D7 Media - Critical - Remote Code Execution - SA-CONTRIB-2018-020

Project:

D7 Media

Date:

2018-April-25

Security risk:

Critical 18 ∕ 25 AC:Basic/A:User/CI:All/II:All/E:Theoretical/TD:All

Vulnerability:

Remote Code Execution

Description:

The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a third party site.

The module contained a vulnerability similar to SA-CORE-2018-004, leading to a possible remote code execution (RCE) attack.

Solution:

Install the latest version:

If you use the Media module for Drupal 7.x-2.x, upgrade to Media 7.x-2.19

Coordinated By:

Dave Reid the module maintainer and member of the Drupal Security Team

Contribution record

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

Contributing organizations for this advisory

Lullabot

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.

D7 Media - Critical - Remote Code Execution - SA-CONTRIB-2018-020

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community