DRUPAL-CONTRIB-2023-053

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/xsendfile/DRUPAL-CONTRIB-2023-053.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2023-053
Published
2023-11-29T15:27:05Z
Modified
2025-12-10T23:33:26.088134Z
Summary
[none]
Details

The Xsendfile module enables fast transfer for private files in Drupal.

In order to control private file downloads, the module overrides ImageStyleDownloadController, for which a vulnerability was disclosed in SA-CORE-2023-005. The Xsendfile module was still based on an insecure version of ImageStyleDownloadController.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/xsendfile

Package

Name
drupal/xsendfile
Purl
pkg:composer/drupal/xsendfile

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.2.0
Database specific
{
    "constraint": "<1.2.0"
}

Database specific

affected_versions
"<1.2.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/xsendfile/DRUPAL-CONTRIB-2023-053.json"