CVE-2011-2726 — Incorrect Authorization in Drupal

CWE-863 — Incorrect Authorization2 documents2 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 39.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Drupal Core Debian Linux +2 more

Timeline

PublishedNov 15

Latest updateApr 22

Description

An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDdrupal/drupal7.0 — 7.5

▶CVEListV5drupal_core/drupal_core7.x before version 7.5

Also affects: Debian Linux 8.0, 9.0, Fedora 14, 15, 16, Enterprise Linux 5.0, 6.0

🔴Vulnerability Details

GHSA

GHSA-ph8m-2h2f-qgr2: An access bypass issue was found in Drupal 7↗2022-04-22

▶