Drupal File Download Missing Authorization Vulnerability Allowing Forceful Browsing

Vulnerability

A missing authorization vulnerability has been identified in the Drupal File Download module, specifically in versions prior to 1.9.0 and from 2.0.0 through 2.0.1. This vulnerability allows for forceful browsing by bypassing access controls, enabling users to access private files that should not be publicly available.

Impact

Exploitation of this vulnerability leads to unauthorized access to private files, allowing users to download files that should be restricted.

Remediation

Users are advised to upgrade to File Download version 2.0.1 or 8.x-1.9.

Added: Jul 21, 2025, 5:21 PM
Updated: Jul 21, 2025, 5:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.2
remediation: 7.7
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.