View online: https://www.drupal.org/sa-contrib-2024-040

Project: File Entity (fieldable files) [1]
Date: 2024-September-11
Security risk: *Moderately critical* 10 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Information Disclosure

Description:
This module enables you to store and manage both private and public files, and provides the ability to add fieldable metadata for file_entity bundle types in addition to core file_managed data.

The module doesn't sufficiently ensure that private destination folders exist prior to writing to them. If the folder doesn't exist, the module places the file in a publicly accessible directory instead.

This vulnerability only affects sites with private files.

Solution:
Install the latest version:
* If you use the file_entity module for Drupal 7, upgrade to file_entity 7.x-2.39 [3] or newer.

Reported By:
* Devin Zuczek [4]

Fixed By:
* Devin Zuczek [5]
* Joseph Olstad [6]

Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
* Damien McKenna [8] of the Drupal Security Team
* Juraj Nemec [9] of the Drupal Security Team

[1] https://www.drupal.org/project/file_entity
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/file_entity/releases/7.x-2.39
[4] https://www.drupal.org/user/701754
[5] https://www.drupal.org/user/701754
[6] https://www.drupal.org/user/1321830
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/u/DamienMcKenna
[9] https://www.drupal.org/u/poker10
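The check the Description says was missing, shown as an added Drupal 7 illustration (this is not file_entity's code nor the fix shipped in 7.x-2.39): prepare the private:// destination directory first and refuse the upload if that fails, rather than letting the file land under a public path. The helper name, the form field name and the subdirectory are assumptions.

```php
<?php
/**
 * Added illustration, not the module's own code: save an uploaded file to a
 * private:// destination only after the destination directory is confirmed
 * to exist. Hypothetical helper for a Drupal 7 site.
 */
function example_save_private_upload($form_field_name, $subdir, array $validators = array()) {
  // Name the private scheme explicitly instead of relying on the site's
  // default scheme, so a misconfiguration cannot silently select public://.
  $destination = 'private://' . trim($subdir, '/');

  // Ensure the private directory exists (creating it if needed) and is
  // writable. On failure, stop here: never fall back to a public directory.
  if (!file_prepare_directory($destination, FILE_CREATE_DIRECTORY | FILE_MODIFY_PERMISSIONS)) {
    watchdog('example', 'Private destination %dir could not be prepared; upload refused.',
      array('%dir' => $destination), WATCHDOG_ERROR);
    return FALSE;
  }

  // Only now hand the destination to the core upload handler.
  $file = file_save_upload($form_field_name, $validators, $destination, FILE_EXISTS_RENAME);
  if (!$file) {
    return FALSE;
  }

  // Defence in depth: confirm the stored URI really is under private://.
  // If it is not, remove the file so nothing private is left web-accessible.
  if (file_uri_scheme($file->uri) !== 'private') {
    watchdog('example', 'File %uri was not stored under private://; removing it.',
      array('%uri' => $file->uri), WATCHDOG_ERROR);
    file_delete($file, TRUE);
    return FALSE;
  }

  return $file;
}
```

On an affected site, the same post-save scheme check can be run over existing file_managed rows to find files that were expected to be private but carry a public:// URI.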