Risk | High |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | N/A |
CWE-ID | CWE-284 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Drupal (Web applications / CMS) |
Vendor | Drupal |
Security Bulletin
This security bulletin contains one high risk vulnerability.
EUVDB-ID: #VU556
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID: CWE-284 - Improper Access Control
Exploit availability: No
Description
The vulnerability allows a remote user to perform arbitrary code execution on the target server.
The weakness is in the Drupal installer. When the site's database is inaccessible, the installer uses database credentials supplied by the visitor, which leads to arbitrary code execution.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Update to 5.3.
http://ftp.drupal.org/files/projects/drupal-5.3.tar.gz
Drupal: 5.0 - 5.2
External links
http://www.drupal.org/node/184316
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.