The File module in Drupal 7.x before 7.29 does not properly check permissions to view files, which allows remote authenticated users with certain permissions to bypass intended restrictions and read files by attaching the file to content with a file field.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Drupal | Drupal | 7.0 (including) | 7.0 (including) |
| Drupal | Drupal | 7.0-alpha1 (including) | 7.0-alpha1 (including) |
| Drupal | Drupal | 7.0-alpha2 (including) | 7.0-alpha2 (including) |
| Drupal | Drupal | 7.0-alpha3 (including) | 7.0-alpha3 (including) |
| Drupal | Drupal | 7.0-alpha4 (including) | 7.0-alpha4 (including) |
| Drupal | Drupal | 7.0-alpha5 (including) | 7.0-alpha5 (including) |
| Drupal | Drupal | 7.0-alpha6 (including) | 7.0-alpha6 (including) |
| Drupal | Drupal | 7.0-alpha7 (including) | 7.0-alpha7 (including) |
| Drupal | Drupal | 7.0-beta1 (including) | 7.0-beta1 (including) |
| Drupal | Drupal | 7.0-beta2 (including) | 7.0-beta2 (including) |
| Drupal | Drupal | 7.0-beta3 (including) | 7.0-beta3 (including) |
| Drupal | Drupal | 7.0-dev (including) | 7.0-dev (including) |
| Drupal | Drupal | 7.0-rc1 (including) | 7.0-rc1 (including) |
| Drupal | Drupal | 7.0-rc2 (including) | 7.0-rc2 (including) |
| Drupal | Drupal | 7.0-rc3 (including) | 7.0-rc3 (including) |
| Drupal | Drupal | 7.0-rc4 (including) | 7.0-rc4 (including) |
| Drupal | Drupal | 7.1 (including) | 7.1 (including) |
| Drupal | Drupal | 7.2 (including) | 7.2 (including) |
| Drupal | Drupal | 7.3 (including) | 7.3 (including) |
| Drupal | Drupal | 7.4 (including) | 7.4 (including) |
| Drupal | Drupal | 7.5 (including) | 7.5 (including) |
| Drupal | Drupal | 7.6 (including) | 7.6 (including) |
| Drupal | Drupal | 7.7 (including) | 7.7 (including) |
| Drupal | Drupal | 7.8 (including) | 7.8 (including) |
| Drupal | Drupal | 7.9 (including) | 7.9 (including) |
| Drupal | Drupal | 7.10 (including) | 7.10 (including) |
| Drupal | Drupal | 7.11 (including) | 7.11 (including) |
| Drupal | Drupal | 7.12 (including) | 7.12 (including) |
| Drupal | Drupal | 7.13 (including) | 7.13 (including) |
| Drupal | Drupal | 7.14 (including) | 7.14 (including) |
| Drupal | Drupal | 7.15 (including) | 7.15 (including) |
| Drupal | Drupal | 7.16 (including) | 7.16 (including) |
| Drupal | Drupal | 7.17 (including) | 7.17 (including) |
| Drupal | Drupal | 7.18 (including) | 7.18 (including) |
| Drupal | Drupal | 7.19 (including) | 7.19 (including) |
| Drupal | Drupal | 7.20 (including) | 7.20 (including) |
| Drupal | Drupal | 7.21 (including) | 7.21 (including) |
| Drupal | Drupal | 7.22 (including) | 7.22 (including) |
| Drupal | Drupal | 7.23 (including) | 7.23 (including) |
| Drupal | Drupal | 7.24 (including) | 7.24 (including) |
| Drupal | Drupal | 7.25 (including) | 7.25 (including) |
| Drupal | Drupal | 7.26 (including) | 7.26 (including) |
| Drupal | Drupal | 7.27 (including) | 7.27 (including) |
| Drupal | Drupal | 7.28 (including) | 7.28 (including) |
| Drupal | Drupal | 7.x-dev (including) | 7.x-dev (including) |
| Drupal7 | Ubuntu | esm-infra-legacy/trusty | * |
| Drupal7 | Ubuntu | precise | * |
| Drupal7 | Ubuntu | trusty | * |
| Drupal7 | Ubuntu | trusty/esm | * |
| Drupal7 | Ubuntu | upstream | * |