SB2016091918 - Arbitrary file uploads via BlogAPI in Drupal Drupal

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2016091918

SB2016091918 - Arbitrary file uploads via BlogAPI in Drupal Drupal

Published: September 19, 2016 Updated: February 17, 2017

Security Bulletin ID SB2016091918
Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 security vulnerability.


1) Arbitrary file uploads via BlogAPI (CVE-ID: N/A)

The vulnerability allows a remote user to download harmful files to compromise the target system.
The weaness is caused by improper validation of uploaded files extension by BlogAPI module that allows attackers to insert certain files or data.
Successful exploitation of the vulnerability may result in malicious files uploading and vulnerable system compromising.

Remediation

Install update from vendor's website.

References