The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.
The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.
As this is an API module, it is only exploitable if a "client" module exposes the vulnerability. Examples of some contributed client modules are given below. Custom modules using ACL could also expose the vulnerability.
This vulnerability is mitigated by the fact that an attacker typically needs an "admin"-type permission provided by one of ACL's client modules.
Known client modules include:
- Forum Access
- Content Access
- Flexi Access (Drupal only)
Coordinated Security Advisories are being released for those client modules that have Security coverage.
- ACL versions prior to 1.x-1.4.0