Opigno Learning path - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-029

Project:

Opigno Learning path

Date:

2024-August-07

Security risk:

Critical 16 ∕ 25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Default

Vulnerability:

Arbitrary PHP code execution

Affected versions:

<3.1.2

CVE IDs:

CVE-2024-13265

Description:

The Opigno Learning Path module enables you to manage group content.

Administrative forms allow uploading malicious files which may contain arbitrary code (RCE) or cross site scriptiong (XSS). These forms were not adequately controlled with permissions that communicate the severity of the permission.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Manage group content in any group".

Solution:

Install the latest version:

If you use the opigno_learning_path module, upgrade it to opigno_learning_path >= 3.1.2

Reported By:

Marcin Grabias
catch of the Drupal Security Team

Fixed By:

Axel Minck
Yuriy Korzhov
Andrii Aleksandrov
Yurii Boichenko

Coordinated By:

Greg Knaddison of the Drupal Security Team

Contribution record

Opigno Learning path - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-029

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community