"Ricochet has been invaluable in taking our website to the next level. Throughout the development process, they met every need and were able to find creative solutions for every curveball we threw at them. Their knowledge of the latest web technologies, professionalism, and responsiveness brought everything together for us. I can highly recommend Ricochet Consulting to anyone looking to surge past their competition."
—Scott M. Wayne,

Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063

Wed, 2024-11-20 11:11 — Anonymous (not verified)

Project: EloquaDate: 2024-November-20Security risk: Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Arbitrary PHP code executionDescription: This module integrates webforms with eloqua, an automated marketing and demand generation software built to improve the quality and quantity of customers' sales leads and streamline their sales processes.
In certain cases the module doesn't sufficiently sanitize data before passing it to PHP's unserialize() function, which could result in Remote Code Execution via PHP Object Injection.
This vulnerability is mitigated by the fact that an attack must operate with the permission "access administration pages", however this could be the case if this issue were combined with others in an "attack chain".Solution: Install the latest version:

If you use the Eloqua module for Drupal 7.x, upgrade to Eloqua 7.x-1.15

Reported By:

Drew Webber of the Drupal Security Team

Fixed By:

Albert Volkman

Coordinated By:

Greg Knaddison of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2024-063

Search form

Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063