View online: https://www.drupal.org/sa-contrib-2017-097 Project: me aliases [1] Date: 2017-December-20 Security risk: *Highly critical* 20∕25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All [2] Vulnerability: Arbitrary code execution Description: 'me' module provides shortcut paths to current user's pages, eg user/me, blog/me, user/me/edit, tracker/me etc. The way 'me' module handles URL arguments allows an attacker to execute arbitrary code strings. Solution: Install the latest version: * If you use the 'me' module for Drupal 7.x, upgrade to 'me' 7.x-1.3 [3] Reported By: * ross.linscott [4] Fixed By: * Camilo Bravo [5] * nohup [6] * Michael Hess [7] of the Drupal Security Team Coordinated By: * Michael Hess [8] of the Drupal Security Team [1] https://www.drupal.org/project/me [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/me/releases/7.x-1.3 [4] https://www.drupal.org/user/3544915 [5] https://www.drupal.org/u/cambraca [6] https://www.drupal.org/u/nohup [7] https://www.drupal.org/user/102818 [8] https://www.drupal.org/user/102818