CVE-2011-2687

Severity

75%

Complexity

99%

Confidentiality

106%

Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table.

Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table.

CVSS 2.0 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P).

Overview

Type

Drupal

First reported 13 years ago

2011-07-27 02:55:00

Last updated 9 years ago

2015-09-03 14:21:00

Affected Software

Drupal 7.0

7.0

Drupal 7.0 alpha1

7.0

Drupal 7.0 alpha2

7.0

Drupal 7.0 alpha3

7.0

Drupal 7.0 alpha4

7.0

Drupal 7.0 alpha5

7.0

Drupal 7.0 alpha6

7.0

Drupal 7.0 alpha7

7.0

Drupal 7.0 Beta 1

7.0

Drupal 7.0 Beta 2

7.0

Drupal 7.0 Beta 3

7.0

Drupal 7.0 dev

7.0

Drupal 7.0 Release Candidate 1

7.0

Drupal 7.0 Release Candidate 2

7.0

Drupal 7.0 Release Candidate 3

7.0

Drupal 7.0 Release Candidate 4

7.0

Drupal 7.1

7.1

Drupal 7.2

7.2

References

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633385

http://drupal.org/node/1204582

Patch, Vendor Advisory

FEDORA-2011-8879

FEDORA-2011-8878

45081

Vendor Advisory

45291

Vendor Advisory

[oss-security] 20110711 CVE Request -- Drupal 7 -- Access bypass in node listings (SA-CORE-2011-002)

[oss-security] 20110712 Re: CVE Request -- Drupal 7 -- Access bypass in node listings (SA-CORE-2011-002)

48505

https://bugzilla.redhat.com/show_bug.cgi?id=717874

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.