725
[6] https://www.drupal.org/user/2582268
[7] https://www.drupal.org/user/157725
[8] https://www.drupal.org/user/255969
[9] https://www.drupal.org/user/2582268
[10] https://www.drupal.org/user/157725
[11] https://www.drupal.org/user/255969
[12] https://www.drupal.org/user/65776

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


  • [IT-SecNots] [Security-news] Media: oEmbed - Critical - Remote Code Execution - SA-CONTRIB-2020-036, security-news, 18.11.2020

Archiv bereitgestellt durch MHonArc 2.6.19.

Seitenanfang