Arbitrary PHP code execution in Drupal Drupal
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2012-5653 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Drupal Web applications / CMS |
| Vendor | Drupal |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Arbitrary PHP code execution
EUVDB-ID: #VU465
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-5653
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to cause arbitrary code execution on the target system.
The weakness exists due to improper munging of uploaded files name. The vulnerability allows attacker with server permission to upload a specially named file that can bypass the filename munging and cause arbitrary code execution.
Successful exploitation of the weakness results in arbitrary code execution on the vulnerable system.
Update 6.x to 6.27.
https://www.drupal.org/drupal-6.27-release-notes
Update 7.x to 7.18.
https://www.drupal.org/drupal-7.18-release-notes
Drupal: 6.0 - 7.17
External linkshttp://www.drupal.org/SA-CORE-2012-004
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
