it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] File Entity (fieldable files) - Moderately critical - Cross Site Scripting, Access bypass - SA-CONTRIB-2024-001


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] File Entity (fieldable files) - Moderately critical - Cross Site Scripting, Access bypass - SA-CONTRIB-2024-001
  • Date: Wed, 10 Jan 2024 18:38:00 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2024-001

Project: File Entity (fieldable files) [1]
Date: 2024-January-10
Security risk: *Moderately critical* 14/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting, Access bypass

Description: 
File entity provides interfaces for managing files. It also extends the core
file entity, allowing files to be fieldable, grouped into types, viewed
(using display modes) and formatted using field formatters.

The module previously did not sufficiently validate files when an existing
file was replaced, leading to multiple exploit paths, including persistent
Cross Site Scripting.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to edit files.
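The weakness described above is that a replacement upload was trusted more than a fresh one. The following Python is an added illustration written for this archive page, not the file_entity module's own fix: it models a stored file with a file type and an extension whitelist, and subjects a replacement upload to the same checks a first upload would face, plus a rule that the replacement may not change the file's extension and a content check that rejects browser-renderable markup hiding behind an image extension. The file type names, the whitelist, the magic-number table and the sample uploads are constructed for the example.

```python
import os
from dataclasses import dataclass

# Per-file-type extension whitelist. The type names and lists are
# constructed for this example; a real site takes them from the
# file type's field settings.
ALLOWED_EXTENSIONS = {
    "image": {"png", "jpg", "jpeg", "gif"},
    "document": {"pdf", "txt"},
}

# Leading bytes a well-formed file of each extension starts with.
# Plain text has no magic number, so "txt" is absent.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


@dataclass
class StoredFile:
    """The file already attached to the entity (constructed model)."""
    filename: str
    file_type: str


@dataclass
class Upload:
    """The candidate replacement as received from the edit form."""
    filename: str
    content: bytes


def extension(filename: str) -> str:
    """Lower-cased extension without the dot, '' if there is none."""
    return os.path.splitext(filename)[1].lower().lstrip(".")


def looks_like_markup(content: bytes) -> bool:
    """True if a content-sniffing browser would treat the payload as an
    HTML or SVG document regardless of the extension it was served under."""
    head = content.lstrip()[:256].lower()
    return head.startswith((b"<!doctype", b"<html", b"<svg", b"<script"))


def validate_replacement(original: StoredFile, upload: Upload) -> list:
    """Return the reasons the replacement must be rejected.
    An empty list means the upload may replace the original."""
    errors = []
    new_ext = extension(upload.filename)
    old_ext = extension(original.filename)
    allowed = ALLOWED_EXTENSIONS.get(original.file_type, set())

    # 1. The replacement passes the same whitelist the original upload
    #    had to pass; being attached to an entity earns it no trust.
    if new_ext not in allowed:
        errors.append(
            f"extension '.{new_ext}' is not allowed for type '{original.file_type}'")

    # 2. A replacement may not change what kind of file is served, or every
    #    formatter that trusted the original type now renders something else.
    if new_ext != old_ext:
        errors.append(f"extension changed from '.{old_ext}' to '.{new_ext}'")

    # 3. The bytes must match what the extension claims.
    expected = MAGIC.get(new_ext)
    if expected and not upload.content.startswith(expected):
        errors.append(f"content does not match a '.{new_ext}' file")

    # 4. Nothing renderable as a document may hide behind another extension
    #    (no HTML/SVG type is whitelisted here, so this check is unconditional).
    if looks_like_markup(upload.content):
        errors.append("content looks like HTML/SVG markup")

    return errors


if __name__ == "__main__":
    avatar = StoredFile("avatar.png", "image")
    good = Upload("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    bad = Upload("avatar.png", b"<script>alert(1)</script>")
    print("valid replacement :", validate_replacement(avatar, good))
    print("script as png     :", validate_replacement(avatar, bad))
```

The last two checks are what close the persistent XSS path: a payload uploaded under an image name but consisting of markup fails both the magic-number comparison and the markup sniff, so it never reaches a display mode that would serve it to other users.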

Solution: 
Install the latest version:

* If you use the file_entity module for Drupal 7.x, upgrade to File Entity
7.x-2.38 [3].

Reported By: 
* Caroline Boyden [4]

Fixed By: 
* Joseph Olstad [5]
* Sascha Grossenbacher [6]
* Caroline Boyden [7]

Coordinated By: 
* Damien McKenna [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team


[1] https://www.drupal.org/project/file_entity
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/file_entity/releases/7.x-2.38
[4] https://www.drupal.org/user/657902
[5] https://www.drupal.org/user/1321830
[6] https://www.drupal.org/user/214652
[7] https://www.drupal.org/user/657902
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


