Path Traversal in Avatar_uploader_project Avatar_uploader
CVE-2014-9155
Directory traversal vulnerability in the Avatar Uploader module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.0-beta6 for Drupal allows remote authenticated users to read arbitrary files via a .. (dot dot) in the path of a cropped pictur…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.007 (72.1th percentile)
Affected products
- Avatar_uploader_project Avatar_uploader — versions 6.x-1.0, 6.x-1.1, 7.x-1.0
Weakness classification (CWE)