#VU539 Arbitrary file uploads via BlogAPI in Drupal
Published: September 19, 2016 / Updated: February 17, 2017
Vulnerability identifier: #VU539
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Drupal
Drupal
Software vendor:
Drupal
Drupal
Description
The vulnerability allows a remote user to download harmful files to compromise the target system.
The weaness is caused by improper validation of uploaded files extension by BlogAPI module that allows attackers to insert certain files or data.
Successful exploitation of the vulnerability may result in malicious files uploading and vulnerable system compromising.
The weaness is caused by improper validation of uploaded files extension by BlogAPI module that allows attackers to insert certain files or data.
Successful exploitation of the vulnerability may result in malicious files uploading and vulnerable system compromising.
Remediation
Update 5.x to 5.10.
http://ftp.drupal.org/files/projects/drupal-5.10.tar.gz
Update 6.x to 6.4.
http://ftp.drupal.org/files/projects/drupal-6.4.tar.gz
http://ftp.drupal.org/files/projects/drupal-5.10.tar.gz
Update 6.x to 6.4.
http://ftp.drupal.org/files/projects/drupal-6.4.tar.gz