oss-sec mailing list archives

Re: CVE request: drupal before 7.5 access bypass


From: Moritz Muehlenhoff <jmm () debian org>
Date: Mon, 21 Nov 2011 18:55:56 +0100

> On Sun, Nov 20, 2011 at 07:58:47PM -0700, Kurt Seifried wrote:
> > On 11/20/2011 04:14 AM, Hanno Böck wrote:
> > > http://drupal.org/node/1231510
> > >
> > > If a Drupal site is using these features on comments, and the parent
> > > node is denied access (either by a node access module or by being
> > > unpublished), the file attached to the comment can still be downloaded
> > > by non-privileged users if they know or guess its direct URL.
>
> Please use CVE-2011-4323 for this issue.

This has already been assigned CVE-2011-2726, see 
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2726 for details ;-)

Cheers,
        Moritz
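A constructed model of the bypass described in the quoted advisory, added here as an illustration (this is not Drupal's code; the entity tables, the `grants` field and both check functions are assumed). It contrasts a download check that only verifies the file exists with one that walks file -> comment -> parent node and applies the node's published state and node-access grants before serving.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    nid: int
    published: bool
    # Users explicitly granted 'view' by a node access module (assumed model);
    # an empty set means no module restricts the node.
    grants: set = field(default_factory=set)

@dataclass
class Comment:
    cid: int
    nid: int  # parent node

@dataclass
class File:
    fid: int
    cid: int  # comment the file is attached to

# Constructed sample data: node 1 is unpublished, node 2 is restricted to alice.
NODES = {1: Node(1, published=False), 2: Node(2, published=True, grants={"alice"})}
COMMENTS = {10: Comment(10, nid=1), 11: Comment(11, nid=2)}
FILES = {100: File(100, cid=10), 101: File(101, cid=11)}

def node_access_view(node: Node, user: str) -> bool:
    """Parent node is viewable only if published and the user holds a grant."""
    return node.published and (not node.grants or user in node.grants)

def file_download_unchecked(fid: int, user: str) -> bool:
    """The bypass: anyone who knows the URL gets the file if it exists."""
    return fid in FILES

def file_download_checked(fid: int, user: str) -> bool:
    """Hardened: authorize via the owning comment's parent node."""
    f = FILES.get(fid)
    comment = COMMENTS.get(f.cid) if f else None
    node = NODES.get(comment.nid) if comment else None
    if node is None:
        return False  # orphaned file: fail closed
    return node_access_view(node, user)
```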