Loft Data Grids - Moderately critical - XML External Entity (XXE) Processing - SA-CONTRIB-2021-043

Project: Loft Data Grids
Date: 2021-October-13
Security risk: Moderately critical 11∕25
Vulnerability: XML External Entity (XXE) Processing

Description

This module enables aklump/loft_data_grids to be used as a Drupal module.

Excel support was provided by https://packagist.org/packages/phpoffice/phpexcel, which is abandoned and there are known security vulnerabilities: [CVE-2018-19277]: PHPOffice/PhpSpreadsheet#771. Excel support has since been replaced with the newer https://github.com/PHPOffice/PhpSpreadsheet library.

This module provides an API and This vulnerability is not exploitable in the module itself. This vulnerability only exists if custom code or another module uses the API of this module to read a spreadsheet.

Solution

Upgraded to the the latest version.

https://www.drupal.org/project/loft_data_grids/releases/7.x-2.4
https://www.drupal.org/project/loft_data_grids/releases/8.x-1.4

Drupal · Security

Loft Data Grids - Moderately critical - XML External Entity (XXE) Processing - SA-CONTRIB-2021-043

Description

Solution

We value your opinion. Please add your feedback.