Project: 
Date: 2024-November-13
Vulnerability: Cross Site Scripting, Arbitrary PHP code execution
Affected versions: <1.0.2
CVE IDs: CVE-2024-13294
Description: 

The module creates an endpoint on the site at /postfile/upload that accepts a POST request for uploading a single file into a specified file system (public, private, etc.).

This module accepts any uploaded file extension, including dangerous file formats, so it can be used to bypass the allow_insecure_uploads config.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "postfile upload".
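For contrast with the behaviour described above, here is an added example (not the POST File module's own code, nor Drupal core's API) of the kind of filename gate an upload endpoint needs: an extension allowlist plus a check that honours an allow_insecure_uploads flag. The allowlist, the insecure-extension regex and the function name are assumptions for illustration.

```php
<?php
// Added example, not the POST File module's code: an upload-name gate that honours an
// allow_insecure_uploads flag instead of accepting any extension. Lists/regex are assumed.
declare(strict_types=1);

// Extensions a web server may execute or treat as script (constructed list, not core's).
const INSECURE_EXTENSION_REGEX = '/\.(phar|php|phtml|pl|py|cgi|asp|js|yaml|yml)(\.|$)/i';

/**
 * Decide whether an uploaded filename may be stored.
 *
 * @param string   $filename             Client-supplied filename (untrusted).
 * @param string[] $allowedExtensions    Allowlist without dots, e.g. ['jpg', 'png', 'pdf'].
 * @param bool     $allowInsecureUploads Mirrors the allow_insecure_uploads config flag.
 * @return array{ok: bool, name: string, reason: string}
 */
function validate_upload_filename(string $filename, array $allowedExtensions, bool $allowInsecureUploads): array
{
    // Drop any path component the client may have sent ("../x.php").
    $name = basename(str_replace('\\', '/', $filename));
    if ($name === '' || $name === '.' || $name === '..') {
        return ['ok' => false, 'name' => $name, 'reason' => 'empty or invalid filename'];
    }
    // The final extension must be on the allowlist (compared case-insensitively).
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, array_map('strtolower', $allowedExtensions), true)) {
        return ['ok' => false, 'name' => $name, 'reason' => "extension '$ext' not in allowlist"];
    }
    // Unless insecure uploads are explicitly enabled, refuse executable extensions anywhere
    // in the name: "img.php.jpg" is still run as PHP by some server configurations.
    if (!$allowInsecureUploads && preg_match(INSECURE_EXTENSION_REGEX, $name)) {
        return ['ok' => false, 'name' => $name, 'reason' => 'insecure extension present'];
    }
    return ['ok' => true, 'name' => $name, 'reason' => ''];
}

// Constructed sample inputs: [filename, allowlist, allow_insecure_uploads].
$cases = [
    ['report.pdf',  ['pdf', 'jpg'], false], // accepted
    ['script.php',  ['pdf', 'jpg'], false], // rejected: not in allowlist
    ['img.php.jpg', ['pdf', 'jpg'], false], // rejected: insecure extension in the middle
    ['img.php.jpg', ['pdf', 'jpg'], true],  // accepted only because the flag is on
];
foreach ($cases as [$file, $allowed, $insecure]) {
    $r = validate_upload_filename($file, $allowed, $insecure);
    printf("%-12s allow_insecure=%d -> %s %s\n", $file, (int) $insecure, $r['ok'] ? 'ACCEPT' : 'REJECT', $r['reason']);
}
```

The point of the second check is that an allowlist on the last extension alone is not enough when the flag is off; a name carrying an executable extension in an earlier segment must be refused (or renamed) as well.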

Solution: 

Install the latest version:

  • If you use the POST File module for Drupal 10.3.x/11.x, upgrade to POST File 1.0.2
Reported By: 
Fixed By: 
Coordinated By: