View online: https://www.drupal.org/sa-contrib-2021-034 Project: Search API attachments [1] Date: 2021-September-22 Security risk: *Critical* 15∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Default [2] Vulnerability: Arbitrary PHP code execution Description: This module enables you to extract the textual content of files for use on a website, e.g. to display it or or use it in search indexes. The module doesn't sufficiently protect the administrator-defined commands which are executed on the server, which leads to post-authentication remote code execution by a limited set of users. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer search_api". Sites are encouraged to review which roles have that permission and which users have that role, to ensure that only trusted users have that permission. Solution: Install the latest version: * If you use the search_api_attachments module for Drupal 7.x, upgrade to search_api_attachments 7.x-1.19 [3] The 8.x branch does not have Security Coverage. Reported By: * Florent Torregrosa [4] Fixed By: * Damien McKenna [5] of the Drupal Security Team * Ismaeil Abouljamal [6] Coordinated By: * Damien McKenna [7] of the Drupal Security Team * Greg Knaddison [8] of the Drupal Security Team [1] https://www.drupal.org/project/search_api_attachments [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/search_api_attachments/releases/7.x-1.19 [4] https://www.drupal.org/user/2388214 [5] https://www.drupal.org/user/108450 [6] https://www.drupal.org/user/514568 [7] https://www.drupal.org/u/damienmckenna [8] https://www.drupal.org/u/greggles