[IT-SecNots] [Security-news] Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2024-069

Project: Download All Files [1]
Date: 2024-December-04
Security risk: *Critical* 16 ∕ 25
AC:None/A:None/CI:Some/II:None/E:Proof/TD:All [2]
Vulnerability: Access bypass

Affected versions: <2.0.2
Description: 
This module provides a field formatter for the field type 'file' called
`Table of files with download all link` .

The module had vulnerabilities allowing a user to download files they
normally should not be able to download.

Solution: 
Install the latest version:

  * If you use the Download All Files module, upgrade to 2.0.2 version [3]

Reported By: 
  * Pierre Rudloff [4]
  * Jeroen Tubex [5]

Fixed By: 
  * Jeroen Tubex [6]
  * striknin [7]
  * Giuseppe  [8]

Coordinated By: 
  * Greg Knaddison [9] of the Drupal Security Team
  * Damien McKenna [10] of the Drupal Security Team
  * Ivo Van Geertruyen [11] of the Drupal Security Team


[1] https://www.drupal.org/project/download_all_files
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/download_all_files/releases/2.0.2
[4] https://www.drupal.org/user/3611858
[5] https://www.drupal.org/user/2228934
[6] https://www.drupal.org/user/2228934
[7] https://www.drupal.org/user/1234206
[8] https://www.drupal.org/user/3521392
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/108450
[11] https://www.drupal.org/user/383424

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news