Video - Critical - Remote Code Execution - SA-CONTRIB-2019-037

Project:

Video

Date:

2019-March-13

Security risk:

Critical 19∕25 AC:None/A:Admin/CI:All/II:All/E:Theoretical/TD:All

Vulnerability:

Remote Code Execution

Description:

This module provides a field where editors can add videos to their content and this module offers functionality to transcode these videos to different sizes and formats.

The module doesn't sufficiently sanitize some user input on administrative forms.

Solution:

If you use the Video module for Drupal 7.x, upgrade to Video 7.x-2.14

Also see the Video project page

Note that the Drupal 8 version of this module is unaffected.

Reported By:

Samuel Mortenson of the Drupal Security Team

Fixed By:

Michael Hess of the Drupal Security Team
Jorrit Schippers
Samuel Mortenson of the Drupal Security Team
Greg Knaddison of the Drupal Security Team

Coordinated By:

Michael Hess of the Drupal Security Team

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter @drupalsecurity or Mastodon drupalsecurity@drupal.community.

Contributing organizations for this advisory

nCode

Video - Critical - Remote Code Execution - SA-CONTRIB-2019-037

Contact and more information

Contributing organizations for this advisory

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community