Opigno group manager - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-027

Project:

Opigno group manager

Date:

2024-August-07

Security risk:

Critical 16 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All

Vulnerability:

Arbitrary PHP code execution

Affected versions:

<3.1.1

CVE IDs:

CVE-2024-13263

Description:

The Opigno group manager project is related to Opigno LMS distribution. It allows to build the contents of learning paths, by combining together modules, courses, and other activities, ordering them, and defining conditional rules for the transitions from one step to the next one.

An administration form allows execution of arbitrary code.

This issue is mitigated by several factors. First, it requires the attacker have the permission "update group learning_path". Additionally, it requires several steps and depends on other data in the system to be in place.

Solution:

Install the latest version:

If you use the opigno_group_manager module for Drupal 10.x, upgrade to opigno_group_manager 3.1.1

Reported By:

catch of the Drupal Security Team
Marcin Grabias

Fixed By:

Yurii Boichenko

Coordinated By:

Greg Knaddison of the Drupal Security Team
Benji Fisher of the Drupal Security Team

Contribution record

Opigno group manager - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-027

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community