Unrestricted file upload vulnerability in the Live CSS module 6.x-2.x before 6.x-2.1 and 7.x-2.x before 7.x-2.7 for Drupal allows remote authenticated users with the administer CSS permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Live_css | Guy_bedford | 6.x-2.0 (including) | 6.x-2.0 (including) |
| Live_css | Guy_bedford | 7.x-2.0 (including) | 7.x-2.0 (including) |
| Live_css | Guy_bedford | 7.x-2.0-beta1 (including) | 7.x-2.0-beta1 (including) |
| Live_css | Guy_bedford | 7.x-2.1 (including) | 7.x-2.1 (including) |
| Live_css | Guy_bedford | 7.x-2.2 (including) | 7.x-2.2 (including) |
| Live_css | Guy_bedford | 7.x-2.3 (including) | 7.x-2.3 (including) |
| Live_css | Guy_bedford | 7.x-2.4 (including) | 7.x-2.4 (including) |
| Live_css | Guy_bedford | 7.x-2.5 (including) | 7.x-2.5 (including) |
| Live_css | Guy_bedford | 7.x-2.6 (including) | 7.x-2.6 (including) |
| Live_css | Guy_bedford | 7.x-2.x-dev (including) | 7.x-2.x-dev (including) |