Access bypass in Drupal - #VU455
Published: September 15, 2016
Vulnerability identifier: #VU455
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Drupal
Affected software:
Drupal
Detailed vulnerability description
The vulnerability allows a remote user to bypass security mechanisms.
The weakness exists due to an access control error. Invalid tokens that are treated as TRUE help an attacker bypass access control on the target system.
Successful exploitation of the vulnerability will allow a malicious user to bypass access control on the vulnerable system.
Remediation
Update 6.x to 6.29.
https://www.drupal.org/drupal-6.29-release-notes
Update 7.x to 7.24.
https://www.drupal.org/drupal-7.24-release-notes