Search API attachments - Critical - Arbitrary PHP code execution - SA-CONTRIB-2021-034

Project: Search API attachmentsDate: 2021-September-22Security risk: Critical 15∕25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:DefaultVulnerability: Arbitrary PHP code executionDescription: This module enables you to extract the textual content of files for use on a website, e.g. to display it or or use it in search indexes.
The module doesn't sufficiently protect the administrator-defined commands which are executed on the server, which leads to post-authentication remote code execution by a limited set of users.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer search_api". Sites are encouraged to review which roles have that permission and which users have that role, to ensure that only trusted users have that permission.Solution: Install the latest version:

The 8.x branch does not have Security Coverage.Reported By: 

Fixed By: 

Coordinated By: 

Path to article