drupal | Drupal Security Team | DRUPAL-SA-CONTRIB-2023-053
Nov 29, 2023 - 12:00 a.m.

Xsendfile - Moderately critical - Access bypass - SA-CONTRIB-2023-053

www.drupal.org
xsendfile module
private files transfer
drupal
imagestyledownloadcontroller
vulnerability
sa-core-2023-005

AI Score: 7 (Confidence: Low)

The Xsendfile module enables fast transfer for private files in Drupal. In order to control private file downloads, the module overrides ImageStyleDownloadController, for which a vulnerability was disclosed in SA-CORE-2023-005. The Xsendfile module was still based on an insecure version of ImageStyleDownloadController.

Affected configurations

Vulners node: drupal xsendfile, Range < 8.x-1.2

Vendor | Product | Version | CPE
drupal | xsendfile | * | cpe:2.3:a:drupal:xsendfile:*:*:*:*:*:*:*:*