Project
Date
Severity
Moderately Critical
Vulnerability
File Path Manipulation via Inconsistent File URI State
Affected versions
<7.x-1.3
Description
The File (Field) Paths module provides functionality for automatically organizing uploaded files into structured directory paths based on configurable patterns in Drupal 7.
The module doesn't properly update file object URIs after file move operations, leaving file objects with inconsistent URI state that references the old location while the actual file exists at the new location.
This vulnerability is mitigated by the requirement for administrative privileges to upload files and configure file paths, and the issue only affects sites using the module's automatic file organization features.
Solution
Install the latest version.
If you use the File (Field) Paths module for Drupal 7, upgrade to File (Field) Paths 7.x-1.3: