Arbitrary code execution in Drupal Drupal
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | N/A |
| CWE-ID | CWE-284 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Drupal Web applications / CMS |
| Vendor | Drupal |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Arbitrary code execution
EUVDB-ID: #VU560
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows authenticated user to cause arbitary code execution on the target system.
The weakness exists due to validation errors. Attackers can get "post comments" permission and access to more than one input filter that allows them to execute arbitrary code.
Successful exploiatation of the vulnerability leads to arbitrary code execution on the vulnerable system.
Update 4.7.x to 4.7.6.
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.6.tar.gz
Update 5.x to 5.1.
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-5.1.tar.gz
Drupal: 4.7.0 - 5.0
CPE2.3 External linkshttp://www.drupal.org/node/113935
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
