Arbitrary PHP code execution in Drupal Drupal
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2012-4553 |
| CWE-ID | CWE-284 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Drupal Web applications / CMS |
| Vendor | Drupal |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Arbitrary PHP code execution
EUVDB-ID: #VU467
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-4553
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to cause arbitrary code execution on the original server.
The weakness is caused by identification of bug in the installer code. By using external database attacker can reinstall Drupal and cause arbitrary PHP code execution.
Successful exploitation of the vulnerability allows a malicious user to trigger arbitary code execution on the vunerable server.
Update 7.x to 7.16.
https://www.drupal.org/node/1815904
Drupal: 7.1 - 7.15
CPE2.3 External linkshttp://www.drupal.org/SA-CORE-2012-003
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
