Description
Drupal 4.5.0 through 4.5.5 and 4.6.0 through 4.6.3, when running on PHP5, does not correctly enforce user privileges, which allows remote attackers to bypass the "access user profiles" permission.
References (8)
Core References
http://www.vupen.com/english/advisories/2005/2684 (Third Party Advisory; vdb-entry; x_refsource_vupen)
http://drupal.org/files/sa-2005-009/4.6.3.patch (Patch; x_refsource_misc)
http://www.debian.org/security/2006/dsa-958 (Patch, Vendor Advisory; vendor-advisory; x_refsource_debian)
http://www.securityfocus.com/bid/15674 (Patch; vdb-entry; x_refsource_bid)
http://secunia.com/advisories/18630 (Patch, Vendor Advisory; third-party-advisory; x_refsource_secunia)
http://www.securityfocus.com/archive/1/418336/100/0/threaded (Third Party Advisory, VDB Entry; mailing-list; x_refsource_bugtraq)
http://drupal.org/files/sa-2005-009/advisory.txt (Vendor Advisory; x_refsource_confirm)
http://secunia.com/advisories/17824 (Patch, Vendor Advisory; third-party-advisory; x_refsource_secunia)
Scores
EPSS: 0.0055
EPSS Percentile: 68.1%
Details
Status: published
Products (10)
drupal/drupal 4.5
drupal/drupal 4.5.1
drupal/drupal 4.5.2
drupal/drupal 4.5.3
drupal/drupal 4.5.4
drupal/drupal 4.5.5
drupal/drupal 4.6
drupal/drupal 4.6.1
drupal/drupal 4.6.2
drupal/drupal 4.6.3
Published: Dec 03, 2005
Tracked Since: Feb 18, 2026