* Advisory ID: DRUPAL-SA-CONTRIB-2017-044
* Project: Media (third-party module)
* Version: 7.x
* Date: 2017-May-10
* Security risk: 16/25 ( Critical)
* Vulnerability: Information Disclosure, Arbitrary PHP code execution,
This module provides intuitive ways to manage large libraries of media,
insert or display or import various types of media either through fields or a
Versions of this module prior to 7.x-2.1 or 7.x-3.0-alpha5 did not
sufficiently whitelist input parameters for the media browser.
This vulnerability in the versions of media prior to those aforementioned is
mitigated by the fact that an attacker must have a role with the permission
upload files and view media browser.
Install the latest version:
* If you use the media module, it is recommended to upgrade to media
7.x-2.1 (stable) or to 7.x-3.0-alpha5 (cutting edge) or newer.
Also see the Media project page: https://www.drupal.org/project/media