Arbitrary code execution in Drupal - #VU556
Published: September 20, 2016
Vulnerability identifier: #VU556
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Drupal
Affected software:
Drupal
Drupal
Detailed vulnerability description
The vulnerability allows a remote user to perform arbitrary code execution on the target server.
The weakness is caused by Drupal installer. Use of visitors' credentials for database in case of lack of site's database inaccessibility leads to arbitary code execution.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
The weakness is caused by Drupal installer. Use of visitors' credentials for database in case of lack of site's database inaccessibility leads to arbitary code execution.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.