SB2012111101 - Arbitrary PHP code execution in Drupal Drupal

Published: November 11, 2012 Updated: March 14, 2017

Security Bulletin ID SB2012111101
CSH Severity
High
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Arbitrary PHP code execution (CVE-ID: CVE-2012-4553)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target server.
The weakness is caused by a flaw in the installer code: by pointing the installer at an external database, a remote attacker can reinstall Drupal and thereby execute arbitrary PHP code.
Successful exploitation allows a malicious user to run arbitrary code on the vulnerable server.
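The following illustration is added here and is not Drupal's own code. It contrasts two ways an installer can decide whether a site is already installed: the weak pattern infers "not installed" from a failed database connection, which is what lets an attacker who supplies a different (external) database re-run installation; the hardened pattern refuses to run whenever database credentials are already configured on disk, regardless of whether that database currently answers. The function names, the `$settings` array shape and the `$connect` callback are hypothetical.

```php
<?php
// Added illustration (not Drupal's own code): deciding whether an installer may run.

/**
 * Weak pattern: "installed" is inferred only from a successful connection to
 * the configured database. If that database is unreachable, the site looks
 * fresh and the installer proceeds, even though it was already installed.
 *
 * @param callable $connect  Returns true when the configured database is
 *                           reachable and already holds site tables; throws
 *                           RuntimeException when it cannot connect.
 */
function installer_may_run_weak(callable $connect): bool {
    try {
        if ($connect()) {
            return false; // reachable and populated: already installed
        }
    } catch (RuntimeException $e) {
        // Connection failure is silently treated as "no site yet" (the flaw).
    }
    return true;
}

/**
 * Hardened pattern: configured credentials on disk are the authoritative sign
 * that installation already happened. A connection failure, or a replacement
 * database supplied in the request, must never override that.
 *
 * @param array    $settings Parsed site settings; hypothetical shape
 *                           ['databases' => ['default' => [...]]].
 * @param callable $connect  Same contract as above.
 */
function installer_may_run_hardened(array $settings, callable $connect): bool {
    if (!empty($settings['databases'])) {
        return false; // credentials exist: refuse, whatever the DB says
    }
    try {
        return !$connect();
    } catch (RuntimeException $e) {
        return true;  // nothing configured yet: a fresh install is legitimate
    }
}

// Constructed scenario: credentials are already configured, but the configured
// database is temporarily unreachable (e.g. an outage or a blocked port).
$settings = [
    'databases' => [
        'default' => ['host' => 'db.internal', 'database' => 'drupal'],
    ],
];
$unreachable = function (): bool {
    throw new RuntimeException('connection refused');
};

echo 'weak check lets installer run:     ',
     installer_may_run_weak($unreachable) ? 'yes' : 'no', PHP_EOL;
echo 'hardened check lets installer run: ',
     installer_may_run_hardened($settings, $unreachable) ? 'yes' : 'no', PHP_EOL;
```

The design point is that the installer's "already installed" decision must rest on state the attacker cannot influence from the request (the credentials written at install time), not on the outcome of a connection attempt that can fail for transient reasons or be redirected to a database the attacker controls.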

Remediation

Install the update from the vendor's website.