DRUPAL-CONTRIB-2024-027

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/opigno_group_manager/DRUPAL-CONTRIB-2024-027.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-027

Aliases

CVE-2024-13263

Published

2024-08-07T17:19:30Z

Modified

2025-12-10T23:41:25.838199Z

Summary

[none]

Details

The Opigno group manager project is related to Opigno LMS distribution. It allows to build the contents of learning paths, by combining together modules, courses, and other activities, ordering them, and defining conditional rules for the transitions from one step to the next one.

An administration form allows execution of arbitrary code.

This issue is mitigated by several factors. First, it requires the attacker have the permission "update group learning_path". Additionally, it requires several steps and depends on other data in the system to be in place.

References

https://www.drupal.org/sa-contrib-2024-027

Credits

- Marcin Grabias
- - https://www.drupal.org/user/1599440
- catch
- - https://www.drupal.org/user/35733

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/opigno_group_manager

Package

Name: drupal/opigno_group_manager
Purl: pkg:composer/drupal/opigno_group_manager

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

3.1.1

Database specific

{
    "constraint": "<3.1.1"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/opigno_group_manager/DRUPAL-CONTRIB-2024-027.json"

affected_versions

"<3.1.1"