Media - Moderately Critical - Multiple vulnerabilities - SA-CONTRIB-2017-044 - Security-news

10 May 2017


      View online: https://www.drupal.org/node/2877316
* Advisory ID: DRUPAL-SA-CONTRIB-2017-044
   * Project: Media [1]     (third-party module)
   * Version: 7.x
   * Date: 2017-May-10
   * Security risk: 16/25 ( Critical)
     AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Default [2]
   * Vulnerability: Information Disclosure, Arbitrary PHP code execution,
     Multiple vulnerabilities
-------- DESCRIPTION
---------------------------------------------------------
This module provides intuitive ways to manage large libraries of media,
insert or display or import various types of media either through fields or a
wysiwyg interface.
Versions of this module prior to 7.x-2.1 or 7.x-3.0-alpha5 did not
sufficiently whitelist input parameters for the media browser.
This vulnerability in the versions of media prior to those aforementioned is
mitigated by the fact that an attacker must have a role with the permission
upload files and view media browser.
-------- VERSIONS AFFECTED
---------------------------------------------------
* Media 7.x-2.x versions prior to 7.x-2.1.
   * Media 7.x-3.x versions prior to 7.x-3.0-alpha4.
Drupal core is not affected. If you do not use the contributed Media [3]
module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the media module, it is recommended to upgrade to media 
version
     7.x-2.1 (stable) or to 7.x-3.0-alpha5 (cutting edge) or newer.
Also see the Media [4] project page.
-------- REPORTED BY
---------------------------------------------------------
* Richard Thomas [5] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Joseph Olstad [6] the module maintainer
   * Richard Thomas [7] of the Drupal Security Team
-------- COORDINATED BY
------------------------------------------------------
* Michael Hess [8] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [9].
Learn more about the Drupal Security team and their policies [10], writing
secure code for Drupal [11], and  securing your site [12].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [13]
[1] https://www.drupal.org/project/media
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/media
[4] https://www.drupal.org/project/media
[5] https://www.drupal.org/u/richard.thomas
[6] https://www.drupal.org/u/joseph.olstad
[7] https://www.drupal.org/u/richard.thomas
[8] https://www.drupal.org/u/mlhess
[9] https://www.drupal.org/contact
[10] https://www.drupal.org/security-team
[11] https://www.drupal.org/writing-secure-code
[12] https://www.drupal.org/security/secure-configuration
[13] https://twitter.com/drupalsecurity