Improper access control in Drupal - CVE-2017-6377
Published: March 17, 2017
Vulnerability identifier: #VU6108
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-6377
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Drupal
Affected software:
Drupal
Drupal
Detailed vulnerability description
The vulnerability allows a remote attacker to access potentially sensitive information.
The vulnerability exists due to incorrect permissions assigned for uploaded private files using a configured text editor (like CKEditor). The editor does not correctly check access for the file being attached, which can lead to disclosure of private files.
The vulnerability exists due to incorrect permissions assigned for uploaded private files using a configured text editor (like CKEditor). The editor does not correctly check access for the file being attached, which can lead to disclosure of private files.
How to mitigate CVE-2017-6377
Update to version 8.2.7.