Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063


Chronologisch Thread  
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063
  • Date: Wed, 20 Nov 2024 20:25:59 +0000 (UTC)
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=Y9xF3z2K; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.137 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 3DFC74F847
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org F235D606BF
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2024-063

Project: Eloqua [1]
Date: 2024-November-20
Security risk: *Moderately critical* 14 ∕ 25
AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Arbitrary PHP code execution

Description: 
This module integrates webforms with eloqua, an automated marketing and
demand generation software built to improve the quality and quantity of
customers' sales leads and streamline their sales processes.

In certain cases the module doesn't sufficiently sanitize data before passing
it to PHP's unserialize() function, which could result in Remote Code
Execution via PHP Object Injection.

This vulnerability is mitigated by the fact that an attack must operate with
the permission "access administration pages", however this could be the case
if this issue were combined with others in an "attack chain".

Solution: 
Install the latest version:

* If you use the Eloqua module for Drupal 7.x, upgrade to Eloqua 7.x-1.15
[3]

Reported By: 
* Drew Webber [4] of the Drupal Security Team

Fixed By: 
* Albert Volkman [5]

Coordinated By: 
* Greg Knaddison [6] of the Drupal Security Team


[1] https://www.drupal.org/project/eloqua
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/eloqua/releases/7.x-1.15
[4] https://www.drupal.org/user/255969
[5] https://www.drupal.org/user/429502
[6] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


  • [IT-SecNots] [Security-news] Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063, security-news, 20.11.2024

Archiv bereitgestellt durch MHonArc 2.6.19+.

Seitenanfang