Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table.
Max CVSS
7.5
EPSS Score
1.42%
Published
2011-07-27
Updated
2015-09-03
Drupal 7.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/simpletest/tests/upgrade/drupal-6.upload.database.php and certain other files.
Max CVSS
5.0
EPSS Score
0.29%
Published
2011-09-23
Updated
2012-03-13
2 vulnerabilities found