Your submission was sent successfully! Close

CVE-2016-7572

Published: 3 October 2016

The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors.

Priority

Medium

CVSS 3 base score: 4.3

Status

Package Release Status
drupal6
Launchpad, Ubuntu, Debian
artful Does not exist

precise Does not exist
(precise was needed)
trusty Does not exist

upstream Needs triage

xenial Does not exist

yakkety Does not exist

zesty Does not exist

drupal7
Launchpad, Ubuntu, Debian
artful Not vulnerable

precise Does not exist
(precise was needed)
trusty Does not exist
(trusty was not-affected)
upstream Needs triage

xenial Not vulnerable

yakkety Ignored
(reached end-of-life)
zesty Not vulnerable