Date: 
2024-August-21
Vulnerability: 
Arbitrary PHP code execution
CVE IDs: 
CVE-2024-13267
Description: 

The Opigno TinCan Question Type module is related to Opigno LMS distribution. The module adds a new question type for the Quiz module. With this new question type, you will be able to import TinCan Packages to your Drupal instance and to use it as a question.

Uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution (RCE) and/or Cross Site Scripting (XSS).

This vulnerability is mitigated by the fact that it requires the attacker have a role with the permission to create or edit "TinCan Package" content type.

Solution: 

Install the latest version:

Reported By: 
Fixed By: 
Coordinated By: