Opigno - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-032
Project: Opigno
Date: 2024-August-21
Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Arbitrary PHP code execution
Description: The Opigno module is related to the Opigno LMS distribution. The Opigno Scorm submodule exposes an API for extracting and handling SCORM packages.
Uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution (RCE) and/or Cross Site Scripting (XSS).
This vulnerability is mitigated by the fact that it affected only specific activity types.
Solution: Install the latest version:
- If you use the opigno module, upgrade to opigno 7.x-1.23
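To make the class of check this advisory refers to concrete, the following is an added PHP example; it is not code from the Opigno project and not a description of the actual fix. It shows a hypothetical validator (`ScormPackageValidator` and `importScormPackage` are invented names) that inspects every entry of an uploaded SCORM ZIP before anything is written to disk: paths must be relative with no traversal segments, file types must be on an allowlist of static content types, and a root `imsmanifest.xml` must be present. The allowlist contents and the assumption that extracted content is served from a directory where the web server does not execute scripts are this example's assumptions, not facts stated in the advisory.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical hardened SCORM package importer (added example, not Opigno code).
 *
 * Defensive checks performed before anything is extracted:
 *   1. Every entry name must be a relative path with no ".." segment.
 *   2. Every file extension must be on an allowlist of static content types;
 *      server-side executable types (.php, .phtml, .phar, .htaccess, ...)
 *      are rejected by omission rather than by an incomplete denylist.
 *   3. The package must carry an imsmanifest.xml at its root.
 * Extraction still targets a directory where the web server will not execute
 * scripts (assumed: separate origin or PHP handlers disabled for that path).
 */
final class ScormPackageValidator
{
    /** File types a SCORM content package legitimately needs (assumed list). */
    private const ALLOWED_EXTENSIONS = [
        'xml', 'xsd', 'dtd', 'html', 'htm', 'js', 'css', 'json', 'txt',
        'png', 'jpg', 'jpeg', 'gif', 'webp', 'ico',
        'mp3', 'mp4', 'webm', 'ogg', 'wav', 'pdf',
        'woff', 'woff2', 'ttf', 'eot',
    ];

    /**
     * Returns the entry names that are safe to extract, or throws on the
     * first entry that fails a check.
     *
     * @return string[]
     */
    public static function validate(\ZipArchive $zip): array
    {
        $safeEntries = [];
        $hasManifest = false;

        for ($i = 0; $i < $zip->numFiles; $i++) {
            $name = $zip->getNameIndex($i);
            if ($name === false) {
                throw new \RuntimeException("Unreadable entry at index {$i}");
            }

            // Directory entries carry no content; only their path must be sane.
            self::assertSafePath($name);
            if (str_ends_with($name, '/')) {
                continue;
            }

            if (strtolower($name) === 'imsmanifest.xml') {
                $hasManifest = true;
            }

            // Allowlist on the final extension; an empty extension is rejected too.
            $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
            if ($ext === '' || !in_array($ext, self::ALLOWED_EXTENSIONS, true)) {
                throw new \RuntimeException("Disallowed file type in package: {$name}");
            }

            $safeEntries[] = $name;
        }

        if (!$hasManifest) {
            throw new \RuntimeException('Package has no root imsmanifest.xml');
        }

        return $safeEntries;
    }

    private static function assertSafePath(string $name): void
    {
        // Reject absolute paths, Windows separators, NUL bytes and ".." segments.
        if ($name === '' || $name[0] === '/' || str_contains($name, '\\')
            || str_contains($name, "\0") || preg_match('#(^|/)\.\.(/|$)#', $name)) {
            throw new \RuntimeException("Unsafe path in package: {$name}");
        }
    }
}

// Usage: validate first, then extract only the vetted entries into the
// non-executable content directory. $packagePath and $contentDir are assumed.
function importScormPackage(string $packagePath, string $contentDir): void
{
    $zip = new \ZipArchive();
    if ($zip->open($packagePath, \ZipArchive::RDONLY) !== true) {
        throw new \RuntimeException('Not a valid ZIP archive');
    }
    try {
        $entries = ScormPackageValidator::validate($zip);
        if (!$zip->extractTo($contentDir, $entries)) {
            throw new \RuntimeException('Extraction failed');
        }
    } finally {
        $zip->close();
    }
}
```

The allowlist on its own does not close the RCE path: a file that passes the extension check can still be interpreted by the web server under some handler configurations, so the directory the package is extracted into must be one where scripts are never executed. Because SCORM content is by nature HTML and JavaScript run in the learner's browser, the XSS concern the advisory mentions is best addressed by serving that content from an origin separate from the application, which this example leaves to deployment configuration.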
Reported By:
- Yurii Boichenko
- Marcin Grabias
- catch of the Drupal Security Team
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team