Description

The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.

Remediation

References

CVE-2016-3162

Related Vulnerabilities

Joomla Permissions, Privileges, and Access Controls Vulnerability (CVE-2016-9837)

WordPress Plugin BuddyPress Multiple Vulnerabilities (5.1.2)

XWiki Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-32071)

WordPress Plugin Stripe Payments Cross-Site Scripting (2.0.39)

WordPress Plugin WordPress+Microsoft Office 365/Azure AD-LOGIN Unspecified Vulnerability (11.6)

Severity

High

Classification

CVE-2016-3162 CWE-284 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Tags

Missing Update Known Vulnerabilities