File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040

Project:

File Entity (fieldable files)

Date:

2024-September-11

Security risk:

Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default

Vulnerability:

Information Disclosure

CVE IDs:

CVE-2024-13276

Description:

This module enables you to store and manage both private and public files, provides the ability to add fieldable metadata for file_entity bundle types in addition to core file_managed data.

The module doesn't sufficiently ensure that folders exist within the private destination prior to writing to them. If the subfolder doesn't exist, the module places the file in a publicly accessible directory.

This vulnerability only affects sites with private files.

Solution:

Install the latest version:

If you use the file_entity module for Drupal 7, upgrade to file_entity 7.x-2.39 or newer.

Reported By:

Devin Zuczek

Fixed By:

Coordinated By:

Greg Knaddison of the Drupal Security Team
Damien McKenna of the Drupal Security Team
Juraj Nemec of the Drupal Security Team

Contribution record

File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community