Monster Menus - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-052

Project:

Monster Menus

Date:

2024-October-23

Security risk:

Critical 19 ∕ 25 AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:All

Vulnerability:

Arbitrary PHP code execution

Affected versions:

<9.3.4 || >=9.4.0 <9.4.2

CVE IDs:

CVE-2024-13288

Description:

This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure.

In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize() function, which can result in arbitrary code execution.

Solution:

Install the latest version:

If you use Monster Menus branch 9.4.x, upgrade to monster_menus 9.4.2
If you use Monster Menus branch 9.3.x, upgrade to monster_menus 9.3.4

Reported By:

Drew Webber of the Drupal Security Team

Fixed By:

Drew Webber of the Drupal Security Team
Dan Wilga

Coordinated By:

Greg Knaddison of the Drupal Security Team
Juraj Nemec of the Drupal Security Team
Drew Webber of the Drupal Security Team

Contribution record

Monster Menus - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-052

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community