CVE-2012-2922
Drupal < 7.14 - Unauthenticated Sensitive Information Exposure via q[] Parameter
Title source: llmDescription
The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message.
References (9)
Core 9
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/75531
Exploit mailing-list
x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2012-05/0053.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/53454
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://osvdb.org/81817
Vendor Advisory vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2013:074
Exploit, Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/49131
Third Party Advisory mailing-list
x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2012-05/0052.html
Third Party Advisory mailing-list
x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2012-05/0055.html
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/08/02/8
Scores
EPSS
0.0050
EPSS Percentile
66.1%
Details
CWE
CWE-200
Status
published
Products (36)
drupal/drupal
5.0 (6 CPE variants)
drupal/drupal
5.1
drupal/drupal
5.2
drupal/drupal
5.3
drupal/drupal
5.4
drupal/drupal
5.5
drupal/drupal
5.6
drupal/drupal
5.7
drupal/drupal
5.8
drupal/drupal
5.9
... and 26 more
Published
May 21, 2012
Tracked Since
Feb 18, 2026