[Security-news] H5P - Create and Share Rich Content and Applications - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-064

security-news at drupal.org security-news at drupal.org
Wed Dec 14 17:54:16 UTC 2022


View online: https://www.drupal.org/sa-contrib-2022-064

Project: H5P - Create and Share Rich Content and Applications [1]
Date: 2022-December-14
Security risk: *Moderately critical* 12/25
AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Remote Code Execution

Description: 
This module enables you to create interactive content.

The module does not sufficiently block path traversal through the file names
contained in uploaded .h5p archives (which are zip files): an entry name that
escapes the target directory can be written outside it.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "update h5p libraries". In addition, it is only
exploitable on Windows servers.
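
Added example, not code from the H5P module or from the 7.x-1.51 fix: a
zip-slip check in Python over the entry names of an uploaded .h5p archive.
The advisory says only that the traversal was through zipped file names and
that it is exploitable only on Windows, so the check below is the generic
hardening for this class of bug rather than a description of what the module
changed. It treats both "/" and "\" as separators before normalising, rejects
absolute paths and drive letters, and flags any entry that resolves outside
the library directory. The library path, the sample entry names and the
in-memory archive are all constructed for the example.

```python
"""Zip-slip check for uploaded .h5p archives (added example)."""
import io
import posixpath
import re
import zipfile

# Hypothetical destination; any absolute POSIX-style path works for the check.
LIBRARY_DIR = "/var/www/sites/default/files/h5p/libraries"

_DRIVE = re.compile(r"^[A-Za-z]:")  # "C:..." style Windows drive prefix

# Constructed sample: two legitimate entries followed by four traversal attempts.
SAMPLE_ENTRIES = [
    "h5p.json",
    "H5P.Foo-1.0/library.json",
    "../../sites/default/settings.php",  # POSIX-style traversal
    "..\\..\\evil.php",                  # backslash traversal (matters on Windows)
    "/etc/cron.d/evil",                  # absolute path
    "C:\\inetpub\\evil.php",             # drive letter
]


def unsafe_entry_names(names, dest=LIBRARY_DIR):
    """Return the entry names that would land outside `dest` once extracted.

    Both "/" and "\\" are treated as separators. A check that only understands
    "/" sees "..\\..\\x" as a single harmless file name, yet a filesystem that
    treats "\\" as a separator will walk up two directories when writing it.
    posixpath is used deliberately so the verdict does not depend on the host.
    """
    root = posixpath.normpath(dest)
    bad = []
    for name in names:
        norm = name.replace("\\", "/")
        if posixpath.isabs(norm) or _DRIVE.match(norm):
            bad.append(name)
            continue
        target = posixpath.normpath(posixpath.join(root, norm))
        # The trailing "/" stops "../libraries-old/x" from passing a bare
        # prefix test against ".../libraries".
        if target != root and not target.startswith(root + "/"):
            bad.append(name)
    return bad


def unsafe_entries_in_archive(zip_bytes, dest=LIBRARY_DIR):
    """Run the check over every entry of an archive supplied as bytes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return unsafe_entry_names([info.filename for info in zf.infolist()], dest)


def build_sample_h5p():
    """Build the constructed archive in memory, keeping entry names verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SAMPLE_ENTRIES:
            info = zipfile.ZipInfo("placeholder")
            info.filename = name  # assign after construction so "\\" survives
            zf.writestr(info, b"x")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in unsafe_entries_in_archive(build_sample_h5p()):
        print("rejecting entry:", repr(entry))
```

Run the check over the archive before extracting anything and reject the whole
upload if the returned list is non-empty; checking names after extraction is
too late, since the write has already happened.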

Solution: 
Install the latest version:

   * If you use the H5P module for Drupal 7.x, upgrade to H5P 7.x-1.51 [3]

Reported By: 
Disclosed publicly.

Fixed By: 
   * Frode Petterson [4]
   * paalj [5]

Coordinated By: 
   * Greg Knaddison [6] of the Drupal Security Team


[1] https://www.drupal.org/project/h5p
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/h5p/releases/7.x-1.51
[4] https://www.drupal.org/user/823190
[5] https://www.drupal.org/user/1091732
[6] https://www.drupal.org/user/36762
