View online: https://www.drupal.org/sa-contrib-2024-028

Project: Opigno module [1] Date: 2024-August-07 Security risk: *Critical* 15∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Uncommon [2] Vulnerability: Arbitrary PHP code execution

Affected versions: <3.1.2 Description:  The Opigno module is related to Opigno LMS distribution. It implements the module entity, that is a sub-part of a training.

In the opigno_module module, uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution (RCE) and/or Cross Site Scripting (XSS).

This vulnerability is mitigated by the fact that it requires the attacker have a role with the permission "create opigno tincan activities".

Solution:  Install the latest version:

* If you use the /opigno_module/ module, upgrade to opigno_module >= 3.1.2 [3]

Reported By:  * Marcin Grabias [4] * catch [5] of the Drupal Security Team

Fixed By:  * Yurii Boichenko [6] * Axel Minck [7] * Yuriy Korzhov [8] * Andrii Aleksandrov [9] * catch [10] of the Drupal Security Team

Coordinated By:  * Greg Knaddison [11] of the Drupal Security Team

[1] https://www.drupal.org/project/opigno_module [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/opigno_module/releases/3.1.2 [4] https://www.drupal.org/user/1599440 [5] https://www.drupal.org/user/35733 [6] https://www.drupal.org/user/624860 [7] https://www.drupal.org/user/1065700 [8] https://www.drupal.org/user/3477971 [9] https://www.drupal.org/user/3368060 [10] https://www.drupal.org/user/35733 [11] https://www.drupal.org/user/36762