Project:
Date:
2022-January-25
Vulnerability:
Remote code execution
Affected versions:
<1.3.0 || >=2.0.0 <2.3.0
Description:
This module enables you to automatically scan images uploaded to the site to extract their meta data and store it in taxonomy structures.
The module doesn't sufficiently protect against malicious files being used to attack the site.
This vulnerability is mitigated by the fact that an attacker must have permission to upload images to the site.
Solution:
Install the latest version:
- If you use the Exif module for Drupal 7.x, upgrade to Exif 7.x-1.10.
- If you use the Exif module for Drupal 9.x, upgrade to Exif 8.x-1.3 or Exif 8.x-2.3
Reported By:
Fixed By:
- Patrick Fey
- Drew Webber of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
Coordinated By:
- Michael Hess of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
