[Security-news] File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040
security-news at drupal.org
security-news at drupal.org
Wed Sep 11 17:33:17 UTC 2024
View online: https://www.drupal.org/sa-contrib-2024-040
Project: File Entity (fieldable files) [1]
Date: 2024-September-11
Security risk: *Moderately critical* 10 ∕ 25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Information Disclosure
Description:
This module enables you to store and manage both private and public files,
provides the ability to add fieldable metadata for file_entity bundle types
in addition to core file_managed data.
The module doesn't sufficiently ensure private destination folders exist
prior to writing to them. If the folder doesn't exist, the module places the
file in a publicly accessible directory.
This vulnerability only affects sites with private files.
Solution:
Install the latest version:
* If you use the file_entity module for Drupal 7, upgrade to file_entity
7.x-2.39 [3] or newer.
Reported By:
* Devin Zuczek [4]
Fixed By:
* Devin Zuczek [5]
* Joseph Olstad [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
* Damien McKenna [8] of the Drupal Security Team
* Juraj Nemec [9] of the Drupal Security Team
[1] https://www.drupal.org/project/file_entity
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/file_entity/releases/7.x-2.39
[4] https://www.drupal.org/user/701754
[5] https://www.drupal.org/user/701754
[6] https://www.drupal.org/user/1321830
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/u/DamienMcKenna
[9] https://www.drupal.org/u/poker10
More information about the Security-news
mailing list