CVE-2011-2726

An access bypass issue was found in Drupal 7.x before version 7.5. If a Drupal site has the ability to attach File upload fields to any entity type in the system or has the ability to point individual File upload fields to the private file directory in comments, and the parent node is denied access, non-privileged users can still download the file attached to the comment if they know or guess its direct URL.
Configurations

Configuration 1 (hide)

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:o:fedoraproject:fedora:14:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:15:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:16:*:*:*:*:*:*:*

History

21 Nov 2024, 01:28

Type Values Removed Values Added
References () http://www.openwall.com/lists/oss-security/2012/03/19/10 - Mailing List, Third Party Advisory () http://www.openwall.com/lists/oss-security/2012/03/19/10 - Mailing List, Third Party Advisory
References () http://www.openwall.com/lists/oss-security/2012/03/20/14 - Mailing List, Third Party Advisory () http://www.openwall.com/lists/oss-security/2012/03/20/14 - Mailing List, Third Party Advisory
References () https://access.redhat.com/security/cve/cve-2011-2726 - Broken Link () https://access.redhat.com/security/cve/cve-2011-2726 - Broken Link
References () https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2726 - Issue Tracking, Third Party Advisory () https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2726 - Issue Tracking, Third Party Advisory
References () https://security-tracker.debian.org/tracker/CVE-2011-2726 - Third Party Advisory () https://security-tracker.debian.org/tracker/CVE-2011-2726 - Third Party Advisory
References () https://www.drupal.org/node/1231510 - Vendor Advisory () https://www.drupal.org/node/1231510 - Vendor Advisory

Information

Published : 2019-11-15 17:15

Updated : 2024-11-21 01:28


NVD link : CVE-2011-2726

Mitre link : CVE-2011-2726

CVE.ORG link : CVE-2011-2726


JSON object : View

Products Affected

debian

  • debian_linux

drupal

  • drupal

redhat

  • enterprise_linux

fedoraproject

  • fedora
CWE
CWE-863

Incorrect Authorization