Description

The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors.

Remediation

References

CVE-2016-7572

Related Vulnerabilities

MySQL CVE-2023-22092 Vulnerability (CVE-2023-22092)

WordPress Plugin Simple Job Board Directory Traversal (2.9.3)

WordPress Plugin Catch Themes Demo Import Arbitrary File Upload (1.7)

Piwigo Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2014-9115)

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2012-0792)

Severity

Medium

Classification

CVE-2016-7572 CWE-264 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities