Access bypass in Drupal - #VU489
Published: September 16, 2016
Vulnerability identifier: #VU489
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Drupal
Affected software:
Drupal
Detailed vulnerability description
The vulnerability allows a remote unauthenticated user to gain access to file downloads.
The weakness exists due to insufficient input validation and improper name checking, which allows others to download specially crafted files.
Successful exploitation of the vulnerability allows a non-privileged user to obtain potentially sensitive information.
Remediation
Update 5.x to 5.23.
http://ftp.drupal.org/files/projects/drupal-5.23.tar.gz
Update 6.x to 6.18 or 6.19.
http://ftp.drupal.org/files/projects/drupal-6.18.tar.gz
http://ftp.drupal.org/files/projects/drupal-6.19.tar.gz