#VU667 Access security bypass in Drupal - CVE-2016-7572 

 


Published: September 27, 2016 / Updated: December 5, 2020


Vulnerability identifier: #VU667
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-7572
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Drupal
Software vendor:
Drupal

Description

The vulnerability allows a remote authenticated user to download the configuration export from the target system.
The weakness is caused by improper access control: via the "system.temporary" route, attackers can download the whole config export.
Successful exploitation of the vulnerability may result in the configuration export being downloaded from the vulnerable system.

Remediation

Install the update from the vendor's website.
