H5P - Create and Share Rich Content and Applications - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-064

Project: H5P - Create and Share Rich Content and Applications
Date: 2022-December-14
Security risk: Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description: This module enables you to create interactive content.

The module doesn't sufficiently stop path traversal attacks through zipped filenames for the uploadable .h5p files.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "update h5p libraries". In addition, it is only exploitable on Windows servers.

Solution: Install the latest version:

  • If you use the H5P module for Drupal 7.x, upgrade to H5P 7.x-1.51
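As an added illustration of the defect class the description names (archive entry names that traverse out of the extraction directory), the following is generic example code written for this advisory page, not the H5P module's own code, and it makes no assumptions about H5P internals. It validates every entry name in an uploaded zip before anything is written to disk, treating both "/" and "\" as separators and rejecting drive-letter and UNC prefixes, because a check that only looks for "../" is exactly what a Windows server would let through. The sample archive it inspects is constructed inline.

```python
import io
import ntpath
import zipfile


def is_safe_member_name(name: str) -> bool:
    """Return True only if a zip entry name cannot escape the extraction root.

    Both '/' and '\\' are treated as separators: on Windows the OS accepts a
    backslash in a path, so a check that only looks for "../" misses "..\\".
    """
    if not name or "\x00" in name:
        return False
    unified = name.replace("\\", "/")
    # Absolute paths, UNC paths and drive-letter prefixes (C:...) are rejected.
    if unified.startswith("/") or ntpath.splitdrive(name)[0]:
        return False
    # Any ".." component is rejected, wherever it sits in the path.
    return ".." not in unified.split("/")


def unsafe_members(archive: bytes) -> list[str]:
    """List the entry names in a zip archive (given as bytes) that fail the check.

    An uploader should reject the whole archive when this list is non-empty,
    before extracting a single entry.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [i.filename for i in zf.infolist() if not is_safe_member_name(i.filename)]


def build_sample_archive() -> bytes:
    """Constructed sample: a small .h5p-style zip mixing benign and hostile names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("h5p.json", "{}")                      # benign
        zf.writestr("content/content.json", "{}")          # benign, nested
        zf.writestr("../outside.txt", "x")                 # POSIX-style traversal
        zf.writestr("..\\..\\outside2.txt", "x")           # backslash traversal (Windows)
        zf.writestr("C:\\Temp\\drive.txt", "x")            # drive-letter absolute path
    return buf.getvalue()


if __name__ == "__main__":
    # The three hostile entries are reported; the two benign ones pass.
    print("rejected entries:", unsafe_members(build_sample_archive()))
```

Validating names up front is only the first layer: after joining the entry name to the destination directory, a robust extractor also resolves the final path and confirms it still lies under that directory before creating the file.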

Reported By: Disclosed publicly.
Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2022-064