it-securitynotifies - [IT-SecNots] [Security-news] Opigno - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-032

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Opigno - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-032
  • Date: Wed, 21 Aug 2024 17:08:52 +0000 (UTC)
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org BB95140D3F
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 3383180886
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2024-032

Project: Opigno [1]
Date: 2024-August-21
Security risk: *Critical* 16∕25
AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Arbitrary PHP code execution

Description: 
The Opigno module is related to the Opigno LMS distribution. The Opigno Scorm
submodule exposes an API for extracting and handling SCORM packages.

Uploaded files were not sufficiently validated to prevent arbitrary file
uploads, which could lead to Remote Code Execution (RCE) and/or Cross Site
Scripting (XSS).

This vulnerability is mitigated by the fact that it affected only specific
activity types.

Solution: 
Install the latest version:

* If you use the /opigno/ module, upgrade to opigno 7.x-1.23 [3]

Reported By: 
* Yurii Boichenko [4]
* Marcin Grabias [5]
* catch [6] of the Drupal Security Team

Fixed By: 
* Yurii Boichenko [7]

Coordinated By: 
* Greg Knaddison [8] of the Drupal Security Team
* Juraj Nemec [9] of the Drupal Security Team


[1] https://www.drupal.org/project/opigno
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/opigno/releases/7.x-1.23
[4] https://www.drupal.org/user/624860
[5] https://www.drupal.org/user/1599440
[6] https://www.drupal.org/user/35733
[7] https://www.drupal.org/user/624860
[8] https://www.drupal.org/user/36762
[9] https://www.drupal.org/u/poker10

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
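
The advisory attributes the issue to insufficient validation of uploaded SCORM packages. The following pre-extraction check is an added example, not Opigno's code and not the fix shipped in 7.x-1.23; the function name `scorm_package_problems` and both extension lists are assumptions.

```php
<?php
// Added example, not Opigno code: function name and both lists are assumptions.
const SCORM_ALLOWED_EXT = ['xml', 'xsd', 'dtd', 'html', 'htm', 'js', 'css', 'json',
    'txt', 'png', 'jpg', 'jpeg', 'gif', 'mp3', 'mp4', 'woff', 'woff2'];
// Name parts a web server may map to a script handler, wherever they appear.
const SCORM_EXEC_PARTS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'pht',
    'phar', 'phps', 'cgi', 'pl', 'py', 'sh'];
/** Returns a list of problems; an empty list means the archive may be extracted. */
function scorm_package_problems(string $zipPath): array {
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['not a readable ZIP archive'];
    }
    $problems = [];
    $hasManifest = false;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = (string) $zip->getNameIndex($i);
        // Absolute paths, drive letters, backslashes, NUL bytes and ".." segments.
        if ($name === '' || preg_match('#^/|^[A-Za-z]:|\\\\|\x00|(^|/)\.\.(/|$)#', $name)) {
            $problems[] = "entry $i: unsafe path";
            continue;
        }
        if (substr($name, -1) === '/') {
            continue; // directory entry, nothing to write
        }
        $hasManifest = $hasManifest || $name === 'imsmanifest.xml';
        $parts = explode('.', strtolower(basename($name)));
        if ($parts[0] === '' || !in_array(end($parts), SCORM_ALLOWED_EXT, true)) {
            $problems[] = "$name: file type not on the allowlist"; // includes dotfiles
        } elseif (array_intersect($parts, SCORM_EXEC_PARTS)) {
            $problems[] = "$name: executable extension inside the name"; // x.php.jpg
        }
    }
    $zip->close();
    if (!$hasManifest) {
        $problems[] = 'imsmanifest.xml missing from the archive root';
    }
    return $problems;
}
// Constructed sample package, built in a temp file so the script runs offline.
$path = tempnam(sys_get_temp_dir(), 'scorm');
$zip = new ZipArchive();
$zip->open($path, ZipArchive::CREATE | ZipArchive::OVERWRITE);
foreach (['imsmanifest.xml', 'index.html', 'img/logo.php.jpg', '.htaccess', 'lib/run.phtml'] as $n) {
    $zip->addFromString($n, 'constructed sample content');
}
$zip->close();
print_r(scorm_package_problems($path));
unlink($path);
```

SCORM content is HTML and JavaScript by design, so this check covers server-side execution only. Extracting into a directory where the web server does not run scripts is still needed alongside it.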

