[Security-news] Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069
security-news at drupal.org
security-news at drupal.org
Wed Dec 4 17:22:02 UTC 2024
View online: https://www.drupal.org/sa-contrib-2024-069
Project: Download All Files [1]
Date: 2024-December-04
Security risk: *Critical* 16 ∕ 25
AC:None/A:None/CI:Some/II:None/E:Proof/TD:All [2]
Vulnerability: Access bypass
Affected versions: <2.0.2
Description:
This module provides a field formatter for the field type 'file' called
`Table of files with download all link` .
The module had vulnerabilities allowing a user to download files they
normally should not be able to download.
Solution:
Install the latest version:
* If you use the Download All Files module, upgrade to 2.0.2 version [3]
Reported By:
* Pierre Rudloff [4]
* Jeroen Tubex [5]
Fixed By:
* Jeroen Tubex [6]
* striknin [7]
* Giuseppe [8]
Coordinated By:
* Greg Knaddison [9] of the Drupal Security Team
* Damien McKenna [10] of the Drupal Security Team
* Ivo Van Geertruyen [11] of the Drupal Security Team
[1] https://www.drupal.org/project/download_all_files
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/download_all_files/releases/2.0.2
[4] https://www.drupal.org/user/3611858
[5] https://www.drupal.org/user/2228934
[6] https://www.drupal.org/user/2228934
[7] https://www.drupal.org/user/1234206
[8] https://www.drupal.org/user/3521392
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/108450
[11] https://www.drupal.org/user/383424
More information about the Security-news
mailing list