Exposure of Resource to Wrong Sphere
CVE-2020-13670
Summary
In Drupal 8.0.x prior to 8.8.10, 8.9.x prior to 8.9.6, and 9.0.x prior to 9.0.6, a vulnerability exists in the File module which allows an attacker, by guessing the ID of the file, to gain access to the file metadata of a permanent private file that they do not have access to.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-668 - Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Advisory Timeline
- Published