Access rules bypass in Drupal - #VU537
Published: September 19, 2016
Vulnerability identifier: #VU537
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Drupal
Affected software:
Drupal
Drupal
Detailed vulnerability description
The vulnerability allows users to log in the site if they weren't allowed to do it before.
The weakness exists due to deficiency in the user module that exposes forbidden users ability to log into the site.
Successful exploitation of the vulnerablity results in successful logging into the site by the blocked user.
The weakness exists due to deficiency in the user module that exposes forbidden users ability to log into the site.
Successful exploitation of the vulnerablity results in successful logging into the site by the blocked user.
Remediation
Update 5.x to 5.11.
http://ftp.drupal.org/files/projects/drupal-5.11.tar.gz
Update 6.x to 6.5.
http://ftp.drupal.org/files/projects/drupal-6.5.tar.gz
http://ftp.drupal.org/files/projects/drupal-5.11.tar.gz
Update 6.x to 6.5.
http://ftp.drupal.org/files/projects/drupal-6.5.tar.gz