POST File - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-059

Project:

POST File

Date:

2024-November-13

Security risk:

Moderately critical 12 ∕ 25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:All

Vulnerability:

Cross Site Request Forgery

Affected versions:

<1.0.2

CVE IDs:

CVE-2024-13293

Description:

The module creates an endpoint on the site at /postfile/upload that accepts a POST request for uploading a single file into a specified file system (public, private, etc).

The module doesn't sufficiently protect against Cross Site Request Forgery
under allowing an attacker to trick a site user into uploading a file.

Solution:

Install the latest version:

If you use the POST File module for Drupal 10.3.x/11.x, upgrade to Post File 1.0.2

Reported By:

Pierre Rudloff

Fixed By:

Scott Joudry

Coordinated By:

Greg Knaddison of the Drupal Security Team
Juraj Nemec of the Drupal Security Team

Contribution record

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

Contributing organizations for this advisory

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.

POST File - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-059

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community