View online: https://www.drupal.org/sa-contrib-2019-012
Project: Public Download Count [1]
Date: 2019-February-06
Security risk: *Less critical* 8∕25 AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Open Redirect Vulnerability
Description: This module enables you to track download counts of files linked from a Drupal site. Links in Drupal content are rewritten to go through an intermediate page that records download stats and then redirects to the final destination.
The module did not verify that the links provided to the intermediate page were actually present in the Drupal site content and did not contain checks to prevent external sites from accessing the counter.
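One way to implement the missing check, as an added example (not pubdlcnt's code, and not necessarily how 7.x-1.3 fixes it): sign each link when site content is rewritten, and have the intermediate page refuse any destination that does not carry a valid signature. The function names, the /counter path and the key are hypothetical.

```php
<?php
// Added illustration; not pubdlcnt code. All names below are hypothetical.

// Assumption: a per-site secret that never leaves the server.
const LINK_KEY = 'constructed-demo-key';

// Called while rendering site content: rewrite a file link so it goes
// through the counter page, binding the destination to a signature.
function counter_link(string $fileUrl): string {
    $sig = hash_hmac('sha256', $fileUrl, LINK_KEY);
    return '/counter?' . http_build_query(['file' => $fileUrl, 'sig' => $sig]);
}

// Called by the intermediate page: returns the redirect target, or null
// when the request must be refused (no count recorded, no redirect sent).
function counter_target(array $query): ?string {
    $file = $query['file'] ?? null;
    $sig  = $query['sig'] ?? null;
    if (!is_string($file) || !is_string($sig)) {
        return null; // missing or array-valued parameters
    }
    $expected = hash_hmac('sha256', $file, LINK_KEY);
    if (!hash_equals($expected, $sig)) {
        return null; // destination was not produced by counter_link()
    }
    return $file;
}

// Constructed sample input: one link the site generated, one it did not.
$link = counter_link('https://files.example.org/report.pdf');
parse_str(parse_url($link, PHP_URL_QUERY), $siteLink);
$foreign = ['file' => 'https://unrelated.example.net/', 'sig' => str_repeat('0', 64)];

var_dump(counter_target($siteLink)); // link from site content
var_dump(counter_target($foreign));  // link built outside the site
```

Because only the site can mint a valid signature, the same check also keeps external pages from driving the counter with links of their own.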
Solution: Install the latest version:
* If you use pubdlcnt for Drupal 7.x, upgrade to pubdlcnt 7.x-1.3 [3]
Also see the Public Download Count [4] project page.
Reported By:
* Jack Over [5]
Fixed By:
* Corey Halpin [6]
Coordinated By:
* Michael Hess [7] of the Drupal Security Team
[1] https://www.drupal.org/project/pubdlcnt
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/pubdlcnt/releases/7.x-1.3
[4] https://www.drupal.org/project/pubdlcnt
[5] https://www.drupal.org/user/953390
[6] https://www.drupal.org/user/3485405
[7] https://www.drupal.org/user/102818