CVE-2008-1729
Drupal 6.0-6.1 - Unauthenticated Profile Editing and Information Disclosure via Menu System
Title source: llmDescription
The menu system in Drupal 6 before 6.2 has incorrect menu settings, which allows remote attackers to (1) edit the profile pages of arbitrary users, and obtain sensitive information from (2) tracker and (3) blog pages, related to a missing check for the "access content" permission; and (4) allows remote authenticated users, with administration page view access, to edit content types.
References (6)
Core 6
Core References
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/29762
Broken Link vdb-entry
x_refsource_osvdb
http://www.osvdb.org/44270
Patch, Vendor Advisory x_refsource_confirm
http://drupal.org/node/244637
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/41755
Patch, Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/28714
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2008/1185/references
Scores
EPSS
0.0086
EPSS Percentile
75.3%
Details
Status
published
Products (1)
drupal/drupal
6.0 - 6.2
Published
Apr 11, 2008
Tracked Since
Feb 18, 2026