CVSS Score

The vulnerability stems from improper access checks when attaching private files via the editor. The EditorController::upload method is the primary handler for editor file uploads in Drupal 8.2.x. In vulnerable versions, this method likely processed file uploads without verifying whether the user had permission to access or attach private files, bypassing Drupal's normal file access controls. The CWE-863 (Incorrect Authorization) classification aligns with missing access checks in this critical file upload handler. The patched version 8.2.7 would have added proper access validation in this controller method.
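The following is an added example, not Drupal code and not the patch itself, that models the defect class described above: an editor attach handler that checks only "may this user use the editor" and hands out references to any stored file, beside a hardened handler that also applies the file's own access rule before a private file can be attached. All names (FileRecord, Account, attach_file_vulnerable, attach_file_hardened), the permission strings and the in-memory file store are constructed for illustration.

```python
"""Modelled private-file attach check (added example; not Drupal's code).

The stream scheme in the URI ("public://" vs "private://") mirrors Drupal's
convention; everything else here is a hypothetical stand-in for the real
file storage and access-control handler.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    fid: int
    uri: str        # e.g. "private://hr/salaries.pdf" or "public://logo.png"
    owner_uid: int  # hypothetical: private files are readable by their owner


@dataclass(frozen=True)
class Account:
    uid: int
    permissions: frozenset


class AccessDenied(Exception):
    pass


class NotFound(Exception):
    pass


# Constructed sample file store: one public file, two private files.
FILES = {
    1: FileRecord(fid=1, uri="public://logo.png", owner_uid=1),
    2: FileRecord(fid=2, uri="private://hr/salaries.pdf", owner_uid=1),
    3: FileRecord(fid=3, uri="private://drafts/notes.txt", owner_uid=7),
}

EDITOR_PERMISSION = "use editor"          # constructed permission name
ADMIN_PERMISSION = "administer files"     # constructed permission name


def scheme(uri: str) -> str:
    """Return the stream scheme of a URI, e.g. 'private' for 'private://x'."""
    return uri.split("://", 1)[0]


def can_access_file(account: Account, record: FileRecord) -> bool:
    """Modelled file-level access rule: public files are readable by anyone,
    private files only by their owner or a file administrator."""
    if scheme(record.uri) != "private":
        return True
    return record.owner_uid == account.uid or ADMIN_PERMISSION in account.permissions


def _load(fid: int) -> FileRecord:
    record = FILES.get(fid)
    if record is None:
        raise NotFound(fid)
    return record


def attach_file_vulnerable(account: Account, fid: int) -> dict:
    """Defect modelled: the only check is 'may this user use the editor'.
    Any existing file, private or not, can be attached and its URI exposed."""
    if EDITOR_PERMISSION not in account.permissions:
        raise AccessDenied("editor use not permitted")
    record = _load(fid)
    return {"fid": record.fid, "uri": record.uri}


def attach_file_hardened(account: Account, fid: int) -> dict:
    """Same handler with the file's own access rule applied before attaching.
    The editor permission alone no longer grants access to private files."""
    if EDITOR_PERMISSION not in account.permissions:
        raise AccessDenied("editor use not permitted")
    record = _load(fid)
    if not can_access_file(account, record):
        raise AccessDenied(f"file {fid} is not accessible to uid {account.uid}")
    return {"fid": record.fid, "uri": record.uri}


def attach_allowed(handler, account: Account, fid: int) -> bool:
    """Convenience wrapper: True if the handler attaches the file, False on denial."""
    try:
        handler(account, fid)
    except AccessDenied:
        return False
    return True


if __name__ == "__main__":
    editor = Account(uid=7, permissions=frozenset({EDITOR_PERMISSION}))
    for fid in FILES:
        print(fid, "vulnerable:", attach_allowed(attach_file_vulnerable, editor, fid),
              "hardened:", attach_allowed(attach_file_hardened, editor, fid))
```

Run as a script, the loop shows the divergence: the editor-only account can attach every file through the vulnerable handler, while the hardened handler lets it attach the public file and its own private file but refuses the other user's private file. Whether a deployed site is affected is decided by the version table below, not by this model; the model only makes the missing check concrete.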
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| drupal/core | composer | >= 8.2.0, < 8.2.7 | 8.2.7 |
| drupal/drupal | composer | >= 8.2.0, < 8.2.7 | 8.2.7 |