CVSS2: 2.6 Low
Attack Vector: NETWORK
Attack Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
CVSS2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N
EPSS: 0.967 High
EPSS Percentile: 99.7%
CVE: CVE-2012-1645
The CDN module provides easy Content Delivery Network integration for Drupal sites. It alters file URLs, so that files are downloaded from a CDN instead of your web server.
When running in Origin Pull mode together with the “Far Future expiration” option, the module contains a vulnerability that allows anyone to view the contents of any *.php file within the site, including settings.php.
This vulnerability is mitigated by the fact that the site owner must have enabled the “Far Future expiration” option, and must be using the latest version of the module.
Drupal core is not affected. If you do not use the contributed CDN module, there is nothing you need to do.
Install the latest version:
See also the CDN project page.