Project: 
Date: 
2024-September-04
Vulnerability: 
Information Disclosure
Affected versions: 
<4.0.1
CVE IDs: 
CVE-2024-13270
Description: 

This module enables you to configure a wiki-like input filter that allows users to create links to site and external content.

The module doesn't sufficiently check if a user has access to some URLs before rendering them as links.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access content" (which is commonly assigned to all roles), and the site must be configured to disallow access to certain content.

Solution: 

Install the latest version:

  • If you use the freelinking module 4.0.x, upgrade to freelinking 4.0.1
  • If you use the freelinking module 8.x-3.x, upgrade to freelinking 4.0.1, as the 8.x-3.x branch is now unsupported
Reported By: 
Coordinated By: