Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2024-December-04
Vulnerability:
Access bypass
Affected versions:
<2.0.2
CVE IDs:
CVE-2024-13303
Description:
This module provides a field formatter for the field type 'file' called `Table of files with download all link` .
The module had vulnerabilities allowing a user to download files they normally should not be able to download.
Solution:
Install the latest version:
- If you use the Download All Files module, upgrade to 2.0.2 version
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Ivo Van Geertruyen of the Drupal Security Team
