Advisory No: TZCERT/SA/2024/08/09-2
Date of First Release: 09th August 2024
Source: Drupal
Software Affected: Opigno LMS packages
Overview:
Opigno LMS packages in Drupal CMS are affected by arbitrary code execution vulnerabilities. An attacker can leverage the vulnerabilities to take control of the affected system.
Description:
Opigno Learning path, Opigno_module, and Opigno group manager running in Drupal CMS are affected by arbitrary PHP code execution vulnerabilities. These result from a permissions misconfiguration in the administration form, which allows execution of arbitrary code.
The vulnerabilities allow an attacker to upload malicious files that may contain arbitrary code (remote code execution, RCE) or cross-site scripting (XSS) payloads.
Impact:
Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected device.
Solution:
Drupal has released patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.
References:
- https://www.drupal.org/sa-contrib-2024-029
- https://www.drupal.org/sa-contrib-2024-028
- https://www.drupal.org/sa-contrib-2024-027