This issue is related to the lack of sanitization of user-supplied input in version 2.7 of the Drupal installation. An attacker can upload a malicious image, persuade a victim to click on it, and compromise the site’s database. This type of attack is often referred to as a file upload exploit. The attacker can also craft a malicious image file to steal the session cookie, which can be used to gain access to the site in the future. An attacker can also enter a victim’s email address to craft a malicious image file to steal the email address. Notably, the Drupal installation is version 2.7 in the v2.7 version of the MojoPortal portal. This issue affects any Drupal 7 website running MojoPortal v2.7. It may be possible for an attacker to gain access to a victim’s site by stealing a session cookie or via email address validation.

Vulnerability Overview

The Drupal installation is vulnerable to a file-upload attack. Typically, an attacker will upload a malicious image file to the website, persuade a victim to click on it, and take control of the site’s database. The attacker can also craft a malicious image file and steal the email address from a victim. Vulnerabilities like this are often referred to as file upload exploits when they target Drupal websites that use the MojoPortal module. This issue affects any Drupal 7 website running the MojoPortal v2.7 version. It may be possible for an attacker to gain access to a victim’s site by stealing a session cookie or via email address validation.

Timeline

Published on: 09/30/2022 19:15:00 UTC
Last modified on: 10/05/2022 15:50:00 UTC

References