PT-2020-13650 · Drupal · Drupal Core

Published 2020-09-16 · Updated 2024-03-06 · CVE-2020-13670

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Drupal Core versions prior to 8.8.10
Drupal Core versions prior to 8.9.6
Drupal Core versions prior to 9.0.6

Description

The issue allows an attacker to gain access to the file metadata of a permanent private file by guessing the ID of the file. This is an Information Disclosure issue in the file module of Drupal Core.

Recommendations

For versions prior to 8.8.10, update to version 8.8.10 or later.
For versions prior to 8.9.6, update to version 8.9.6 or later.
For versions prior to 9.0.6, update to version 9.0.6 or later.

Exploit

Fix

Weakness Enumeration

Exposure of Resource to Wrong Sphere

Related Identifiers

BIT-DRUPAL-2020-13670
CVE-2020-13670
DRUPAL-CORE-2020-011
GHSA-MMJR-5Q74-P3M4

Affected Products

Drupal Core