CVE-2016-7572

CWE-264 | 4 documents | 4 sources
Severity: 4.3 MEDIUM
EPSS: 0.3%, top 51.43%
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Oct 3
Latest update: May 17

Description

The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (3 packages)

Packagist | drupal/core | 8.0 | 8.1.10
Packagist | drupal/drupal | 8.0 | 8.1.10
NVD | drupal/drupal | 17 versions | +16

Vulnerability Details (3)

GHSA | Drupal Unprivileged access to config export | 2022-05-17
OSV | Drupal Unprivileged access to config export | 2022-05-17
CVEList | CVE-2016-7572: The system | 2016-10-03
CVE-2016-7572 (MEDIUM CVSS 4.3) | The system.temporary route in Drupa | cvebase.io