View online: https://www.drupal.org/sa-contrib-2019-045

Project: TableField [1] Date: 2019-April-17 Security risk: *Critical* 16∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Default [2] Vulnerability: Remote Code Execution

Description:  This module allows you to attach tabular data to an entity.

The module doesn't sufficiently determine that the data being unserialized is the contents of a tablefield when users request a CSV export, which could lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'export tablefield', and be able to insert a payload into an entity's field.

Solution:  Install the latest version:

* If you use the Tablefield module 7.x-3.x branch for Drupal 7.x, upgrade to tablefield 7.x-3.4 [3]

Reported By:  * Drew Webber [4] Provisional Security Team Member

Fixed By:  * Drew Webber [5] Provisional Security Team Member * Martin Postma [6] * Jen Lampton [7]

Coordinated By:  * Greg Knaddison [8] of the Drupal Security Team

[1] https://www.drupal.org/project/tablefield [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/tablefield/releases/7.x-3.4 [4] https://www.drupal.org/user/255969 [5] https://www.drupal.org/user/255969 [6] https://www.drupal.org/user/210402 [7] https://www.drupal.org/user/85586 [8] https://www.drupal.org/user/36762