Vulnerability from drupal
Published
2018-01-10 17:57
Modified
2023-08-11 21:45
Summary
Details

This module enables content editors to create complex pages and layouts on the fly without the help from a developer, using reusable widgets.

The module does not sufficiently filter values posted to its AJAX endpoint, which leads to the instantiation of an arbitrary PHP class.

This vulnerability is mitigated by the fact that only sites with the Stacks - Content Feed submodule enabled are affected.

Credits
Jean-François Hovinne www.drupal.org/user/77723
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c1.1.0"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/stacks"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c1.1.0"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/user/77723"
      ],
      "name": "Jean-Fran\u00e7ois Hovinne"
    }
  ],
  "details": "This module enables content editors to create complex pages and layouts on the fly without the help from a developer, using reusable widgets.\n\nThe module does not sufficiently filter values posted to its AJAX endpoint, which leads to the instantiation of an arbitrary PHP class.\n\nThis vulnerability is mitigated by the fact that only sites with the Stacks - Content Feed submodule enabled are affected.",
  "id": "DRUPAL-CONTRIB-2018-001",
  "modified": "2023-08-11T21:45:33.000Z",
  "published": "2018-01-10T17:57:53.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2018-001"
    }
  ],
  "schema_version": "1.7.0"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.