From security-news at drupal.org Wed Oct 13 16:52:31 2021 From: security-news at drupal.org (security-news at drupal.org) Date: Wed, 13 Oct 2021 16:52:31 +0000 (UTC) Subject: [Security-news] Loft Data Grids - Moderately critical - XML External Entity (XXE) Processing - SA-CONTRIB-2021-043 Message-ID: View online: https://www.drupal.org/sa-contrib-2021-043 Project: Loft Data Grids [1] Date: 2021-October-13 Security risk: *Moderately critical* 11∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Proof/TD:Uncommon [2] Vulnerability:  XML External Entity (XXE) Processing Description:  This module enables aklump/loft_data_grids to be used as a Drupal module. Excel support was provided by https://packagist.org/packages/phpoffice/phpexcel [3], which is abandoned and there are known security vulnerabilities: [CVE-2018-19277]: PHPOffice/PhpSpreadsheet#771. Excel support has since been replaced with the newer https://github.com/PHPOffice/PhpSpreadsheet [4] library. This module provides an API and This vulnerability is not exploitable in the module itself. This vulnerability only exists if custom code or another module uses the API of this module to read a spreadsheet. Solution:  Upgraded to the the latest version. * https://www.drupal.org/project/loft_data_grids/releases/7.x-2.4 [5] * https://www.drupal.org/project/loft_data_grids/releases/8.x-1.4 [6] Reported By:  * Lucas Hedding [7] Fixed By:  * Aaron Klump [8] Coordinated By:  * Greg Knaddison [9] of the Drupal Security Team * Michael Hess [10] of the Drupal Security Team [1] https://www.drupal.org/project/loft_data_grids [2] https://www.drupal.org/security-team/risk-levels [3] https://packagist.org/packages/phpoffice/phpexcel [4] https://github.com/PHPOffice/PhpSpreadsheet [5] https://www.drupal.org/project/loft_data_grids/releases/7.x-2.4 [6] https://www.drupal.org/project/loft_data_grids/releases/8.x-1.4 [7] https://www.drupal.org/user/1463982 [8] https://www.drupal.org/user/142422 [9] https://www.drupal.org/user/36762 [10] https://www.drupal.org/user/102818