Severity Rating: CRITICAL
Software Affected
H5P module version prior 7.1.51.
File (Field) Paths module version prior 7.1.2.
Overview
Multiple
vulnerabilities have been reported in Drupal which could allow an
unauthenticated remote attacker to execute arbitrary code and bypass
security restrictions on the targeted system.
Description
1. Access Bypass
This
vulnerability exists in the File (Field) Paths module due to extends
the default functionality of Drupals core File module. A remote attacker
could exploit this vulnerability by guessing the temporary path used
for file upload.
Successful exploitation of this vulnerability could allow an attacker to bypass and manage security restrictions.
2. Remote Code Execution
This
vulnerability exists in the H5P module due to insufficient stop path
traversal. An attacker could exploit this vulnerability with "update h5p
libraries" permission to gain unauthorized access.
Successful exploitation of this vulnerability could allow an attacker to perform remote code execution on the targeted system.
Solution
Apply appropriate updates as mentioned:
Vendor Information
Drupal
References
Drupal
About Cert Advisory
We have created this blog to provide latest security advisory from the india cert for the security vulnerability, threats, attacks and patching required to mitigate any kind of cyber attacks.