[Security-news] Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063
security-news at drupal.org
security-news at drupal.org
Wed Nov 20 20:25:59 UTC 2024
View online: https://www.drupal.org/sa-contrib-2024-063
Project: Eloqua [1]
Date: 2024-November-20
Security risk: *Moderately critical* 14 ∕ 25
AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Arbitrary PHP code execution
Description:
This module integrates webforms with eloqua, an automated marketing and
demand generation software built to improve the quality and quantity of
customers' sales leads and streamline their sales processes.
In certain cases the module doesn't sufficiently sanitize data before passing
it to PHP's unserialize() function, which could result in Remote Code
Execution via PHP Object Injection.
This vulnerability is mitigated by the fact that an attack must operate with
the permission "access administration pages", however this could be the case
if this issue were combined with others in an "attack chain".
Solution:
Install the latest version:
* If you use the Eloqua module for Drupal 7.x, upgrade to Eloqua 7.x-1.15
[3]
Reported By:
* Drew Webber [4] of the Drupal Security Team
Fixed By:
* Albert Volkman [5]
Coordinated By:
* Greg Knaddison [6] of the Drupal Security Team
[1] https://www.drupal.org/project/eloqua
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/eloqua/releases/7.x-1.15
[4] https://www.drupal.org/user/255969
[5] https://www.drupal.org/user/429502
[6] https://www.drupal.org/user/36762
More information about the Security-news
mailing list