The Opigno module is related to the Opigno LMS distribution. It implements the module entity, which is a sub-part of a training.
In the opigno_module module, uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution (RCE) and/or Cross-Site Scripting (XSS).
This vulnerability is mitigated by the fact that it requires the attacker to have a role with the permission "create opigno tincan activities".
Install the latest version:
- If you use the opigno_module module, upgrade to opigno_module >= 3.1.2
- Marcin Grabias
- catch of the Drupal Security Team
- Yurii Boichenko
- Axel Minck
- Yuriy Korzhov
- Andrii Aleksandrov
- catch of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
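One way to check a site against this advisory, as an added example that is not part of the advisory or the project's code: it reads `composer.lock` for the installed opigno_module version and scans an exported config sync directory for roles holding the "create opigno tincan activities" permission. The Composer package name `drupal/opigno_module`, the function names and the sample data are assumptions made for illustration.

```python
import json
import re
from pathlib import Path

PERMISSION = "create opigno tincan activities"  # permission named in the advisory
FIXED = (3, 1, 2)                               # fixed release named in the advisory
PACKAGE = "drupal/opigno_module"                # assumption: Composer package name


def locked_version(lock_text):
    """Return the opigno_module version recorded in composer.lock, or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None


def is_fixed(version):
    """True/False for plain x.y.z versions; None if absent or not comparable."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version or "")
    return tuple(map(int, m.groups())) >= FIXED if m else None


def role_grants(role_yaml):
    """Check one exported user.role.*.yml (line scan, no YAML library needed)."""
    in_perms = False
    for line in role_yaml.splitlines():
        if re.match(r"is_admin:\s*true\b", line):
            return True  # admin roles hold every permission implicitly
        if line.startswith("permissions:"):
            in_perms = True
        elif in_perms and re.match(r"\s*-\s", line):
            if line.split("-", 1)[1].strip().strip("'\"") == PERMISSION:
                return True
        elif in_perms and line.strip():
            in_perms = False  # reached the next top-level key
    return False


def audit(project_root, sync_dir):
    """Summarise patch status and the role files that can reach the upload path."""
    version = locked_version((Path(project_root) / "composer.lock").read_text())
    roles = sorted(p.name for p in Path(sync_dir).glob("user.role.*.yml")
                   if role_grants(p.read_text()))
    return {"version": version, "fixed": is_fixed(version), "roles": roles}


# Constructed sample, not taken from a real site.
SAMPLE_LOCK = '{"packages": [{"name": "drupal/opigno_module", "version": "3.1.1"}]}'
SAMPLE_ROLE = "id: teacher\nis_admin: false\npermissions:\n  - 'access content'\n  - 'create opigno tincan activities'\n"
```

A `fixed` value of `None` means the locked version is a dev branch or the module is not installed, so it needs a manual look rather than a pass.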