vulnerability

Drupal: CVE-2016-7572: Full config export can be downloaded without administrative permissions

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:L/Au:S/C:P/I:N/A:N)	Oct 3, 2016	Sep 18, 2017	Apr 14, 2025

Severity

CVSS

(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Published

Oct 3, 2016

Added

Sep 18, 2017

Modified

Apr 14, 2025

Description

The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors.

Solution

drupal-upgrade-8_1_10

References

CVE-2016-7572
https://attackerkb.com/topics/CVE-2016-7572
URL-http://www.securityfocus.com/bid/93101
URL-http://www.securitytracker.com/id/1036886
URL-https://www.drupal.org/SA-CORE-2016-004

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today