logo

Database

Sensitive information sent insecurely In drupal/core

Description

Exposure of Resource to Wrong Sphere in Drupal Core Information Disclosure vulnerability in file module of Drupal Core allows an attacker to gain access to the file metadata of a permanent private file that they do not have access to by guessing the ID of the file. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2020-136702. NVD-2020-136703. OSV-2020-136704. GCVE-2020-13670

References

1. https://github.com/drupal/core/commit/f93a37b713b59f8d24e826bc74378099853eef3d2. https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2020-13670.yaml3. https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2020-13670.yaml4. https://www.drupal.org/sa-core-2020-011

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.