View online: https://www.drupal.org/sa-contrib-2024-001
Project: File Entity (fieldable files) [1] Date: 2024-January-10 Security risk: *Moderately critical* 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Scripting, Access bypass
Description: File entity provides interfaces for managing files. It also extends the core file entity, allowing files to be fieldable, grouped into types, viewed (using display modes) and formatted using field formatters.
The module previously did not sufficiently validate files under the scenario of a file replacement leading to multiple exploit paths including persistent Cross Site Scripting.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to edit files.
Solution: Install the latest version:
* If you use the file_entity module for Drupal 7.x, upgrade to File Entity 7.x-2.38 [3].
Reported By: * Caroline Boyden [4]
Fixed By: * Joseph Olstad [5] * Sascha Grossenbacher [6] * Caroline Boyden [7]
Coordinated By: * Damien McKenna [8] of the Drupal Security Team * Greg Knaddison [9] of the Drupal Security Team
[1] https://www.drupal.org/project/file_entity [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/file_entity/releases/7.x-2.38 [4] https://www.drupal.org/user/657902 [5] https://www.drupal.org/user/1321830 [6] https://www.drupal.org/user/214652 [7] https://www.drupal.org/user/657902 [8] https://www.drupal.org/user/108450 [9] https://www.drupal.org/user/36762