Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drupal Opigno module allows PHP Local File Inclusion.This issue affects Opigno module: from 0.0.0 before 3.1.2.
The Opigno module improperly neutralizes directives in statically written code (CWE-96), which allows embedding malicious PHP directives in files saved by the application. Subsequently, an attacker can cause these files to be loaded and executed by the PHP interpreter through a Local File Inclusion mechanism. The attack requires no authentication or user interaction, and the vector is network-based with low complexity.
An attacker can execute arbitrary PHP code on the server, leading to complete takeover of the application and server, data theft, content modification, and potential lateral movement within the infrastructure.
The Opigno module should be updated to version 3.1.2 or later. Detailed information is available in the official Drupal security bulletin at https://www.drupal.org/sa-contrib-2024-028
Drupal Opigno Module in all versions from 0.0.0 to versions earlier than 3.1.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOpigno Module
APPOpigno< 3.1.2
Related vulnerabilities
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drup...
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drup...
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drup...
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability in Drup...