File Path Exposure Vulnerability in Drupal by Drupal
CVE-2023-31250

6.5MEDIUM

Key Information:

Vendor: Drupal
Status: Core
Vendor: CVE Published:; 26 April 2023

Summary

This vulnerability arises from the inadequate sanitization of file paths within the file download functionality of Drupal. Exploitation of this flaw can allow users to access sensitive files that should remain private, posing a significant risk to user data and site integrity. It is crucial for Drupal administrators to review the release notes for their specific Drupal version and implement necessary configuration changes to secure their installations against this vulnerability.

Affected Version(s)

Core 7.0 < 7.96

Core 10.0 < 10.0.8

Core 9.5 < 9.5.8

References

https://www.drupal.org/sa-core-2023-005

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 26, 2023
Vulnerability Reserved
Apr 26, 2023