Published On: Aug 16, 2024 19:00
Advisory No: TZCERT-SA-24-0021
Source: Opigno LMS packages
Software Affected: Opigno LMS packages
Opigno LMS packages in Drupal CMS are affected by arbitrary code execution vulnerabilities. An attacker can leverage the vulnerabilities to take control of the affected system.
Opigno Learning path, Opigno_module, and Opigno group manager running in Drupal CMS are affected by arbitrary PHP code execution vulnerabilities. They result from a permissions misconfiguration in an administration form that allows execution of arbitrary code. The vulnerabilities allow an attacker to upload malicious files, which may contain arbitrary code (RCE) or cross-site scripting (XSS) payloads.
Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected device.
Drupal has released patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.