Description

When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.

Remediation

References

CVE-2017-6377

Related Vulnerabilities

Undertow Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') Vulnerability (CVE-2018-1067)

WordPress Plugin WP Mail Logging Multiple Unspecified Vulnerabilities (1.5.0)

WordPress Plugin Loco Translate Unspecified Vulnerability (2.5.4)

WordPress Plugin TAKETIN To WP Membership PHP Object Injection (1.2.7)

WordPress Plugin WP to Twitter Cross-Site Request Forgery (3.2.9)

Severity

High

Classification

CVE-2017-6377 CWE-863 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Missing Update Known Vulnerabilities