CVSS base score
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
What the vulnerability does
Information disclosure in the file URI processing of File (Field) Paths in Drupal File (Field) Paths 7.x prior to 7.1.3 on Drupal 7.x allows authenticated users to disclose other users’ private files via filename‑collision uploads. This can cause hook_node_insert() consumers (for example, email attachment modules) to receive the wrong file URI, bypassing normal access controls on private files.
Explanation of Vulnerability in Simple Terms
The File (Field) Paths module for Drupal exposes sensitive file path information to unauthenticated users. An attacker can discover the server's directory structure and file locations without logging in, potentially aiding reconnaissance for further attacks. Update to version 7.x-1.3 or later to restrict this information.
What an attacker can do
View the server's file paths and directory structure without authentication.
Potential impact on your site
Attackers can map your server's file structure, increasing risk of targeted attacks on known vulnerable paths.
Conditions required to exploit
Network access to the Drupal site; no authentication or user interaction required.
Key dates
External resources
Related vulnerabilities
