- Feeds JSONPath Parser 1.x-1.0.0
Feeds JSONPath Parser has a dependency on the third party Library peekmo/jsonpath or Stefan Goessner's implementation of jsonpath, which when used with data that has not been sanatized allows arbitrary code to be run.
Vulnerabilities are possible if a user has permission to configure a feed, or the feed is configured such that a user with the access to the import form can alter a field mapping.
The latest version changes the dependency from the aforementioned libraries and changes it to flow/jsonpath, which does not require value sanitation for the same functionality.
Upgrade your site to the most recent version of Feeds JSONPath Parser.