In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the “private” file system. However, some contributed modules provide additional file systems, or schemes, which may lead to this vulnerability. This vulnerability is mitigated by the fact that it only applies when the site sets (Drupal 9) $config[‘image.settings’][‘allow_insecure_derivatives’] or (Drupal 7) $conf[‘image_allow_insecure_derivatives’] to TRUE. The recommended and default setting is FALSE, and Drupal core does not provide a way to change that in the admin UI. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing files or image styles after updating.
More Stories
ArcaneDoor Attack (CVE-2024-20353 and CVE-2024-20359)
What is the Attack? Cisco issued an advisory on 24th April, regarding its Adaptive Security Appliances, multifunctional devices combining firewall,...
USN-6657-2: Dnsmasq vulnerabilities
USN-6657-1 fixed several vulnerabilities in Dnsmasq. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS....
Defense in depth — the Microsoft way (part 87): shipping more rotten software to billions of unsuspecting customers
Posted by Stefan Kanthak on Apr 24 Hi @ll, this post is a continuation of <https://seclists.org/fulldisclosure/2023/Oct/17> and <https://seclists.org/fulldisclosure/2021/Oct/17> With the...
Response to CVE-2023-26756 – Revive Adserver
Posted by Matteo Beccati on Apr 24 CVE-2023-26756 has been recently filed against the Revive Adserver project. The action was...
USN-6749-1: FreeRDP vulnerabilities
It was discovered that FreeRDP incorrectly handled certain context resets. If a user were tricked into connecting to a malicious...
libcoap-4.3.4a-2.fc40
FEDORA-2024-75863445ff Packages in this update: libcoap-4.3.4a-2.fc40 Update description: Patch to fix CVE-2024-31031 Read More