When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.
CPE | Name | Operator | Version |
---|---|---|---|
drupal/core | eq | 8.2.3 | |
drupal/drupal | eq | 8.2.3 | |
drupal/core | eq | 8.2.0 | |
drupal/core | eq | 8.2.4 | |
drupal/core | eq | 8.2.1 | |
drupal/drupal | eq | 8.2.0 | |
drupal/drupal | eq | 8.2.1 | |
drupal/drupal | eq | 8.2.2 | |
drupal/core | eq | 8.2.5 | |
drupal/core | eq | 8.2.2 |
www.securityfocus.com/bid/96919
www.securitytracker.com/id/1038058
github.com/drupal/drupal
github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2017-6377.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2017-6377.yaml
nvd.nist.gov/vuln/detail/CVE-2017-6377
www.drupal.org/SA-2017-001