Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Loft Data Grids - Moderately critical - XML External Entity (XXE) Processing - SA-CONTRIB-2021-043

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Loft Data Grids - Moderately critical - XML External Entity (XXE) Processing - SA-CONTRIB-2021-043


Chronologisch Thread 
    < Chronologisch >      < Thread >
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Loft Data Grids - Moderately critical - XML External Entity (XXE) Processing - SA-CONTRIB-2021-043
  • Date: Wed, 13 Oct 2021 16:52:31 +0000 (UTC)
  • Authentication-results: mail02.piratenpartei.de; dkim=none; spf=pass (mail02.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2021-043

Project: Loft Data Grids [1]
Date: 2021-October-13
Security risk: *Moderately critical* 11∕25
AC:Complex/A:Admin/CI:Some/II:Some/E:Proof/TD:Uncommon [2]
Vulnerability:  XML External Entity (XXE) Processing

Description: 
This module enables aklump/loft_data_grids to be used as a Drupal module.

Excel support was provided by
https://packagist.org/packages/phpoffice/phpexcel [3], which is abandoned and
there are known security vulnerabilities: [CVE-2018-19277]:
PHPOffice/PhpSpreadsheet#771. Excel support has since been replaced with the
newer https://github.com/PHPOffice/PhpSpreadsheet [4] library.

This module provides an API and This vulnerability is not exploitable in the
module itself. This vulnerability only exists if custom code or another
module uses the API of this module to read a spreadsheet.

Solution: 
Upgraded to the the latest version.

* https://www.drupal.org/project/loft_data_grids/releases/7.x-2.4 [5]
* https://www.drupal.org/project/loft_data_grids/releases/8.x-1.4 [6]

Reported By: 
* Lucas Hedding [7]

Fixed By: 
* Aaron Klump [8]

Coordinated By: 
* Greg Knaddison [9] of the Drupal Security Team
* Michael Hess [10] of the Drupal Security Team


[1] https://www.drupal.org/project/loft_data_grids
[2] https://www.drupal.org/security-team/risk-levels
[3] https://packagist.org/packages/phpoffice/phpexcel
[4] https://github.com/PHPOffice/PhpSpreadsheet
[5] https://www.drupal.org/project/loft_data_grids/releases/7.x-2.4
[6] https://www.drupal.org/project/loft_data_grids/releases/8.x-1.4
[7] https://www.drupal.org/user/1463982
[8] https://www.drupal.org/user/142422
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/102818

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

  • [IT-SecNots] [Security-news] Loft Data Grids - Moderately critical - XML External Entity (XXE) Processing - SA-CONTRIB-2021-043, security-news, 13.10.2021

Archiv bereitgestellt durch MHonArc 2.6.24.

Seitenanfang