CVE-2013-4502 | Vulnerability Database | Aqua Security

The FileField Sources module 6.x-1.x before 6.x-1.9 and 7.x-1.x before 7.x-1.9 for Drupal does not properly check file permissions, which allows remote authenticated users to read arbitrary files by attaching a file.

Affected Software

Name	Vendor	Start Version	End Version
Filefield_sources	Nathan_haug	7.x-1.2-beta1 (including)	7.x-1.2-beta1 (including)
Filefield_sources	Nathan_haug	7.x-1.3 (including)	7.x-1.3 (including)
Filefield_sources	Nathan_haug	7.x-1.4 (including)	7.x-1.4 (including)
Filefield_sources	Nathan_haug	7.x-1.5 (including)	7.x-1.5 (including)
Filefield_sources	Nathan_haug	7.x-1.6 (including)	7.x-1.6 (including)
Filefield_sources	Nathan_haug	7.x-1.7 (including)	7.x-1.7 (including)
Filefield_sources	Nathan_haug	7.x-1.8 (including)	7.x-1.8 (including)
Filefield_sources	Nathan_haug	7.x-1.x-dev (including)	7.x-1.x-dev (including)

References

http://seclists.org/oss-sec/2013/q4/210
https://drupal.org/node/2124217
https://drupal.org/node/2124219
https://drupal.org/node/2124241

NVD	https://nvd.nist.gov/vuln/detail/CVE-2013-4502
CWE	https://cwe.mitre.org/data/definitions/264.html