View online: https://www.drupal.org/sa-contrib-2024-040
Project: File Entity (fieldable files) [1]
Date: 2024-September-11
Security risk: *Moderately critical* 10 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Information Disclosure
Description: This module enables you to store and manage both private and public files, and it provides the ability to add fieldable metadata for file_entity bundle types in addition to core file_managed data.
The module doesn't sufficiently ensure private destination folders exist prior to writing to them. If the folder doesn't exist, the module places the file in a publicly accessible directory.
This vulnerability only affects sites with private files.
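As an added illustration (not the module's own code and not its actual fix), this is the Drupal 7 write pattern that avoids the failure mode described above: prepare the private destination directory before writing, and fail closed rather than let the file land anywhere else. The function name `example_save_private_file` and the `example` watchdog type are assumed names.

```php
<?php
// Added example, not code from the file_entity module. A fail-closed write
// helper for Drupal 7: if the destination is private:// and its directory
// cannot be found or created, the write is refused instead of falling back
// to a public location. Function name and watchdog type are hypothetical.

/**
 * Save data to $destination, refusing to downgrade a private:// target.
 *
 * @param string $data        Raw file contents.
 * @param string $destination Stream URI, e.g. "private://reports/q3.pdf".
 *
 * @return object|false The managed file object, or FALSE on failure.
 */
function example_save_private_file($data, $destination) {
  $scheme = file_uri_scheme($destination);
  if ($scheme === FALSE || !file_stream_wrapper_valid_scheme($scheme)) {
    watchdog('example', 'Refusing write: invalid scheme in %uri.', array('%uri' => $destination), WATCHDOG_ERROR);
    return FALSE;
  }

  // Make sure the destination folder exists (creating it if needed) before
  // anything is written. This is the check the advisory describes as missing.
  $directory = drupal_dirname($destination);
  if (!file_prepare_directory($directory, FILE_CREATE_DIRECTORY | FILE_MODIFY_PERMISSIONS)) {
    watchdog('example', 'Refusing write: could not prepare %dir.', array('%dir' => $directory), WATCHDOG_ERROR);
    return FALSE;
  }

  $file = file_save_data($data, $destination, FILE_EXISTS_RENAME);
  if (!$file) {
    return FALSE;
  }

  // Verify the saved URI kept the requested scheme. A private:// target that
  // ended up under public:// is treated as a failure and cleaned up.
  if ($scheme === 'private' && file_uri_scheme($file->uri) !== 'private') {
    watchdog('example', 'Private file %uri was stored outside the private scheme; removing it.', array('%uri' => $file->uri), WATCHDOG_CRITICAL);
    file_delete($file, TRUE);
    return FALSE;
  }

  return $file;
}
```

Site administrators can confirm the same precondition from the UI: the private file system path configured under File system must exist and be writable by the web server before private uploads are enabled.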
Solution: Install the latest version:
* If you use the file_entity module for Drupal 7, upgrade to file_entity 7.x-2.39 [3] or newer.
Reported By:
* Devin Zuczek [4]
Fixed By:
* Devin Zuczek [5]
* Joseph Olstad [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
* Damien McKenna [8] of the Drupal Security Team
* Juraj Nemec [9] of the Drupal Security Team
[1] https://www.drupal.org/project/file_entity
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/file_entity/releases/7.x-2.39
[4] https://www.drupal.org/user/701754
[5] https://www.drupal.org/user/701754
[6] https://www.drupal.org/user/1321830
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/u/DamienMcKenna
[9] https://www.drupal.org/u/poker10