H5P - Create and Share Rich Content and Applications - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-064

Project:

H5P - Create and Share Rich Content and Applications

Date:

2022-December-14

Security risk:

Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Vulnerability:

Remote Code Execution

Description:

This module enables you to create interactive content.

The module doesn't sufficiently stop path traversal attacks through zipped filenames for the uploadable .h5p files.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "update h5p libraries". In addition, it is only exploitable on Windows servers.

Solution:

Install the latest version:

If you use the H5P module for Drupal 7.x, upgrade to H5P 7.x-1.51

Reported By:

Disclosed publicly.

Fixed By:

Coordinated By:

Greg Knaddison of the Drupal Security Team

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter @drupalsecurity or Mastodon drupalsecurity@drupal.community.

Contributing organizations for this advisory

Morris Animal Foundation

H5P - Create and Share Rich Content and Applications - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-064

Contact and more information

Contributing organizations for this advisory

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community