Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 6.0
CVE Id: CVE-2012-5653
Last Modified: 08 Mar 2014 12:00:36
Published: 02 Jan 2013 08:55:03
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE_INSTANCE

CVE-2012-5653

Summary

The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name.

Vulnerable Systems

Application

  • Drupal 6.0

  • Drupal 6.1

  • Drupal 6.10

  • Drupal 6.11

  • Drupal 6.12

  • Drupal 6.13

  • Drupal 6.14

  • Drupal 6.15

  • Drupal 6.16

  • Drupal 6.17

  • Drupal 6.18

  • Drupal 6.19

  • Drupal 6.2

  • Drupal 6.20

  • Drupal 6.21

  • Drupal 6.22

  • Drupal 6.23

  • Drupal 6.24

  • Drupal 6.25

  • Drupal 6.26

  • Drupal 6.3

  • Drupal 6.4

  • Drupal 6.5

  • Drupal 6.6

  • Drupal 6.7

  • Drupal 6.8

  • Drupal 6.9

  • Drupal 7.0

  • Drupal 7.1

  • Drupal 7.10

  • Drupal 7.11

  • Drupal 7.12

  • Drupal 7.13

  • Drupal 7.14

  • Drupal 7.15

  • Drupal 7.16

  • Drupal 7.17

  • Drupal 7.2

  • Drupal 7.3

  • Drupal 7.4

  • Drupal 7.5

  • Drupal 7.6

  • Drupal 7.7

  • Drupal 7.8

  • Drupal 7.9

  • Drupal 7.x-dev


References

XF - drupal-fileupload-code-execution(80795)

BID - 56993

MLIST - [oss-security] 20121219 Re: CVE request for Drupal core, and contributed modules

OSVDB - 88529

CONFIRM - http://drupalcode.org/project/drupal.git/commitdiff/da8023a

CONFIRM - http://drupalcode.org/project/drupal.git/commitdiff/b47f95d

CONFIRM - http://drupal.org/SA-CORE-2012-004

MANDRIVA - MDVSA-2013:074

DEBIAN - DSA-2776


Last Updated: 27 May 2016 11:01:33