CVSS2 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
EPSS percentile: 71.0%
The Avatar Uploader module provides an alternative way to upload user pictures.
The module doesn't sufficiently enforce file extensions when an avatar is uploaded, allowing users to bypass Drupal's normal file upload protections and place malicious HTML or executable code on the server.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "upload avatar file", and that the fix for SA-2006-006 (Drupal Core - Execution of arbitrary files in certain Apache configurations) should prevent code execution in typical Apache configurations.
Drupal core is not affected. If you do not use the contributed Avatar Uploader module, there is nothing you need to do.
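The kind of extension enforcement the advisory says the module lacks, written as an added example in PHP. This is illustrative code, not the Avatar Uploader module's or Drupal's own; the function names, the allowlist constant and the image sanity check are assumptions. Neutralising inner extensions with an underscore (so "avatar.php.jpg" is stored as "avatar.php_.jpg") is the same idea Drupal core's filename munging uses, which matters because some Apache setups match "*.php*" anywhere in a name rather than only at the end.

```php
<?php
// Added example, not the module's code. Defensive allowlist check for
// an uploaded avatar filename, plus an independent check on the bytes.

/** Extensions an avatar may carry; everything else is refused or neutralised. */
const AVATAR_ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Return a safe filename to store the upload under, or NULL to refuse it.
 *
 * Rules applied, in order:
 *  - drop any directory component and NUL bytes from the client-supplied name;
 *  - refuse empty names, dotfiles and names with no extension at all;
 *  - the final extension must be in the allowlist (compared case-insensitively,
 *    so ".PhP" or ".HTML" cannot slip past);
 *  - every inner extension that is not itself allowed gets an underscore
 *    appended, e.g. "avatar.php.jpg" becomes "avatar.php_.jpg".
 */
function avatar_safe_filename(string $original): ?string {
    $name = trim(basename(str_replace("\0", '', $original)));
    if ($name === '' || $name[0] === '.') {
        return NULL;
    }
    $parts = explode('.', $name);
    if (count($parts) < 2) {
        return NULL;                        // no extension: refuse
    }
    $last = strtolower(array_pop($parts));
    if (!in_array($last, AVATAR_ALLOWED_EXTENSIONS, TRUE)) {
        return NULL;                        // .php, .phtml, .html, .svg, ...
    }
    // Rebuild the name, neutralising inner extensions outside the allowlist.
    $safe = array_shift($parts);
    foreach ($parts as $inner) {
        if (!in_array(strtolower($inner), AVATAR_ALLOWED_EXTENSIONS, TRUE)) {
            $inner .= '_';
        }
        $safe .= '.' . $inner;
    }
    return $safe . '.' . $last;
}

/**
 * Second, independent check on the uploaded bytes: they must decode as one
 * of the image types the allowlist permits. A name check alone says nothing
 * about content, so both checks are applied, never one instead of the other.
 */
function avatar_looks_like_image(string $tmp_path): bool {
    $info = @getimagesize($tmp_path);       // FALSE when not an image
    if ($info === FALSE) {
        return FALSE;
    }
    return in_array($info[2], [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG], TRUE);
}

/**
 * Hypothetical upload handler tying the two checks together. Assumes the
 * caller passes the entry from $_FILES for the avatar field.
 */
function avatar_accept_upload(array $file): ?string {
    if (!isset($file['name'], $file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return NULL;
    }
    $safe = avatar_safe_filename($file['name']);
    if ($safe === NULL || !avatar_looks_like_image($file['tmp_name'])) {
        return NULL;                        // refuse; log the rejection upstream
    }
    return $safe;                           // caller moves tmp_name to this name
}
```

Even with both checks in place, the files directory should still carry the .htaccess from SA-2006-006 that the advisory refers to, so a file that somehow passes validation is served as static content rather than executed; the upload check and the server configuration are separate layers, and the advisory's own mitigation relies on the second one.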
Install the latest version:
Also see the Avatar Uploader project page.
www.drupal.org/node/65409
Avatar Uploader project page: www.drupal.org/project/avatar-uploader