Information disclosure in Drupal - CVE-2016-9449

 


Published: November 25, 2016 / Updated: August 9, 2020


Vulnerability identifier: #VU40008
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-9449
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Drupal
Affected software:
Drupal

Detailed vulnerability description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The taxonomy module in Drupal 7.x before 7.52 and 8.x before 8.2.3 might allow remote authenticated users to obtain sensitive information about taxonomy terms by leveraging inconsistent naming of access query tags.


How to mitigate CVE-2016-9449

Install the update from the vendor's website.
