oss-sec mailing list archives
Re: CVE request: drupal before 7.5 access bypass
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 21 Nov 2011 14:12:36 -0700
On 11/21/2011 10:55 AM, Moritz Muehlenhoff wrote:
> On Sun, Nov 20, 2011 at 07:58:47PM -0700, Kurt Seifried wrote:
>> On 11/20/2011 04:14 AM, Hanno Böck wrote:
>>> http://drupal.org/node/1231510
>>>
>>> If a Drupal site is using these features on comments, and the parent
>>> node is denied access (either by a node access module or by being
>>> unpublished), the file attached to the comment can still be downloaded
>>> by non-privileged users if they know or guess its direct URL.
>>
>> Please use CVE-2011-4323 for this issue.
>
> This has already been assigned CVE-2011-2726, see
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2726 for details ;-)
>
> Cheers,
> Moritz

Correct. CVE-2011-4323 is a duplicate of CVE-2011-2726. My bad.

--
-Kurt Seifried / Red Hat Security Response Team

Current thread:
- CVE request: drupal before 7.5 access bypass Hanno Böck (Nov 20)
- Re: CVE request: drupal before 7.5 access bypass Kurt Seifried (Nov 20)
- Re: CVE request: drupal before 7.5 access bypass Moritz Muehlenhoff (Nov 21)
- Re: CVE request: drupal before 7.5 access bypass Kurt Seifried (Nov 21)
- Re: CVE request: drupal before 7.5 access bypass Moritz Muehlenhoff (Nov 21)
- Re: CVE request: drupal before 7.5 access bypass Kurt Seifried (Nov 20)