- File (Field) Paths versions v1.x-1.0.1 and prior
The File (Field) Paths module extends the default functionality of Backdrop's core File module, by adding the ability to use entity-based tokens in destination paths and file names.
The module's default configuration could temporarily expose private files to anonymous visitors.
Important note: to fix the problem, database updates must be run in addition to updating the module.
It's possible to make a configuration change to mitigate this problem in the admin UI at /admin/config/media/file-system/filefield-paths - the temp file location should use either the temporary:// or private:// stream wrapper if uploaded files should not be exposed publicly.
This vulnerability is mitigated by the fact that an attacker must be able to guess the temporary path used for file upload.
Upgrade your site to the most recent version of the File (Field) Paths module. Download available on the File (Field) Paths 1.x-1.0.2 release page.
- Hayato Goto
- Drew Webber of the Drupal Security Team
- Steve Bink
- Hayato Goto
- David Snopek of the Drupal Security Team
- Vijay Mani provisional member of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Oleh Vehera
- Damien McKenna of the Drupal Security Team
- indigoxela for Backdrop CMS
- David Snopek of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team