- Tablefield 2.5.x versions prior to 2.5.4
The tablefield module allows you to attach tabular data to an entity.
The module does not sufficiently verify that the data it unserializes is the contents of a tablefield when a user requests a CSV export, which could lead to Remote Code Execution via Object Injection.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission 'export tablefield', and be able to insert a payload into an entity's field.
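The unsafe pattern described above, beside a hardened version that restricts unserialize() and checks the decoded value's shape, as an added PHP illustration that is not code from the tablefield module (the function names and the assumed stored layout are assumptions; the `allowed_classes` option needs PHP 7.0 or later):

```php
<?php
// Added illustration, not the tablefield module's code. The function names and
// the assumed stored layout (['tabledata' => rows]) are assumptions.

// Unsafe pattern: the stored value is unserialized as-is. If an attacker can
// write an arbitrary serialized string into the field, PHP instantiates
// whatever class the payload names (object injection).
function tablefield_export_unsafe(string $stored): array {
  $data = unserialize($stored);   // no class restriction, no shape check
  return $data['tabledata'] ?? [];
}

// Hardened pattern: refuse to instantiate any class, then verify the decoded
// value has the shape a tablefield is expected to have (an array of rows, each
// an array of scalar cells) before it reaches the CSV writer.
function tablefield_export_safe(string $stored): array {
  // allowed_classes => FALSE (PHP >= 7.0) turns any object in the payload into
  // __PHP_Incomplete_Class, so no __wakeup() or __destruct() of that class runs.
  $data = @unserialize($stored, ['allowed_classes' => FALSE]);
  if (!is_array($data) || !isset($data['tabledata']) || !is_array($data['tabledata'])) {
    throw new \UnexpectedValueException('Stored value is not tablefield data.');
  }
  foreach ($data['tabledata'] as $row) {
    if (!is_array($row)) {
      throw new \UnexpectedValueException('Table row is not an array.');
    }
    foreach ($row as $cell) {
      if ($cell !== NULL && !is_scalar($cell)) {
        throw new \UnexpectedValueException('Table cell is not a scalar.');
      }
    }
  }
  return $data['tabledata'];
}

// Constructed samples: $good is a legitimate table; $bad is a serialized object
// (stdClass stands in for whatever class a payload might name).
$good = serialize(['tabledata' => [['Name', 'Qty'], ['Widget', '3']]]);
$bad  = 'O:8:"stdClass":0:{}';

foreach (tablefield_export_safe($good) as $row) {
  fputcsv(STDOUT, $row);            // prints the two CSV lines
}
try {
  tablefield_export_safe($bad);
} catch (\UnexpectedValueException $e) {
  echo 'rejected: ', $e->getMessage(), "\n";
}
```

Restricting classes narrows the exposure but does not remove the risk of feeding attacker-controlled strings to unserialize(); storing field data in a format such as JSON that cannot express objects avoids the problem entirely.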
- Drew Webber, Provisional Drupal Security Team Member
- Greg Knaddison of the Drupal Security Team