Main Vulnerability Database SB2013010303

SB2013010303 - Arbitrary PHP code execution in Drupal Drupal

Published: January 3, 2013 Updated: September 15, 2016

Security Bulletin ID SB2013010303

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Arbitrary PHP code execution (CVE-ID: CVE-2012-5653)

The vulnerability allows a remote user to cause arbitrary code execution on the target system.
The weakness exists due to improper munging of uploaded files name. The vulnerability allows attacker with server permission to upload a specially named file that can bypass the filename munging and cause arbitrary code execution.
Successful exploitation of the weakness results in arbitrary code execution on the vulnerable system.

Remediation

Install update from vendor's website.

References

https://www.drupal.org/SA-CORE-2012-004