View online: https://www.drupal.org/sa-contrib-2024-063

Project: Eloqua [1] Date: 2024-November-20 Security risk: *Moderately critical* 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon [2] Vulnerability: Arbitrary PHP code execution

Description:  This module integrates webforms with eloqua, an automated marketing and demand generation software built to improve the quality and quantity of customers' sales leads and streamline their sales processes.

In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize() function, which could result in Remote Code Execution via PHP Object Injection.

This vulnerability is mitigated by the fact that an attack must operate with the permission "access administration pages", however this could be the case if this issue were combined with others in an "attack chain".

Solution:  Install the latest version:

* If you use the Eloqua module for Drupal 7.x, upgrade to Eloqua 7.x-1.15 [3]

Reported By:  * Drew Webber [4] of the Drupal Security Team

Fixed By:  * Albert Volkman [5]

Coordinated By:  * Greg Knaddison [6] of the Drupal Security Team

[1] https://www.drupal.org/project/eloqua [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/eloqua/releases/7.x-1.15 [4] https://www.drupal.org/user/255969 [5] https://www.drupal.org/user/429502 [6] https://www.drupal.org/user/36762