Date
Severity
Moderately Critical
Vulnerability
Server-Side Request Forgery
Affected versions
<7.x-1.13

Description

The Image Editor module provides integration with external online editing services (PicMonkey, Pixlr Editor, Pixlr Express, and Inline Editor) that redirect the browser back to a Drupal callback endpoint with a URL parameter pointing to the newly edited image for the server to fetch and save.

The save callbacks accepted the URL parameter directly from "$_GET" or "$_POST" and issued server-side HTTP requests without any restriction on the destination host or scheme. An attacker could supply a crafted URL pointing to internal hosts or non-HTTP schemes, causing the server to probe or read from internal resources.

This vulnerability is mitigated by the fact that exploiting it requires an authenticated user account with the "use imageeditor" permission.
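One way to apply the destination and scheme restrictions that the save callbacks lacked, as an added example (not the Image Editor module's code or its actual fix). The function name, the allowlisted host name and the stub resolver are assumptions made for illustration.

```php
<?php
// Added example, not module code. Names, hosts and resolver are constructed.

// Returns TRUE only if $url may be fetched by the server.
// $resolve maps a hostname to a list of IP strings (e.g. 'gethostbynamel').
function example_fetch_url_allowed($url, array $allowed_hosts, $resolve) {
  $parts = parse_url($url);
  if (!is_array($parts) || empty($parts['scheme']) || empty($parts['host'])) {
    return FALSE;
  }
  // Scheme restriction: only web URLs; file://, ftp:// and similar fail here.
  if (!in_array(strtolower($parts['scheme']), array('http', 'https'), TRUE)) {
    return FALSE;
  }
  // Embedded credentials are never needed and can confuse URL parsers.
  if (isset($parts['user']) || isset($parts['pass'])) {
    return FALSE;
  }
  // Destination restriction: exact match against the editing service's hosts.
  $host = strtolower(rtrim($parts['host'], '.'));
  if (!in_array($host, $allowed_hosts, TRUE)) {
    return FALSE;
  }
  // An allowlisted name must still not resolve into internal address space.
  $ips = call_user_func($resolve, $host);
  if (empty($ips)) {
    return FALSE;
  }
  $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
  foreach ($ips as $ip) {
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === FALSE) {
      return FALSE;
    }
  }
  return TRUE;
}

// Constructed inputs: the expected editor URL and three that must be refused.
$allowed = array('images.editor.example');
$resolve = function ($host) { return array('203.0.113.10'); };
$candidates = array(
  'https://images.editor.example/out/1.png',
  'ftp://images.editor.example/out/1.png',
  'http://127.0.0.1/',
  'http://images.editor.example.other.example/1.png',
);
foreach ($candidates as $candidate) {
  $ok = example_fetch_url_allowed($candidate, $allowed, $resolve);
  printf("%s => %s\n", $candidate, var_export($ok, TRUE));
}
```

The fetch that follows this check should not follow redirects without re-validating each hop (in Drupal 7, see the `max_redirects` option of `drupal_http_request()`), since a permitted host can redirect to an internal one.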

Solution

Install the latest version.

If you use the Image Editor module for Drupal 7, upgrade to imageeditor 7.x-1.13.


Reported by

Fixed by

  • Tag1 D7ES

Coordinated by

  • Tag1 D7ES