Main Vulnerability Database SB2013010302

SB2013010302 - Access bypass in Drupal Drupal

Published: January 3, 2013 Updated: September 15, 2016

Security Bulletin ID SB2013010302

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Access bypass (CVE-ID: CVE-2012-5652)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to look the uploaded files over.
The weakness exists due to access control error and results in showing of uploaded files in RSS feeds and search results. The vulnerability increases possibility to view the information by users not allowed to read it before.
Successful exploitation of the weakness allows malicious users to obtain uploaded files.

Remediation

Install update from vendor's website.

References

https://www.drupal.org/SA-CORE-2012-004