CVSS2: 6.0 (Medium)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
EPSS: 0.967 (High), percentile 99.7%
Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.
A vulnerability was identified that allows blocked users to appear in user search results, even when the search results are viewed by unprivileged users.
This vulnerability is mitigated by the fact that the default Drupal core user search results only display usernames (and disclosure of usernames is not considered a security vulnerability). However, since modules or themes may override the search results to display more information from each user's profile, this could result in additional information about blocked users being disclosed on some sites.
A vulnerability was identified that allows information about uploaded files to be displayed in RSS feeds and search results to users that do not have the "view uploaded files" permission.
This issue affects Drupal 6 only.
Drupal core's file upload feature blocks the upload of many files that can be executed on the server by munging the filename. A malicious user could name a file in a manner that bypasses this munging of the filename in Drupal's input validation.
This vulnerability is mitigated by several factors:
The attacker would need the permission to upload a file to the server.
Certain combinations of PHP and filesystems are not vulnerable to this issue, though we did not perform an exhaustive review of the supported PHP versions.
Finally, the server would need to allow execution of files in the uploads directory. Drupal core has protected against this with a .htaccess file that has been in place since SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache configurations. Users of IIS should consider updating their web.config. Users of Nginx should confirm that only index.php and other known-good scripts are executable. Users of other web servers should review their configuration to ensure the same goal is achieved in some other way.
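The munging and the layered server-side protection described above, as an added Python example. This is not Drupal's PHP code and not a reproduction of the fixed function; the advisory does not state what the bypass was, so the example shows the general technique (append an underscore to every intermediate, extension-like segment that is not whitelisted, compare case-insensitively, strip NUL bytes) together with a second gate that rejects any stored name containing a segment the web server would execute, so that a bypass of the munge alone is not enough. ALLOWED_EXTENSIONS, SERVER_EXECUTABLE and the sample filenames are constructed assumptions for the example.

```python
import re

# Constructed sample configuration: the administrator's upload whitelist and
# the extensions this particular web server hands to an interpreter. Both are
# assumptions for this example; mirror your real site and handler config.
ALLOWED_EXTENSIONS = "jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp"
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "phtml", "phar", "pl", "py", "cgi"}

# A dotted segment that looks like an extension: 2-5 letters, optional digit.
_EXT_LIKE = re.compile(r"^[a-zA-Z]{2,5}\d?$")


def munge_filename(filename: str, allowed: str = ALLOWED_EXTENSIONS) -> str:
    """Rename multi-extension uploads so no intermediate segment remains a
    handler-recognised extension: 'shell.php.txt' becomes 'shell.php_.txt'.

    The final extension is left alone here; a separate whitelist check decides
    whether it is acceptable at all (see check_upload)."""
    filename = filename.replace("\0", "")          # drop NUL bytes before parsing
    whitelist = set(allowed.lower().split())
    if "." not in filename:
        return filename
    parts = filename.split(".")
    base, final = parts[0], parts[-1]
    new_name = base
    for part in parts[1:-1]:
        new_name += "." + part
        # Compare case-insensitively so 'PHP' is treated like 'php'.
        if part.lower() not in whitelist and _EXT_LIKE.match(part):
            new_name += "_"
    return new_name + "." + final


def check_upload(filename: str,
                 allowed: str = ALLOWED_EXTENSIONS,
                 executable: set = SERVER_EXECUTABLE) -> tuple:
    """Return (stored_name, accepted).

    Two independent gates are applied after munging:
      1. the final extension must be on the whitelist;
      2. no dotted segment of the stored name may be one the server executes
         (Apache's mod_mime can act on any segment, not only the last)."""
    stored = munge_filename(filename, allowed)
    if "." not in stored:
        return stored, False
    segments = stored.lower().split(".")[1:]
    whitelist = set(allowed.lower().split())
    if segments[-1] not in whitelist:
        return stored, False
    if any(seg in executable for seg in segments):
        return stored, False
    return stored, True


if __name__ == "__main__":
    # Constructed sample upload names, including attacker-style ones.
    for name in ["report.pdf", "shell.php.txt", "shell.PHP.txt",
                 "shell.php", "a.php\0.jpg", "evil.php3.txt", "x.tar.gz"]:
        stored, ok = check_upload(name)
        print(f"{name!r:20} -> {stored!r:20} {'accepted' if ok else 'REJECTED'}")
```

The second gate only helps if SERVER_EXECUTABLE actually matches the handlers your web server has configured, which is exactly the check the advisory asks IIS, Nginx and other web server users to perform; the .htaccess that Drupal ships for the files directory is the equivalent server-side layer for Apache.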
Install the latest version: sites running Drupal 6.x should upgrade to Drupal 6.27, and sites running Drupal 7.x should upgrade to Drupal 7.18.
Also see the Drupal core project page.
drupal.org/contact
drupal.org/drupal-6.27-release-notes
drupal.org/drupal-7.18-release-notes
drupal.org/node/1004778
drupal.org/node/1543392
drupal.org/node/65409
drupal.org/project/drupal
drupal.org/security-team
drupal.org/security-team/risk-levels
drupal.org/security/secure-configuration
drupal.org/user/124982
drupal.org/user/148199
drupal.org/user/151544
drupal.org/user/181407
drupal.org/user/22211
drupal.org/user/302225
drupal.org/user/35821
drupal.org/user/36762
drupal.org/user/383424
drupal.org/user/400288
drupal.org/user/4166
drupal.org/user/426416
drupal.org/user/46549
drupal.org/user/49851
drupal.org/user/58170
drupal.org/user/91990
drupal.org/writing-secure-code