Crafted URL allows downloading of BLOBs that are not visible to the user
by Matthew Wilkes, last modified Nov 10, 2012 01:02 PM
BLOBs stored on custom content types can be accessed through a non-standard URL, bypassing the declared permission check.
Anonymous users can use a crafted URL to illegitimately download Files and Images. Thanks to Karl Johan Kleist, who found that this had been incorrectly reported and let the security team know.
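The bug class described above (CWE-306: a permission declared on the standard download path but not enforced on an alternate traversal path to the same blob), as a constructed Python illustration added here; this is not Plone's code, and the handler names, path names, permission name and data model are placeholders:

```python
# Constructed illustration of the advisory's bug class, not Plone's code.
# A blob is reachable through two handlers; in the vulnerable version only
# the standard handler checks the declared permission, so the alternate
# path serves the bytes to anonymous users. The fix routes every path
# through a single accessor that performs the check.
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised when the caller lacks the required permission."""


@dataclass
class Blob:
    data: bytes
    view_permission: str = "View"   # placeholder permission name


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


ANONYMOUS = User("anonymous")
MEMBER = User("member", {"View"})


def check_permission(user, permission):
    if permission not in user.permissions:
        raise Unauthorized(f"{user.name} lacks {permission}")


def download_vulnerable(blob, user, path):
    """Vulnerable: the check lives only in the standard handler."""
    if path == "standard":               # documented download URL
        check_permission(user, blob.view_permission)
        return blob.data
    if path == "alternate":              # non-standard traversal path
        return blob.data                 # BUG: no permission check here
    raise KeyError(path)


def read_blob(blob, user):
    """Single choke point: every reader passes through this check."""
    check_permission(user, blob.view_permission)
    return blob.data


def download_fixed(blob, user, path):
    """Hardened: both paths reach the data only via read_blob()."""
    if path in ("standard", "alternate"):
        return read_blob(blob, user)
    raise KeyError(path)


def is_denied(handler, blob, user, path):
    """True if the handler refuses the request with Unauthorized."""
    try:
        handler(blob, user, path)
    except Unauthorized:
        return True
    return False
```

Running `is_denied` against both handlers with `ANONYMOUS` shows the alternate path leaking only in the vulnerable version; the regression check to keep is that every path to blob data is denied to a user lacking the declared permission.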
Information for security researchers
CVE Identifier: CVE-2012-5501
Impact Subscore: 4.9
Exploitability Subscore: 10
Overall CVSS Score: 5
Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P/E:P/RL:O/RC:C)
CWE: CWE-306
Credit: Alessandro SauZheR
