Drupal has patched two Moderately Critical vulnerabilities that affect multiple versions of Drupal Core.
A remote attacker could exploit these vulnerabilities to compromise an affected system.
H5P module
Drupal fixed a vulnerability in the “H5P – Create and Share Rich Content and Applications” module: the H5P module did not sufficiently prevent path traversal attacks through the filenames stored inside uploaded .h5p archives (which are zip files).
H5P is used as an authoring tool for rich content and also lets your Drupal site import and export H5P files.
Users should upgrade to H5P 7.x-1.51 if running the H5P module.
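As an added defensive illustration (not code from Drupal or the H5P module), the following Python inspects an uploaded .h5p archive for entry names that would escape the extraction directory, so the whole upload can be rejected before anything is written to disk. The extraction root and the sample archive are constructed for this example.

```python
"""Reject .h5p (zip) uploads whose entry names would escape the extraction dir."""
import io
import posixpath
import zipfile

# Hypothetical destination; only its string form matters for the containment check.
EXTRACT_ROOT = "/var/www/private/h5p/content"


def entry_escapes(name: str, root: str = EXTRACT_ROOT) -> bool:
    """True if a zip entry name would land outside root after normalization."""
    # Treat backslashes as separators too; some archivers emit them on Windows.
    unified = name.replace("\\", "/")
    if unified.startswith("/") or ":" in unified.split("/", 1)[0]:
        return True  # absolute path or drive-letter prefix
    target = posixpath.normpath(posixpath.join(root, unified))
    return not (target == root or target.startswith(root + "/"))


def unsafe_entries(archive_bytes: bytes) -> list[str]:
    """Return every entry name in the archive that would escape EXTRACT_ROOT."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [n for n in zf.namelist() if entry_escapes(n)]


def build_sample_h5p() -> bytes:
    """Constructed sample archive: two legitimate entries plus one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("h5p.json", '{"title": "sample"}')
        zf.writestr("content/content.json", "{}")
        zf.writestr("../../outside.txt", "should never be written")
    return buf.getvalue()


if __name__ == "__main__":
    offending = unsafe_entries(build_sample_h5p())
    # A non-empty list means the upload is rejected as a whole; no partial extraction.
    print("rejected upload, offending entries:", offending)
```

Checking every entry name before extraction, and refusing the archive outright on the first escape, avoids relying on an extractor that silently strips traversal components.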
File (Field) Paths access bypass
Moreover, Drupal fixed a Moderately Critical access bypass vulnerability in File (Field) Paths.
The File (Field) Paths module extends the default functionality of Drupal’s core File module by adding the ability to use entity-based tokens in destination paths and file names.
“The module’s default configuration could temporarily expose private files to anonymous visitors,” Drupal noted in the advisory.
Users should upgrade to File (Field) Paths 7.x-1.2 if running the File (Field) Paths module for Drupal 7.x.