[Security-news] File Chooser Field - Moderately critical - Server Side Request Forgery, Information Disclosure - SA-CONTRIB-2023-015
security-news at drupal.org
Wed May 17 17:26:54 UTC 2023
View online: https://www.drupal.org/sa-contrib-2023-015
Project: File Chooser Field [1]
Date: 2023-May-17
Security risk: *Moderately critical* 14/25
AC:Basic/A:User/CI:Some/II:None/E:Exploit/TD:All [2]
Vulnerability: Server Side Request Forgery, Information Disclosure
Description:
The File Chooser Field allows users to upload files using 3rd party plugins
such as Google Drive and Dropbox.
This module does not sufficiently validate user input, which under
certain circumstances could lead to a Server Side Request Forgery (SSRF)
vulnerability resulting in Information Disclosure. In uncommon configurations
and scenarios, it might lead to Remote Code Execution.
Solution:
* If you use File Chooser Field version 7.x-1.x, upgrade to 7.x-1.13 [3]
Reported By:
* Drew Webber [4] of the Drupal Security Team
* George Hazlewood [5]
Fixed By:
* Drew Webber [6] of the Drupal Security Team
* aaron.ferris [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/file_chooser_field
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/file_chooser_field/releases/7.x-1.13
[4] https://www.drupal.org/user/255969
[5] https://www.drupal.org/user/2314
[6] https://www.drupal.org/user/255969
[7] https://www.drupal.org/user/1338234
[8] https://www.drupal.org/user/36762