File (Field) Paths - Moderately critical - Access bypass - SA-CONTRIB-2022-065

Project: File (Field) PathsDate: 2022-December-14Security risk: Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: The File (Field) Paths module extends the default functionality of Drupal's core File module, by adding the ability to use entity-based tokens in destination paths and file names.
The module's default configuration could temporarily expose private files to anonymous visitors.
Important note: to fix the problem, database updates must be run in addition to updating the module.
It's possible to make a configuration change to mitigate this problem in the admin UI at /admin/config/media/file-system/filefield-paths - the temp file location should use either the temporary:// or private:// stream wrapper if uploaded files should not be exposed publicly.
This vulnerability is mitigated by the fact that an attacker must be able to guess the temporary path used for file upload.Solution: Install the latest version:

Reported By: 

Fixed By: 

Coordinated By: 

Path to article