oss-sec mailing list archives
Re: CVE request: drupal before 7.5 access bypass
From: Kurt Seifried <kseifried () redhat com>
Date: Sun, 20 Nov 2011 19:58:47 -0700
On 11/20/2011 04:14 AM, Hanno Böck wrote:
> http://drupal.org/node/1231510
>
> If a Drupal site is using these features on comments, and the parent node is denied access (either by a node access module or by being unpublished), the file attached to the comment can still be downloaded by non-privileged users if they know or guess its direct URL.
Please use CVE-2011-4323 for this issue.

--
-Kurt Seifried / Red Hat Security Response Team