CVE-2013-0246
Drupal < 7.19 - Unauthenticated Information Disclosure via Image Module
The Image module in Drupal 7.x before 7.19, when a private file system is used, does not properly restrict access to derivative images, which allows remote attackers to read derivative images of otherwise restricted images via unspecified vectors.
References (5)
Exploit, Third Party Advisory (x_refsource_misc): http://packetstormsecurity.com/files/119598/Drupal-Core-6.x-7.x-Cross-Site-Scripting-Access-Bypass.html
Mailing List (mailing-list, x_refsource_mlist): http://seclists.org/oss-sec/2013/q1/211
Mailing List (mailing-list, x_refsource_fulldisc): http://seclists.org/fulldisclosure/2013/Jan/120
Patch, Vendor Advisory (x_refsource_confirm): https://drupal.org/SA-CORE-2013-001
Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/51717
Scores
EPSS: 0.0040
EPSS Percentile: 61.1%
Details
CWE: CWE-264
Status: published
Products (20)
drupal/drupal 7.0 (16 CPE variants)
drupal/drupal 7.1
drupal/drupal 7.2
drupal/drupal 7.3
drupal/drupal 7.4
drupal/drupal 7.5
drupal/drupal 7.6
drupal/drupal 7.7
drupal/drupal 7.8
drupal/drupal 7.9
... and 10 more
Published: Jul 16, 2013
Tracked Since: Feb 18, 2026