Vulnerability Details: CVE-2009-3781
The filefield_file_download function in FileField 6.x-3.1, a module for Drupal, does not properly check node-access permissions for Drupal core private files, which allows remote attackers to access unauthorized files via unspecified vectors.
Exploit prediction scoring system (EPSS) score for CVE-2009-3781
Probability of exploitation activity in the next 30 days: 1.33%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 86 %
CVSS scores for CVE-2009-3781
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
CWE ids for CVE-2009-3781
- Assigned by: nvd@nist.gov (Primary)
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Assigned by: nvd@nist.gov (Primary)
References for CVE-2009-3781
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53897
  FileField module for Drupal node-access security bypass CVE-2009-3781 Vulnerability Report (Third Party Advisory; VDB Entry)
- http://drupal.org/files/issues/filefield-node-access-fix-516104-3.patch
  (Patch)
- http://drupal.org/node/611128
  SA-CONTRIB-2009-082 - Filefield module access bypass | Drupal.org (Patch; Third Party Advisory)
- http://secunia.com/advisories/37130
  About Secunia Research | Flexera (Broken Link; Third Party Advisory)
- http://drupal.org/node/516104
  (Issue Tracking; Patch; Third Party Advisory)
- http://drupal.org/node/609874
  filefield 6.x-3.2 | Drupal.org (Release Notes)
- http://www.securityfocus.com/bid/36792
  (Broken Link; Patch; Third Party Advisory; VDB Entry)
Products affected by CVE-2009-3781
- cpe:2.3:a:quicksketch:filefield:6.x-3.1:*:*:*:*:drupal:*:*