Critical Arbitrary PHP Code Execution in Drupal’s Opigno LMS packages

Imechapishwa: Aug 16, 2024 19:00

Advisory No: TZCERT-SA-24-0021

Source: Opigno LMS packages

Software Affected: Opigno LMS packages

Overview

Opigno LMS packages in Drupal CMS are vulnerable to arbitrary code execution vulnerabilities. The attacker can leverage the vulnerabilities to take control of the affected system.

Description

Opigno Learning path, Opigno_module, and Opigno group manager running in Drupal CMS are affected by arbitrary PHP code execution vulnerabilities resulting from the permissions misconfiguration in administration form allowing execution of arbitrary code. The vulnerabilities allow the attacker to upload malicious files which may contain arbitrary code (RCE) or cross-site scripting (XSS).

Impact

Successful exploitation of these vulnerabilities may allow the attacker to take control of the affected device.

Solution

Drupal has released patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.

Subscribe To TZ - CERT Newsletter

A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.

Subscribe
Ripoti Tukio