Opigno Learning path - Critical - Arbitrary PHP code execution - SA-CONTRIB-2024-029

Project: Opigno Learning pathDate: 2024-August-07Security risk: Critical 16∕25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Arbitrary PHP code executionAffected versions: <3.1.2Description: The Opigno Learning Path module enables you to manage group content.
Administrative forms allow uploading malicious files which may contain arbitrary code (RCE) or cross site scriptiong (XSS). These forms were not adequately controlled with permissions that communicate the severity of the permission.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Manage group content in any group".Solution: Install the latest version:

Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2024-029