View online: https://www.drupal.org/sa-contrib-2024-052
Project: Monster Menus [1]
Date: 2024-October-23
Security risk: *Critical* 19 ∕ 25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Arbitrary PHP code execution
Affected versions: <9.3.4 || >=9.4.0 <9.4.2
Description: This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure.
In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize() function, which can result in arbitrary code execution.
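Added example, not code from the Monster Menus module or the Drupal Security Team: the generic pattern behind this bug class in PHP, an untrusted string reaching unserialize() unchanged, shown next to two hardened forms. The function names, the constructed sample input and the Settings class name are assumptions; the module's actual code path is not reproduced here.

```php
<?php
// Added example (not Monster Menus code). Function names, the sample
// input and the "Settings" class name are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: untrusted input is passed to unserialize() as-is.
// Any serialized object is instantiated, and if that class defines
// __wakeup() or __destruct(), those methods run on attacker-shaped data.
// That is the mechanism by which an unserialize() bug becomes code execution.
function loadStateUnsafe(string $untrusted)
{
    return unserialize($untrusted);
}

// Hardened pattern 1: keep unserialize() but forbid object instantiation.
// With allowed_classes => false, every serialized object is turned into
// __PHP_Incomplete_Class, so no magic method of any real class executes.
function loadStateScalarsOnly(string $untrusted)
{
    // unserialize() emits a notice and returns false on malformed input;
    // tell that apart from a legitimately serialized false ('b:0;').
    $value = @unserialize($untrusted, ['allowed_classes' => false]);
    if ($value === false && $untrusted !== serialize(false)) {
        throw new InvalidArgumentException('Malformed serialized state');
    }
    return $value;
}

// Hardened pattern 2: do not use PHP serialization for untrusted data at all.
// JSON can only yield arrays and scalars, so there is nothing to instantiate.
function loadStateJson(string $untrusted): array
{
    $value = json_decode($untrusted, true, 32, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new InvalidArgumentException('Expected a JSON object or array');
    }
    return $value;
}

// Constructed sample: a serialized object of a hypothetical "Settings" class.
// loadStateUnsafe() would instantiate Settings (if such a class is loadable)
// and run its __wakeup(); loadStateScalarsOnly() never does.
$sample = 'O:8:"Settings":1:{s:5:"theme";s:4:"dark";}';

$safe = loadStateScalarsOnly($sample);
var_dump($safe instanceof __PHP_Incomplete_Class); // bool(true): no real class created

// Malformed input is rejected rather than silently becoming false.
try {
    loadStateScalarsOnly('O:8:"Settings":1:{broken');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

var_dump(loadStateJson('{"theme":"dark"}')); // array(1) { ["theme"]=> string(4) "dark" }
```

When auditing a site for this class of issue, the check is simply whether every unserialize() call receives either trusted data (written by the application itself) or the allowed_classes option; the upgrade in the Solution section remains the fix for this advisory.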
Solution: Install the latest version:
* If you use Monster Menus branch *9.4.x*, upgrade to monster_menus 9.4.2 [3]
* If you use Monster Menus branch *9.3.x*, upgrade to monster_menus 9.3.4 [4]
Reported By:
* Drew Webber [5] of the Drupal Security Team
Fixed By:
* Drew Webber [6] of the Drupal Security Team
* Dan Wilga [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
* Juraj Nemec [9] of the Drupal Security Team
* Drew Webber [10] of the Drupal Security Team
[1] https://www.drupal.org/project/monster_menus
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/monster_menus/releases/9.4.2
[4] https://www.drupal.org/project/monster_menus/releases/9.3.4
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/255969
[7] https://www.drupal.org/user/56892
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10
[10] https://www.drupal.org/user/255969