CVE-2008-0577

Drupal Project Issue Tracking Module - Access Control

Title source: rule

Description

The Project Issue Tracking module 5.x-2.x-dev before 20080130 in the 5.x-2.x series, 5.x-1.2 and earlier in the 5.x-1.x series, 4.7.x-2.6 and earlier in the 4.7.x-2.x series, and 4.7.x-1.6 and earlier in the 4.7.x-1.x series for Drupal (1) does not restrict the extensions of attached files when the Upload module is enabled for issue nodes, which allows remote attackers to upload and possibly execute arbitrary files; and (2) accepts the .html extension within the bundled file-upload functionality, which allows remote attackers to upload files containing arbitrary web script or HTML.

References (3)

[Various Sources] http://drupal.org/node/216063

[Vendor Advisory] http://secunia.com/advisories/28731

[Third Party Advisory] http://www.vupen.com/english/advisories/2008/0376/references

Scores

EPSS 0.0028

EPSS Percentile 50.7%

Classification

CWE

CWE-264

Status draft

Affected Products (2)

drupal/project_issue_tracking_module

Timeline

Published Feb 05, 2008

Tracked Since Feb 18, 2026