[Security-news] Media: oEmbed - Critical - Remote Code Execution - SA-CONTRIB-2020-036
security-news at drupal.org
security-news at drupal.org
Wed Nov 18 17:57:09 UTC 2020
View online: https://www.drupal.org/sa-contrib-2020-036
Project: Media: oEmbed [1]
Date: 2020-November-18
Security risk: *Critical* 17∕25
AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:Default [2]
Vulnerability: Remote Code Execution
Description:
Media oEmbed does not properly sanitize certain filenames as described in
SA-CORE-2020-012 [3].
Solution:
Install the latest version:
* Upgrade to Media oEmbed 7.x-2.8 [4]
Reported By:
* Alex Pott [5] of the Drupal Security Team
Fixed By:
* Samuel Mortenson [6] of the Drupal Security Team
* Alex Pott [7] of the Drupal Security Team
* Drew Webber [8] of the Drupal Security Team
Coordinated By:
* Samuel Mortenson [9] of the Drupal Security Team
* Alex Pott [10] of the Drupal Security Team
* Drew Webber [11] of the Drupal Security Team
* xjm [12] of the Drupal Security Team
[1] https://www.drupal.org/project/media_oembed
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-core-2020-012
[4] https://www.drupal.org/project/media_oembed/releases/7.x-2.8
[5] https://www.drupal.org/user/157725
[6] https://www.drupal.org/user/2582268
[7] https://www.drupal.org/user/157725
[8] https://www.drupal.org/user/255969
[9] https://www.drupal.org/user/2582268
[10] https://www.drupal.org/user/157725
[11] https://www.drupal.org/user/255969
[12] https://www.drupal.org/user/65776
More information about the Security-news
mailing list