Privilege Escalation in Drupal - #VU541
Published: September 19, 2016
Vulnerability identifier: #VU541
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Drupal
Affected software:
Drupal
Detailed vulnerability description
The vulnerability allows users with the "upload files" permission to gain elevated privileges on the target system.
The weakness is in the Upload module, which gives a malicious user increased privileges and permissions to perform actions that were previously forbidden: editing nodes, deleting files, or downloading node attachments.
Successful exploitation of the vulnerability allows users to extend their own privileges and their access to functionality.