DRUPAL-CONTRIB-2024-060

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/postfile/DRUPAL-CONTRIB-2024-060.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-060

Aliases

CVE-2024-13294

Published

2024-11-13T17:37:36Z

Modified

2025-12-10T23:41:26.431616Z

Summary

[none]

Details

The module creates an endpoint on the site at /postfile/upload that accepts a POST request for uploading a single file into a specified file system (public, private, etc).

This module accepts any uploaded file extension, including dangerous file formats so it can be used to bypass the allow_insecure_uploads config.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "postfile upload".

References

https://www.drupal.org/sa-contrib-2024-060

Credits

- Pierre Rudloff
- - https://www.drupal.org/user/3611858

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/postfile

Package

Name: drupal/postfile
Purl: pkg:composer/drupal/postfile

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.0.2

Database specific

{
    "constraint": "<1.0.2"
}

Database specific

affected_versions

"<1.0.2"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/postfile/DRUPAL-CONTRIB-2024-060.json"