[IT-SecNots] [Security-news] File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2024-040

Project: File Entity (fieldable files) [1]
Date: 2024-September-11
Security risk: *Moderately critical* 10 ∕ 25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Information Disclosure

Description: 
This module enables you to store and manage both private and public files,
provides the ability to add fieldable metadata for file_entity bundle types
in addition to core file_managed data.

The module doesn't sufficiently ensure private destination folders exist
prior to writing to them. If the folder doesn't exist, the module places the
file in a publicly accessible directory.

This vulnerability only affects sites with private files.

Solution: 
Install the latest version:

  * If you use the file_entity module for Drupal 7, upgrade to file_entity
    7.x-2.39 [3] or newer.

Reported By: 
  * Devin Zuczek [4]

Fixed By: 
  * Devin Zuczek [5]
  * Joseph Olstad [6]

Coordinated By: 
  * Greg Knaddison [7] of the Drupal Security Team
  * Damien McKenna [8] of the Drupal Security Team
  * Juraj Nemec [9] of the Drupal Security Team


[1] https://www.drupal.org/project/file_entity
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/file_entity/releases/7.x-2.39
[4] https://www.drupal.org/user/701754
[5] https://www.drupal.org/user/701754
[6] https://www.drupal.org/user/1321830
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/u/DamienMcKenna
[9] https://www.drupal.org/u/poker10

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news