Project: 
Date: 
2017-December-20
Vulnerability: 
Arbitrary code execution
Description: 

'me' module provides shortcut paths to current user's pages, eg user/me, blog/me, user/me/edit, tracker/me etc.

The way 'me' module handles URL arguments allows an attacker to execute arbitrary code strings.

Solution: 

Install the latest version:

  • If you use the 'me' module for Drupal 7.x, upgrade to 'me' 7.x-1.3
Reported By: 
Fixed By: 
  • Camilo Bravo
  • nohup
  • Michael Hess of the Drupal Security Team
  • Coordinated By: 
  • Michael Hess of the Drupal Security Team