View online: https://www.drupal.org/sa-contrib-2019-037

Project: Video [1]
Date: 2019-March-13
Security risk: *Critical* 19∕25 AC:None/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Remote Code Execution

Description:
This module provides a field where editors can add videos to their content and this module offers functionality to transcode these videos to different sizes and formats.

The module doesn't sufficiently sanitize some user input on administrative forms.

Solution:
  * If you use the Video module for Drupal 7.x, upgrade to Video 7.x-2.14 [3]

Also see the Video [4] project page

Note that the Drupal 8 version of this module is unaffected.

Reported By:
  * Samuel Mortenson [5] of the Drupal Security Team

Fixed By:
  * Michael Hess [6] of the Drupal Security Team
  * Jorrit Schippers [7]
  * Samuel Mortenson [8] of the Drupal Security Team
  * Greg Knaddison [9] of the Drupal Security Team

Coordinated By:
  * Michael Hess [10] of the Drupal Security Team

[1] https://www.drupal.org/project/video
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/video/releases/7.x-2.14
[4] https://www.drupal.org/project/video
[5] https://www.drupal.org/user/2582268
[6] https://www.drupal.org/user/102818
[7] https://www.drupal.org/user/161217
[8] https://www.drupal.org/user/2582268
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/102818