CVE-2013-0246

high

Description

The Image module in Drupal 7.x before 7.19, when a private file system is used, does not properly restrict access to derivative images, which allows remote attackers to read derivative images of otherwise restricted images via unspecified vectors.

References

https://drupal.org/SA-CORE-2013-001

http://secunia.com/advisories/51717

http://seclists.org/oss-sec/2013/q1/211

http://seclists.org/fulldisclosure/2013/Jan/120

http://packetstormsecurity.com/files/119598/Drupal-Core-6.x-7.x-Cross-Site-Scripting-Access-Bypass.html

Details

Source: Mitre, NVD

Published: 2013-07-16

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High