CVE-2016-3162

HIGH

Drupal 7.x < 7.43 and 8.x < 8.0.4 - Authenticated Improper Access Control in File Module

Title source: llm
STIX 2.1

Description

The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.

References (4)

Core 4
Core References
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/02/24/19
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/03/15/10
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2016/dsa-3498
Patch, Vendor Advisory x_refsource_confirm
https://www.drupal.org/SA-CORE-2016-001

Scores

CVSS v3 8.1
EPSS 0.0029
EPSS Percentile 52.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-284
Status published
Products (35)
debian/debian_linux 7.0
debian/debian_linux 8.0
drupal/core 7.0 - 7.43Packagist
drupal/drupal 7.0 (16 CPE variants)
drupal/drupal 7.1
drupal/drupal 7.2
drupal/drupal 7.3
drupal/drupal 7.4
drupal/drupal 7.5
drupal/drupal 7.6
... and 25 more
Published Apr 12, 2016
Tracked Since Feb 18, 2026