Vulnerability from drupal
Published: 2024-08-07 17:19
Modified: 2025-02-20 19:12
Summary
Details
The Opigno group manager project is part of the Opigno LMS distribution. It lets users build the contents of learning paths by combining modules, courses, and other activities, ordering them, and defining conditional rules for the transitions from one step to the next.
An administration form allows execution of arbitrary code.
This issue is mitigated by several factors. First, it requires that the attacker have the permission "update group learning_path". Additionally, it requires several steps and depends on other data already being in place in the system.
Credits
Marcin Grabias
www.drupal.org/user/1599440
{
"affected": [
{
"database_specific": {
"affected_versions": "\u003c3.1.1"
},
"package": {
"ecosystem": "Packagist:https://packages.drupal.org/8",
"name": "drupal/opigno_group_manager"
},
"ranges": [
{
"database_specific": {
"constraint": "\u003c3.1.1"
},
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.1"
}
],
"type": "ECOSYSTEM"
}
],
"severity": []
}
],
"aliases": [
"CVE-2024-13263"
],
"credits": [
{
"contact": [
"https://www.drupal.org/user/1599440"
],
"name": "Marcin Grabias"
},
{
"contact": [
"https://www.drupal.org/user/35733"
],
"name": "catch"
}
],
"details": "The Opigno group manager project is related to Opigno LMS distribution. It allows to build the contents of learning paths, by combining together modules, courses, and other activities, ordering them, and defining conditional rules for the transitions from one step to the next one.\n\nAn administration form allows execution of arbitrary code.\n\nThis issue is mitigated by several factors. First, it requires the attacker have the permission \"update group learning\\_path\". Additionally, it requires several steps and depends on other data in the system to be in place.",
"id": "DRUPAL-CONTRIB-2024-027",
"modified": "2025-02-20T19:12:37.000Z",
"published": "2024-08-07T17:19:30.000Z",
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2024-027"
}
],
"schema_version": "1.7.0"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.