CVE-2016-3162
Published 2016-04-12
Priority: P346 · high · 8.1 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 1.59% (72.6th percentile)
The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| drupal | core | >= 7.0 < 7.43 | 7.43 |
| drupal | core | >= 8.0 < 8.0.4 | 8.0.4 |
| drupal | drupal | — | — |
CVSS provenance
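| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 8.1 | HIGH | — |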
OSV
Drupal File upload access bypass and denial of service
osv·2022-05-17
CVE-2016-3162 [HIGH] Drupal File upload access bypass and denial of service
GHSA
Drupal File upload access bypass and denial of service
ghsa·2022-05-17
CVE-2016-3162 [HIGH] CWE-284 Drupal File upload access bypass and denial of service
OSV
CVE-2016-3162: The File module in Drupal 7
osv·2016-04-12·CVSS 8.1
CVE-2016-3162 [HIGH] CVE-2016-3162: The File module in Drupal 7
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-3162 drupal7: drupal: several issues fixed in 7.43 and 6.38 (SA-CORE-2016-001) [fedora-all]
bugzilla·2016-02-26·CVSS 8.1
CVE-2016-3162 [HIGH] CVE-2016-3162 drupal7: drupal: several issues fixed in 7.43 and 6.38 (SA-CORE-2016-001) [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple
Bugzilla
CVE-2016-3162 drupal7: drupal: several issues fixed in 7.43 and 6.38 (SA-CORE-2016-001) [epel-all]
bugzilla·2016-02-26·CVSS 8.1
CVE-2016-3162 [HIGH] CVE-2016-3162 drupal7: drupal: several issues fixed in 7.43 and 6.38 (SA-CORE-2016-001) [epel-all]
Bugzilla
CVE-2016-3162 CVE-2016-3163 CVE-2016-3164 CVE-2016-3165 CVE-2016-3166 CVE-2016-3167 CVE-2016-3168 CVE-2016-3169 CVE-2016-3170 CVE-2016-3171 drupal: several issues fixed in 7.43 and 6.38 (SA-CORE-2016-
bugzilla·2016-02-26·CVSS 8.1
CVE-2016-3162 [HIGH] CVE-2016-3162 CVE-2016-3163 CVE-2016-3164 CVE-2016-3165 CVE-2016-3166 CVE-2016-3167 CVE-2016-3168 CVE-2016-3169 CVE-2016-3170 CVE-2016-3171 drupal: several issues fixed in 7.43 and 6.38 (SA-CORE-2016-
CVE-2016-3162 CVE-2016-3163 CVE-2016-3164 CVE-2016-3165 CVE-2016-3166 CVE-2016-3167 CVE-2016-3168 CVE-2016-3169 CVE-2016-3170 CVE-2016-3171 drupal: several issues fixed in 7.43 and 6.38 (SA-CORE-2016-001)
Several issues were fixed in Drupal 7.43 and Drupal 6.38 core modules:
External references:
https://www.drupal.org/SA-CORE-2016-001
Discussion:
Created drupal7 tracking bugs for this issue:
Affects: fedora-all [bug 1312391]
Affects: epel-all [bug 1312394]
---
Created drupal6 tracking bugs for this issue:
Affects: fedora-all [bug 1312390]
Affects: epel-all [bug 1312392]
---
CVE assignments:
http://seclists.org/oss-sec/2016/q1/650
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat
Bugzilla
CVE-2016-3162 drupal6: drupal: several issues fixed in 7.43 and 6.38 (SA-CORE-2016-001) [epel-all]
bugzilla·2016-02-26·CVSS 8.1
CVE-2016-3162 [HIGH] CVE-2016-3162 drupal6: drupal: several issues fixed in 7.43 and 6.38 (SA-CORE-2016-001) [epel-all]
Bugzilla
CVE-2016-3162 drupal6: drupal: several issues fixed in 7.43 and 6.38 (SA-CORE-2016-001) [fedora-all]
bugzilla·2016-02-26·CVSS 8.1
CVE-2016-3162 [HIGH] CVE-2016-3162 drupal6: drupal: several issues fixed in 7.43 and 6.38 (SA-CORE-2016-001) [fedora-all]
http://www.debian.org/security/2016/dsa-3498
http://www.openwall.com/lists/oss-security/2016/02/24/19
http://www.openwall.com/lists/oss-security/2016/03/15/10
https://www.drupal.org/SA-CORE-2016-001
Published: 2016-04-12