Advisory ID: DRUPAL-SA-CONTRIB-2016-039
Project: Coder (third-party module)
Security risk: 20/25 ( Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: Arbitrary PHP code execution
The Coder module checks your Drupal code against coding standards and other best practices. It can also fix coding standard violations and perform basic upgrades on modules.
The module doesn’t sufficiently validate user inputs in a script file that has the php extension. A malicious unauthenticated user can make requests directly to this file to execute arbitrary php code.
There are no mitigating factors. The module does not need to be enabled for this to be exploited. Its presence on the file system and being reachable from the web are sufficient.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Coder module 7.x-1.x versions prior to 7.x-1.3.
Coder module 7.x-2.x versions prior to 7.x-2.6.
Drupal core is not affected. If you do not use the contributed Coder module,
Original URL: https://www.drupal.org/node/2765575