me aliases - Highly critical - Arbitrary code execution - SA-CONTRIB-2017-097

Project: me aliases
Date: 2017-December-20
Security risk: *Highly critical* 20∕25
Vulnerability: Arbitrary code execution

Description

The 'me' module provides shortcut paths to the current user's pages, e.g. user/me, blog/me, user/me/edit, tracker/me, etc.

The way the 'me' module handles URL arguments allows an attacker to execute arbitrary code strings.

Solution

Install the latest version:

If you use the 'me' module for Drupal 7.x, upgrade to 'me' 7.x-1.3: https://www.drupal.org/project/me/releases/7.x-1.3
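
A check to run before and after the upgrade, added here as an example and not part of the advisory or the project's own code: it finds every me.info under a Drupal 7 docroot and compares the packaged version with 7.x-1.3. It assumes that 7.x-1.N releases with N below 3 predate the fix and that the version line is the one drupal.org packaging writes into .info files; the function names and the sample tree are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): report 'me' module copies below 7.x-1.3.
# Assumption: every 7.x-1.N release with N < 3 predates the fix.
FIXED_PATCH=3   # patch number of the fixed release 7.x-1.3

# Read the version string that drupal.org packaging writes into a .info file.
info_version() {
  sed -n 's/^[[:space:]]*version[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Classify a version string as ok, outdated or unknown.
classify_me_version() {
  case "$1" in
    7.x-1.*) patch=${1#7.x-1.} ;;
    *) echo unknown; return 0 ;;        # no version line (git checkout) or another branch
  esac
  case "$patch" in
    ''|*[!0-9]*) echo unknown ;;        # dev snapshot or pre-release: review by hand
    *) if [ "$patch" -ge "$FIXED_PATCH" ]; then echo ok; else echo outdated; fi ;;
  esac
}

# Print "<status> <version> <path>" for every me.info found under a directory.
scan_docroot() {
  find "$1" -type f -name me.info 2>/dev/null | sort | while IFS= read -r info; do
    v=$(info_version "$info")
    printf '%s %s %s\n' "$(classify_me_version "$v")" "${v:-none}" "$info"
  done
}

# Constructed sample tree, so the check can be tried without a real site.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/sites/all/modules/me" "$root/sites/default/modules/contrib/me"
  printf 'name = me aliases\ncore = 7.x\nversion = "7.x-1.2"\n' > "$root/sites/all/modules/me/me.info"
  printf 'name = me aliases\ncore = 7.x\nversion = "7.x-1.3"\n' > "$root/sites/default/modules/contrib/me/me.info"
  echo "$root"
}

# Scan the docroot given as the first argument, if any.
if [ "$#" -gt 0 ]; then scan_docroot "$1"; fi
```

Pass the docroot as the first argument; lines marked unknown (dev snapshots, checkouts without a version line) need a manual look.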
