Localization update - Moderately critical - Insecure server configuration - SA-CONTRIB-2019-072

Project: Localization updateDate: 2019-October-02Security risk: Moderately critical 10∕25 AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Insecure server configurationDescription: This module enables you to automatically download and update the site's interface translation by fetching them from localize.drupal.org or any other Localization server.
The module doesn't sufficiently protect the directory it stores translation files in. It's conventional for directories which may be writeable to be protected by a .htaccess file to prevent malicious PHP files placed within them being executed by the webserver. This vulnerability is mitigated by the fact that an attacker typically wouldn't be able to place a malicious file in the module's storage directory.Solution: Install the latest version:

Also see the Localization update project page.Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2019-072