CVE-2014-5020

Drupal 7.x < 7.29 - Authenticated Unauthorized File Access via File Module

Title source: llm

Description

The File module in Drupal 7.x before 7.29 does not properly check permissions to view files, which allows remote authenticated users with certain permissions to bypass intended restrictions and read files by attaching the file to content with a file field.

References (2)

Core References
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2014/dsa-2983
Patch, Vendor Advisory x_refsource_confirm
https://www.drupal.org/SA-CORE-2014-003

Scores

EPSS 0.0011
EPSS Percentile 29.6%

Details

CWE CWE-264
Status published
Products (30)
drupal/drupal 7.0 (16 CPE variants)
drupal/drupal 7.1
drupal/drupal 7.2
drupal/drupal 7.3
drupal/drupal 7.4
drupal/drupal 7.5
drupal/drupal 7.6
drupal/drupal 7.7
drupal/drupal 7.8
drupal/drupal 7.9
... and 20 more
Published Jul 22, 2014
Tracked Since Feb 18, 2026