Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2021-October-13
Vulnerability:
XML External Entity (XXE) Processing
Affected versions:
<1.4.0
Description:
This module enables aklump/loft_data_grids to be used as a Drupal module.
Excel support was provided by https://packagist.org/packages/phpoffice/phpexcel, which is abandoned and there are known security vulnerabilities: [CVE-2018-19277]: PHPOffice/PhpSpreadsheet#771. Excel support has since been replaced with the newer https://github.com/PHPOffice/PhpSpreadsheet library.
This module provides an API and This vulnerability is not exploitable in the module itself. This vulnerability only exists if custom code or another module uses the API of this module to read a spreadsheet.
Solution:
Upgraded to the the latest version.
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
