
Critical Arbitrary PHP Code Execution in Drupal’s Opigno LMS packages

Advisory No: TZCERT/SA/2024/08/09-2

Date of First Release: 09th August 2024

Source: Drupal

Software Affected: Opigno LMS packages

Overview:

Opigno LMS packages for the Drupal CMS are affected by arbitrary code execution vulnerabilities. An attacker can leverage these vulnerabilities to take control of the affected system.

Description:

Opigno Learning path, Opigno_module, and Opigno group manager, running in the Drupal CMS, are affected by arbitrary PHP code execution vulnerabilities. These result from a permissions misconfiguration in an administration form, which allows execution of arbitrary code.

The vulnerabilities allow an attacker to upload malicious files that may contain arbitrary code (RCE) or cross-site scripting (XSS).

Impact:

Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected device.

Solution:

Drupal has released patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.

References:

  1. https://www.drupal.org/sa-contrib-2024-029
  2. https://www.drupal.org/sa-contrib-2024-028
  3. https://www.drupal.org/sa-contrib-2024-027
