DRUPAL-CONTRIB-2024-029

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/opigno_learning_path/DRUPAL-CONTRIB-2024-029.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-029
Aliases
  • CVE-2024-13265
Published
2024-08-07T17:36:15Z
Modified
2025-12-10T23:41:33.347618Z
Summary
[none]
Details

The Opigno Learning Path module enables you to manage group content.

Administrative forms allow uploading malicious files which may contain arbitrary code (RCE) or cross-site scripting (XSS). These forms were not adequately controlled with permissions that communicate the severity of the permission.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Manage group content in any group".

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/opigno_learning_path

Package

Name
drupal/opigno_learning_path
Purl
pkg:composer/drupal/opigno_learning_path

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.1.2
Database specific
{
    "constraint": "<3.1.2"
}

Database specific

affected_versions
"<3.1.2"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/opigno_learning_path/DRUPAL-CONTRIB-2024-029.json"