|Description||The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read, delete, or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
|NVD severity||medium (attack range: remote)|
Vulnerable and fixed packages
The table below lists information on source packages.
|drupal7 (PTS)||jessie (security), jessie||7.32-1+deb8u12||fixed|
|stretch (security), stretch||7.52-2+deb9u4||fixed|
The information below is based on the following data on fixed versions.
- drupal6 <not-affected> (Only affects Drupal 7.x and Drupal 8.x)