TableField - Critical - Remote Code Execution - SA-CONTRIB-2019-045

Project: TableField
Date: 2019-April-17
Security risk: Critical 16/25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description: This module allows you to attach tabular data to an entity.
The module doesn't sufficiently determine that the data being unserialized is the contents of a tablefield when users request a CSV export, which could lead to Remote Code Execution via Object Injection.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'export tablefield', and be able to insert a payload into an entity's field.
Solution: Install the latest version:

  • If you use the Tablefield module 7.x-3.x branch for Drupal 7.x, upgrade to tablefield 7.x-3.4
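To illustrate the class of defect described above (unserializing stored field data without first establishing that it is tablefield content), here is an added PHP example; it is not the TableField module's own code, and the function names and the sample values are hypothetical. It contrasts the weak pattern with one that refuses to instantiate classes and validates the shape of the data before building the CSV.

```php
<?php
// Added illustration, not TableField's code. All function names are hypothetical.

// Weak pattern: the stored value goes straight into unserialize(), so any
// serialized object embedded in it is instantiated, and its magic methods run.
// That is the object-injection primitive the advisory refers to.
function export_csv_unsafe(string $stored): string {
  $table = unserialize($stored);
  return rows_to_csv($table);
}

// Hardened pattern: never instantiate classes from stored data, then check that
// the result has the shape a tablefield has (a list of rows of scalar cells).
function export_csv_safe(string $stored): string {
  $table = unserialize($stored, ['allowed_classes' => false]);
  if (!is_tablefield_data($table)) {
    throw new UnexpectedValueException('Stored value is not tablefield data');
  }
  return rows_to_csv($table);
}

function is_tablefield_data($data): bool {
  if (!is_array($data)) { return false; }
  foreach ($data as $row) {
    if (!is_array($row)) { return false; }
    foreach ($row as $cell) {
      if (!is_scalar($cell) && $cell !== null) { return false; }
    }
  }
  return true;
}

function rows_to_csv(array $rows): string {
  $fh = fopen('php://memory', 'r+');
  foreach ($rows as $row) {
    fputcsv($fh, array_map('strval', $row));
  }
  rewind($fh);
  return stream_get_contents($fh);
}

// Constructed sample value: an ordinary two-row table exports normally.
$legit = serialize([['Name', 'Qty'], ['Widget', 3]]);
echo export_csv_safe($legit);

// Constructed sample value containing an object: with allowed_classes => false
// it comes back as __PHP_Incomplete_Class, fails the shape check, and is rejected.
$with_object = serialize([[new stdClass()]]);
try { export_csv_safe($with_object); }
catch (UnexpectedValueException $e) { echo "rejected: " . $e->getMessage() . "\n"; }
```

The shape check is the part that matters for detection as well: a stored value that is not an array of scalar rows is something to log and investigate, not export.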

