Description
Drupal editor module incorrectly checks access to inline private files
When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.
References
- https://nvd.nist.gov/vuln/detail/CVE-2017-6377
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2017-6377.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2017-6377.yaml
- https://www.drupal.org/SA-2017-001
- http://www.securityfocus.com/bid/96919
- http://www.securitytracker.com/id/1038058
Packages

| Name | Package manager | Affected versions | Fixed version |
| --- | --- | --- | --- |
| drupal/core | composer | >= 8.2.0, < 8.2.7 | 8.2.7 |
| drupal/drupal | composer | >= 8.2.0, < 8.2.7 | 8.2.7 |
Related vulnerabilities
CVSS3: 7.5
ubuntu
more than 8 years ago
When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.
CVSS3: 7.5
nvd
more than 8 years ago
When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.
CVSS3: 7.5
debian
more than 8 years ago
When adding a private file via the editor in Drupal 8.2.x before 8.2.7 ...