[IT-SecNots] [Security-news] Node export - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-061

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2024-061

Project: Node export [1]
Date: 2024-November-20
Security risk: *Moderately critical* 14 ∕ 25
AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Arbitrary PHP code execution

Description: 
This module allows users to export nodes and then import it into another
Drupal installation, or on the same site.

In certain cases the module doesn't sufficiently sanitize data before passing
it to PHP's unserialize() function, which could results in Remote Code
Execution via PHP Object Injection.

This vulnerability is mitigated by the fact that an attack must operate with
the permission "Use PHP to import nodes", however this could be the case if
this issue were combined with others in an "attack chain".

In general, if this module is not in active use it is recommended to disable
it.

Solution: 
Install the latest version:

  * If you use the Node Export module for Drupal 7, upgrade to Node Export
    7.x-3.3 [3]

Reported By: 
  * Drew Webber [4] of the Drupal Security Team

Fixed By: 
  * Drew Webber [5] of the Drupal Security Team
  * Ivan Trokhanenko [6]

Coordinated By: 
  * Drew Webber [7] of the Drupal Security Team
  * Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/node_export
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/node_export/releases/7.x-3.3
[4] https://www.drupal.org/user/255969
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/3546872
[7] https://www.drupal.org/user/255969
[8] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news