SB2012122004 - Fedora EPEL 6 update for drupal6, drupal7
Published: December 20, 2012 Updated: April 24, 2025
Security Bulletin ID
SB2012122004
Severity
Low
Patch available
YES
Number of vulnerabilities
3
Exploitation vector
Remote access
Highest impact
Data manipulation
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Access bypass (CVE-ID: CVE-2012-5651)
The vulnerability allows a remote user to get access to a valid user's search results. The weakness exists due to an access control error and allows blocked users to be seen in search results regardless of the user's privileges.
Successful exploitation of the vulnerability results in blocked users appearing in search results.
2) Access bypass (CVE-ID: CVE-2012-5652)
The vulnerability allows a remote user to view uploaded files. The weakness exists due to an access control error and results in uploaded files being shown in RSS feeds and search results. The vulnerability increases the possibility that the information is viewed by users who were not previously allowed to read it.
Successful exploitation of the weakness allows malicious users to obtain uploaded files.
3) Arbitrary PHP code execution (CVE-ID: CVE-2012-5653)
The vulnerability allows a remote user to cause arbitrary code execution on the target system. The weakness exists due to improper munging of uploaded file names. The vulnerability allows an attacker with server permission to upload a specially named file that can bypass the filename munging and cause arbitrary code execution.
Successful exploitation of the weakness results in arbitrary code execution on the vulnerable system.
Remediation
Install the update from the vendor's website.