File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040
Project: File Entity (fieldable files)
Date: 2024-September-11
Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information Disclosure
Description: This module enables you to store and manage both private and public files, and provides the ability to add fieldable metadata for file_entity bundle types in addition to core file_managed data.
The module doesn't sufficiently ensure private destination folders exist prior to writing to them. If the folder doesn't exist, the module places the file in a publicly accessible directory.
This vulnerability only affects sites with private files.
Solution: Install the latest version:
- If you use the file_entity module for Drupal 7, upgrade to file_entity 7.x-2.39 or newer.
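The failure mode in the description is a silent fallback: the private folder is missing, so the file lands somewhere public. As an added example (plain PHP, not the module's code or its fix; all function names and paths are hypothetical), the code below creates the private destination before writing and rejects the upload if that cannot be done.

```php
<?php
// Added illustration: plain PHP, not file_entity's code or its patch.
// All function names and paths here are hypothetical.

/**
 * Make sure a private destination directory exists and is writable.
 * Returns the directory on success; throws instead of choosing another location.
 */
function ensure_private_directory(string $privateRoot, string $subdir): string {
  $root = realpath($privateRoot);
  if ($root === false || !is_dir($root)) {
    throw new RuntimeException("Private file root is missing: $privateRoot");
  }
  // Reject traversal so the target cannot leave the private root.
  if (preg_match('#(^|/)\.\.(/|$)#', $subdir)) {
    throw new InvalidArgumentException("Invalid subdirectory: $subdir");
  }
  $target = $root . '/' . trim($subdir, '/');
  // Create the folder before writing; 0700 keeps it owner-only.
  if (!is_dir($target) && !mkdir($target, 0700, true) && !is_dir($target)) {
    throw new RuntimeException("Cannot create private directory: $target");
  }
  if (!is_writable($target)) {
    throw new RuntimeException("Private directory is not writable: $target");
  }
  return $target;
}

/**
 * Store an upload as private. On any failure the upload is rejected;
 * there is deliberately no fallback to a public directory.
 */
function store_private_upload(string $tmpPath, string $privateRoot, string $subdir, string $name): string {
  $dir = ensure_private_directory($privateRoot, $subdir);
  $dest = $dir . '/' . basename($name);
  if (!rename($tmpPath, $dest)) {
    throw new RuntimeException("Could not move upload to $dest");
  }
  return $dest;
}

// Constructed demo: a temp directory stands in for the site's private root.
$root = sys_get_temp_dir() . '/private_demo_' . getmypid();
mkdir($root, 0700);
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "constructed sample content\n");
echo store_private_upload($tmp, $root, 'reports/2024', 'q3.pdf'), "\n";
```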
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team