File Entity (fieldable files) - Moderately critical - Information Disclosure - SA-CONTRIB-2024-040

Project: File Entity (fieldable files)
Date: 2024-September-11
Security risk: Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Information Disclosure
Description: This module enables you to store and manage both private and public files, and provides the ability to add fieldable metadata for file_entity bundle types in addition to core file_managed data.
The module doesn't sufficiently ensure private destination folders exist prior to writing to them. If the folder doesn't exist, the module places the file in a publicly accessible directory.
This vulnerability only affects sites with private files.
Solution: Install the latest version:

Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2024-040
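
The failure mode in the description, as an added PHP illustration that is not File Entity's code: a destination resolver that falls back to a public folder when the private one is missing, beside a variant that creates the folder or refuses the write. The function names, the sandbox paths and the fallback mechanism itself are assumptions; the advisory does not show the module's code.

```php
<?php
// Added illustration, not File Entity's code. Function names and paths are hypothetical.

// Fail-open: a missing private folder silently redirects the write to the public root.
function destination_fail_open(string $privateRoot, string $publicRoot, string $subdir): string
{
    $target = $privateRoot . '/' . $subdir;
    return is_dir($target) ? $target : $publicRoot;
}

// Fail-closed: create the private folder if needed, and refuse the write otherwise.
function destination_fail_closed(string $privateRoot, string $subdir): string
{
    $target = $privateRoot . '/' . $subdir;
    if (!is_dir($target) && !@mkdir($target, 0700, true) && !is_dir($target)) {
        throw new RuntimeException("private destination unavailable: $target");
    }
    if (!is_writable($target)) {
        throw new RuntimeException("private destination not writable: $target");
    }
    return $target;
}

// Constructed sandbox standing in for a site's private and public file roots.
$base    = sys_get_temp_dir() . '/sa_demo_' . bin2hex(random_bytes(4));
$private = $base . '/private';
$public  = $base . '/public';
mkdir($private, 0700, true);
mkdir($public, 0755, true);

// private/invoices does not exist yet, so the fail-open variant picks the public root.
$open = destination_fail_open($private, $public, 'invoices');
echo 'fail-open   -> ', $open, PHP_EOL;

// The fail-closed variant creates private/invoices and stays inside the private root.
$closed = destination_fail_closed($private, 'invoices');
file_put_contents($closed . '/report.txt', 'constructed sample content');
echo 'fail-closed -> ', $closed, PHP_EOL;

// A regular file where the folder should be: the write is refused, never redirected.
file_put_contents($private . '/blocked', '');
try {
    destination_fail_closed($private, 'blocked/sub');
} catch (RuntimeException $e) {
    echo 'refused     -> ', $e->getMessage(), PHP_EOL;
}
```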