me aliases - Highly critical - Arbitrary code execution - SA-CONTRIB-2017-097

Project: me aliases

Date: 2017-December-20

Security risk: Highly critical 20∕25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All

Vulnerability: Arbitrary code execution

Description: 

The 'me' module provides shortcut paths to the current user's pages, e.g. user/me, blog/me, user/me/edit, tracker/me, etc.

The way the 'me' module handles URL arguments allows an attacker to execute arbitrary code strings.

Solution: 

Install the latest version:

  • If you use the 'me' module for Drupal 7.x, upgrade to 'me' 7.x-1.3

Reported By: 

  • ross.linscott

Fixed By: 

  • Camilo Bravo
  • nohup
  • Michael Hess of the Drupal Security Team

Coordinated By: 

  • Michael Hess of the Drupal Security Team