Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2018-January-24
Vulnerability:
Arbitrary PHP code execution
Description:
This module enables you to create manual and scheduled backups of a site, and restore the site from backup.
The module doesn't sufficiently identify that its custom permissions are risky and should only be granted to highly trusted roles.
Sites using this module should review the permissions page to verify only trusted users are granted permissions defined by the module.
Solution:
Install the latest version:
- If you use the Backup and Migrate module for Drupal 7.x, upgrade to Backup and Migrate 7.x-3.4.
Reported By:
- John Bickar
- Cash Williams of the Drupal Security Team.
Fixed By:
- Damien McKenna the module maintainer.
- Alex Andrascu the module maintainer.
- Daniel Pickering the module maintainer.
- Pere Orga of the Drupal Security Team.
Coordinated By:
- Damien McKenna of the Drupal Security Team.
