CVE-2017-6377

7.5HIGH

Key Information

Vendor: Drupal
Status: Drupal Core
Vendor: CVE Published:; 16 March 2017

Summary

When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.

Affected Version(s)

Drupal Core = 8.2.x versions before 8.2.7

Refferences

http://www.securitytracker.com/id/1038058

vdb-entryx_refsource_SECTRACK

https://www.drupal.org/SA-2017-001

x_refsource_CONFIRM

http://www.securityfocus.com/bid/96919

vdb-entryx_refsource_BID

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 16, 2017
Vulnerability Reserved
Feb 28, 2017

Collectors

NVD DatabaseMitre Database