Access security bypass in Drupal - CVE-2016-7572
Published: September 27, 2016 / Updated: December 5, 2020
Vulnerability identifier: #VU667
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-7572
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Drupal
Affected software:
Drupal
Detailed vulnerability description
The vulnerability allows a remote authenticated user to download the configuration export from the target system.
The weakness is caused by improper access control. Via the "system.temporary" route, an attacker can download the whole config export.
Successful exploitation of the vulnerability may result in the configuration export being downloaded from the vulnerable system.
How to mitigate CVE-2016-7572
Install the update from the vendor's website.