Project: File (Field) Paths
Security risk: *Critical* 15∕25
Vulnerability: Remote Code Execution
This module enables you to automatically sort and rename your uploaded files
using token-based replacement patterns to maintain a nice clean filesystem.
The module doesn't sufficiently sanitize the path when a new file is
uploaded, allowing a remote attacker to execute arbitrary PHP code.
This vulnerability is mitigated by the fact that an attacker must have access
to a form containing a widget processed by this module.
Install the latest version:
* If you use the filefield_paths module for Drupal 7.x, upgrade to filefield_paths 7.x-1.1
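
The kind of path sanitization described above, as an added PHP example that is not the module's code or its 7.x-1.1 fix: each untrusted token value is reduced to a single path segment before substitution, and the resulting file name is checked against an extension allow-list. The function names, token names, pattern and extension lists are assumptions, and PHP 7 or later is assumed.

```php
<?php
// Added illustration only: not filefield_paths code and not its 7.x-1.1 fix.
// Function names, token names and the extension lists are assumptions.

// Reduce one untrusted value to a single harmless path segment.
function example_clean_segment(string $value): string {
  // Separators, control bytes and anything unusual become "_".
  $value = preg_replace('/[^A-Za-z0-9._-]+/', '_', $value);
  // No leading/trailing dots, so the segment can never be "." or "..".
  $value = trim($value, '.');
  return $value === '' ? '_' : $value;
}

// Expand a pattern such as "[user]/[title].[ext]" into a relative path.
function example_build_path(string $pattern, array $tokens, array $allowed_ext): string {
  $segments = [];
  foreach (explode('/', $pattern) as $part) {
    // Clean each value before substitution: a token cannot add directories.
    $expanded = preg_replace_callback('/\[([a-z_]+)\]/', function (array $m) use ($tokens): string {
      return example_clean_segment((string) ($tokens[$m[1]] ?? ''));
    }, $part);
    // Clean the assembled segment too, in case the pattern itself is odd.
    $segments[] = example_clean_segment($expanded);
  }
  $name = end($segments);
  $parts = explode('.', strtolower($name));
  $ext = count($parts) > 1 ? array_pop($parts) : '';
  if (!in_array($ext, $allowed_ext, true)) {
    throw new InvalidArgumentException("extension not allowed: $name");
  }
  // Reject script extensions anywhere in the name ("x.php.txt").
  foreach ($parts as $p) {
    if (preg_match('/^(php\d*|phtml|pht|phar)$/', $p)) {
      throw new InvalidArgumentException("script extension in name: $name");
    }
  }
  return implode('/', $segments);
}

// Constructed sample input.
$allowed = ['txt', 'png', 'jpg', 'pdf'];
echo example_build_path('[user]/[title].[ext]',
  ['user' => '../../alice', 'title' => 'Q3 report', 'ext' => 'pdf'], $allowed), "\n";
try {
  example_build_path('[user]/[title].[ext]',
    ['user' => 'bob', 'title' => 'notes.php', 'ext' => 'txt'], $allowed);
} catch (InvalidArgumentException $e) {
  echo 'rejected: ', $e->getMessage(), "\n";
}
```

The returned path is relative; a caller would still resolve it under its upload root and confirm the result stays inside that directory before writing the file.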