[Security-news] Video - Critical - Remote Code Execution - SA-CONTRIB-2019-037
security-news at drupal.org
Wed Mar 13 17:37:14 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-037
Project: Video [1]
Date: 2019-March-13
Security risk: *Critical* 19∕25
AC:None/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Remote Code Execution
Description:
This module provides a field where editors can add videos to their content,
and it offers functionality to transcode these videos to different sizes and
formats.
The module doesn't sufficiently sanitize some user input on administrative
forms.
Solution:
* If you use the Video module for Drupal 7.x, upgrade to Video 7.x-2.14 [3]
Also see the Video [4] project page.
Note that the Drupal 8 version of this module is unaffected.
Reported By:
* Samuel Mortenson [5] of the Drupal Security Team
Fixed By:
* Michael Hess [6] of the Drupal Security Team
* Jorrit Schippers [7]
* Samuel Mortenson [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
Coordinated By:
* Michael Hess [10] of the Drupal Security Team
[1] https://www.drupal.org/project/video
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/video/releases/7.x-2.14
[4] https://www.drupal.org/project/video
[5] https://www.drupal.org/user/2582268
[6] https://www.drupal.org/user/102818
[7] https://www.drupal.org/user/161217
[8] https://www.drupal.org/user/2582268
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/102818