View online: https://www.drupal.org/sa-contrib-2017-097
Project: me aliases [1]
Date: 2017-December-20
Security risk: *Highly critical* 20∕25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Arbitrary code execution
Description: The 'me' module provides shortcut paths to the current user's pages, e.g. user/me, blog/me, user/me/edit, tracker/me, etc.
The way 'me' module handles URL arguments allows an attacker to execute arbitrary code strings.
Solution: Install the latest version:
* If you use the 'me' module for Drupal 7.x, upgrade to 'me' 7.x-1.3 [3]
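A check for the upgrade above, added here as an example and not part of the advisory or the project's code. It assumes the module's packaged .info file is named me.info and carries the version line written by the Drupal.org packaging script, and it treats 7.x-1.x releases below 1.3 as needing the upgrade; the sample file contents are constructed.

```python
import os
import re
import sys

FIXED_MINOR = 3  # 'me' 7.x-1.3, the release named in the advisory

# Constructed sample of a packaged Drupal 7 .info file (not the real me.info).
SAMPLE_INFO = 'name = me aliases\ncore = 7.x\nversion = "7.x-1.2"\n'

VERSION_RE = re.compile(
    r'^[ \t]*version[ \t]*=[ \t]*"?([^"\r\n]+?)"?[ \t\r]*$', re.M)
RELEASE_RE = re.compile(r"^7\.x-1\.(\d+)$")  # stable 7.x-1.x releases only


def info_version(info_text):
    """Return the version string from .info file contents, or None."""
    m = VERSION_RE.search(info_text)
    return m.group(1) if m else None


def classify(version):
    """Map a version string to 'fixed', 'upgrade' or 'review'."""
    m = RELEASE_RE.match(version or "")
    if not m:
        # No version line (e.g. a git checkout), a -dev snapshot, or another
        # branch: not comparable to 7.x-1.3, so flag it for a manual look.
        return "review"
    return "fixed" if int(m.group(1)) >= FIXED_MINOR else "upgrade"


def scan(docroot):
    """Yield (path, version, status) for every me.info under docroot."""
    for dirpath, _dirs, files in os.walk(docroot):
        if "me.info" in files:
            path = os.path.join(dirpath, "me.info")
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = info_version(fh.read())
            yield path, version, classify(version)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, version, status in scan(root):
        print(f"{status:8} {version or '-':16} {path}")
```

Run it with the Drupal docroot as the only argument; a 'review' result means the copy has to be compared against the 7.x-1.3 release by hand.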
Reported By:
* ross.linscott [4]
Fixed By:
* Camilo Bravo [5]
* nohup [6]
* Michael Hess [7] of the Drupal Security Team
Coordinated By:
* Michael Hess [8] of the Drupal Security Team
[1] https://www.drupal.org/project/me
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/me/releases/7.x-1.3
[4] https://www.drupal.org/user/3544915
[5] https://www.drupal.org/u/cambraca
[6] https://www.drupal.org/u/nohup
[7] https://www.drupal.org/user/102818
[8] https://www.drupal.org/user/102818