Re: CVE request: drupal before 7.5 access bypass

[Kurt Seifried <kseifried () redhat com>]

On 11/20/2011 04:14 AM, Hanno Böck wrote:
> http://drupal.org/node/1231510
>
> If a Drupal site is using these features on comments, and the parent
> node is denied access (either by a node access module or by being
> unpublished), the file attached to the comment can still be downloaded
> by non-privileged users if they know or guess its direct URL.

Please use CVE-2011-4323 for this issue.

-- 

-Kurt Seifried / Red Hat Security Response Team