CVE-2023-31250

EPSS 0.26%
Published 26.04.2023 19:15:09
Last modified 03.02.2025 17:15:14
Source mlhess@drupal.org
Teams watchlist Login
Open Login

The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your Drupal version if you have issues accessing private files after updating.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Drupal ≫ Drupal Version >= 7.0 < 7.96

Drupal ≫ Drupal Version >= 9.4 < 9.4.14

Drupal ≫ Drupal Version >= 9.5 < 9.5.8

Drupal ≫ Drupal Version >= 10.0 < 10.0.8

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.26%	0.492

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://www.drupal.org/sa-core-2023-005

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-31250

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-31250

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-31250

EUVD