Loft Data Grids - Moderately critical - XML External Entity (XXE) Processing - SA-CONTRIB-2021-043

Джерело:
Security advisories for contributed projects

Дата публікації:
13/10/2021 19:32

Постійна адреса новини:
http://www.vsinovyny.com/8323683

Loft Data Grids - Moderately critical - XML External Entity (XXE) Processing - SA-CONTRIB-2021-043

13/10/2021 19:32 // Security advisories for contributed projects

Project:

Loft Data Grids

Date:

2021-October-13

Security risk:

Moderately critical 11∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Proof/TD:Uncommon

Vulnerability:

XML External Entity (XXE) Processing

Description:

This module enables aklump/loft_data_grids to be used as a Drupal module.

Excel support was provided by https://packagist.org/packages/phpoffice/phpexcel, which is abandoned and there are known security vulnerabilities: [CVE-2018-19277]: PHPOffice/PhpSpreadsheet#771. Excel support has since been replaced with the newer https://github.com/PHPOffice/PhpSpreadsheet library.

This module provides an API and This vulnerability is not exploitable in the module itself. This vulnerability only exists if custom code or another module uses the API of this module to read a spreadsheet.

Solution:

Upgraded to the the latest version.

Reported By:

Lucas Hedding

Fixed By:

Aaron Klump

Coordinated By:

Greg Knaddison of the Drupal Security Team
Michael Hess of the Drupal Security Team

» Читати повністю

«	Наступна новина з архіву Canonical Presence at KubeCon + CloudNativeCon NA: Keynote by Founder/CEO Mark Shuttleworth, Announcement of Ubuntu 12.10 Beta, and Operator Day	Попередня новина з архіву Потенційний канцлер Німеччини Шольц розраховує на новий уряд до Різдва	»