DRUPAL-CONTRIB-2024-028

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/opigno_module/DRUPAL-CONTRIB-2024-028.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-028

Aliases

CVE-2024-13264

Published

2024-08-07T17:30:20Z

Modified

2025-12-10T23:41:25.650621Z

Summary

[none]

Details

The Opigno module is related to Opigno LMS distribution. It implements the module entity, that is a sub-part of a training.

In the opigno_module module, uploaded files were not sufficiently validated to prevent arbitrary file uploads, which could lead to Remote Code Execution (RCE) and/or Cross Site Scripting (XSS).

This vulnerability is mitigated by the fact that it requires the attacker have a role with the permission "create opigno tincan activities".

References

https://www.drupal.org/sa-contrib-2024-028

Credits

- Marcin Grabias
- - https://www.drupal.org/user/1599440
- catch
- - https://www.drupal.org/user/35733

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/opigno_module

Package

Name: drupal/opigno_module
Purl: pkg:composer/drupal/opigno_module

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

3.1.2

Database specific

{
    "constraint": "<3.1.2"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/opigno_module/DRUPAL-CONTRIB-2024-028.json"

affected_versions

"<3.1.2"