it-securitynotifies - [IT-SecNots] [Security-news] File Download - Moderately critical - Access bypass - SA-CONTRIB-2025-089

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] File Download - Moderately critical - Access bypass - SA-CONTRIB-2025-089
  • Date: Wed, 16 Jul 2025 16:46:09 +0000 (UTC)
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=ONDq3gqL; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-089

Project: File Download [1]
Date: 2025-July-16
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Affected versions: <1.9.0 || >=2.0.0 <2.0.1
CVE IDs: CVE-2025-7717
Description: 
The File Download module lets users download file and image entities
directly using a custom field formatter. It also provides an optional
submodule to count and display file downloads in Views, similar to how the
core statistics module tracks content views.

The File Download module does not properly validate input when handling file
access requests. This can allow users to bypass protections and access
private files that should not be publicly available.

Solution: 
Install the latest version:

* If you use the File Download module for Drupal 8.x, upgrade to File
Download 2.0.1 [3] or File Download 8.x-1.9 [4].

Reported By: 
* Willem Drupal enthousiast (willempje2) [5]

Fixed By: 
* Shelane French (shelane) [6]
* Willem Drupal enthousiast (willempje2) [7]

Coordinated By: 
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team
* Jess (xjm) [10] of the Drupal Security Team


[1] https://www.drupal.org/project/file_download
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/file_download/releases/2.0.1
[4] https://www.drupal.org/project/file_download/releases/8.x-1.9
[5] https://www.drupal.org/u/willempje2
[6] https://www.drupal.org/u/shelane
[7] https://www.drupal.org/u/willempje2
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10
[10] https://www.drupal.org/u/xjm

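Added example (not part of the advisory or the File Download project's code): a check of an installed version against the affected range stated above, read from `composer.lock`. The Composer package name `drupal/file_download` and the sample lock file are assumptions; dev and pre-release versions return `None` so they get reviewed by hand.

```python
import json
import re

PACKAGE = "drupal/file_download"  # assumed Composer name for the file_download project

# Affected ranges from the advisory: <1.9.0 || >=2.0.0 <2.0.1
AFFECTED = [(None, (1, 9, 0)), ((2, 0, 0), (2, 0, 1))]


def normalize(version):
    """Return (major, minor, patch) for a stable release, or None if unparseable.

    Accepts Composer style ("1.9.0", "v2.0.1") and legacy Drupal style ("8.x-1.9").
    """
    v = version.strip().lstrip("v")
    v = re.sub(r"^\d+\.x-", "", v)           # 8.x-1.9 -> 1.9
    if not re.fullmatch(r"\d+(\.\d+){1,2}", v):
        return None                           # dev branches, alphas, RCs: review by hand
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True/False for a stable version, None when the version needs manual review."""
    parsed = normalize(version)
    if parsed is None:
        return None
    return any((lo is None or parsed >= lo) and parsed < hi for lo, hi in AFFECTED)


def check_lock(lock_text):
    """Find the module in composer.lock text; return (version, affected) or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg["version"], is_affected(pkg["version"])
    return None                               # module not installed via Composer


# Constructed sample lock file, not taken from a real site.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "10.3.1"},
    {"name": "drupal/file_download", "version": "2.0.0"},
]})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

A `None` result from `check_lock` only means the module is absent from the lock file; a copy placed manually under `modules/` still needs checking.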

