Arbitrary code execution in Drupal - #VU560

 

Arbitrary code execution in Drupal - #VU560

Published: September 20, 2016


Vulnerability identifier: #VU560
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Drupal
Affected software:
Drupal

Detailed vulnerability description

The vulnerability allows authenticated user to cause arbitary code execution on the target system.
The weakness exists due to validation errors. Attackers can get "post comments" permission and access to more than one input filter that allows them to execute arbitrary code.
Successful exploiatation of the vulnerability leads to arbitrary code execution on the vulnerable system.

Remediation


Sources