Project: me aliases
Date: 2017-December-20
Security risk: *Highly critical* 20∕25
Vulnerability: Arbitrary code execution
Description
'me' module provides shortcut paths to current user's pages, eg user/me, blog/me, user/me/edit, tracker/me etc.
The way 'me' module handles URL arguments allows an attacker to execute arbitrary code strings.
Solution
Install the latest version:
If you use the 'me' module for Drupal 7.x, upgrade to 'me' 7.x-1.3: https://www.drupal.org/project/me/releases/7.x-1.3
Add new comment