CVE-2023-31250

MEDIUM

Drupal 7.0-7.95 and 10.0.0-10.0.7 - Incorrect Authorization in File Download Facility

Title source: llm

Description

The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.

References (1)

Core 1

Core References

Vendor Advisory

https://www.drupal.org/sa-core-2023-005

Scores

CVSS v3 6.5

EPSS 0.0037

EPSS Percentile 59.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (2)

drupal/core 10.0.0 - 10.0.8Packagist

drupal/drupal 7.0 - 7.96

Published Apr 26, 2023

Tracked Since Feb 18, 2026