PT-2019-8593 · Drupal · Drupal

Greg Knaddison

Published

2017-06-24

Updated

2022-05-13

CVE-2017-6922

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Drupal core versions prior to 8.3.4 Drupal core versions prior to 7.56

Description The issue allows an access bypass, where private files uploaded by an anonymous user are visible to all anonymous users, rather than just the user who uploaded them. This occurs on sites that allow anonymous users to upload files into a private file system.

Recommendations For Drupal core versions prior to 8.3.4, update to version 8.3.4 or later. For Drupal core versions prior to 7.56, update to version 7.56 or later.

Exploit

Fix

Files Accessible to External Parties

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-552

Related Identifiers

CVE-2017-6922

DLA-1004-1

DSA-3897-1

GHSA-58F3-CX8P-H8JG

MGASA-2017-0198

Affected Products

Drupal

PT-2019-8593 · Drupal · Drupal

CVE-2017-6922

Weakness Enumeration

Related Identifiers

Affected Products

References · 23