#VU6108 Improper access control in Drupal - CVE-2017-6377
Published: March 17, 2017
Vulnerability identifier: #VU6108
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-6377
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Drupal
Drupal
Software vendor:
Drupal
Drupal
Description
The vulnerability allows a remote attacker to access potentially sensitive information.
The vulnerability exists due to incorrect permissions assigned for uploaded private files using a configured text editor (like CKEditor). The editor does not correctly check access for the file being attached, which can lead to disclosure of private files.
The vulnerability exists due to incorrect permissions assigned for uploaded private files using a configured text editor (like CKEditor). The editor does not correctly check access for the file being attached, which can lead to disclosure of private files.
Remediation
Update to version 8.2.7.