CVE-2010-3092
Drupal 5.x < 5.23 and 6.x < 6.18 - Authenticated File Download Restriction Bypass via Case-Insensitive Filename Handling
The upload module in Drupal 5.x before 5.23 and 6.x before 6.18 does not properly support case-insensitive filename handling in a database configuration, which allows remote authenticated users to bypass the intended restrictions on downloading a file by uploading a different file with a similar name.
References (5)
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2010/dsa-2113
Mailing List (mailing-list, x_refsource_mlist): http://marc.info/?l=oss-security&m=128440896914512&w=2
Patch, Vendor Advisory (x_refsource_confirm): http://drupal.org/node/880476
Mailing List (mailing-list, x_refsource_mlist): http://marc.info/?l=oss-security&m=128418560705305&w=2
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/42391
Scores
EPSS: 0.0017
EPSS Percentile: 38.3%
Details
CWE: CWE-264
Status: published
Products (36)
drupal/drupal 5.0 (6 CPE variants)
drupal/drupal 5.1
drupal/drupal 5.2
drupal/drupal 5.3
drupal/drupal 5.4
drupal/drupal 5.5
drupal/drupal 5.6
drupal/drupal 5.7
drupal/drupal 5.8
drupal/drupal 5.9
... and 26 more
Published: Sep 21, 2010
Tracked Since: Feb 18, 2026