TableField - Critical - Remote Code Execution - SA-CONTRIB-2019-045

Project:

TableField

Date:

2019-April-17

Security risk:

Critical 16 ∕ 25 AC:Complex/A:User/CI:All/II:All/E:Theoretical/TD:Default

Vulnerability:

Remote Code Execution

Description:

This module allows you to attach tabular data to an entity.

The module doesn't sufficiently determine that the data being unserialized is the contents of a tablefield when users request a CSV export, which could lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'export tablefield', and be able to insert a payload into an entity's field.

Solution:

Install the latest version:

If you use the Tablefield module 7.x-3.x branch for Drupal 7.x, upgrade to tablefield 7.x-3.4

Reported By:

Drew Webber Provisional Security Team Member

Fixed By:

Drew Webber Provisional Security Team Member
Martin Postma
Jen Lampton

Coordinated By:

Greg Knaddison of the Drupal Security Team

Contribution record

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

Contributing organizations for this advisory

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.

TableField - Critical - Remote Code Execution - SA-CONTRIB-2019-045

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community