CVE-2013-0206

Unrestricted file upload vulnerability in the Live CSS module 6.x-2.x before 6.x-2.1 and 7.x-2.x before 7.x-2.7 for Drupal allows remote authenticated users with the "administer CSS" permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.

🔗 References (12)

• secalert@redhathttp://drupal.org/node/1883976
• secalert@redhathttp://drupal.org/node/1883978
• secalert@redhathttp://drupalcode.org/project/live_css.git/commitdiff/cb7005f
• secalert@redhathttp://drupalcode.org/project/live_css.git/commitdiff/ef323c8
• secalert@redhathttp://www.openwall.com/lists/oss-security/2013/01/21/5
• secalert@redhathttps://drupal.org/node/1890318
• af854a3a-2127-422b-91ae-364da2661108http://drupal.org/node/1883976
• af854a3a-2127-422b-91ae-364da2661108http://drupal.org/node/1883978
• af854a3a-2127-422b-91ae-364da2661108http://drupalcode.org/project/live_css.git/commitdiff/cb7005f
• af854a3a-2127-422b-91ae-364da2661108http://drupalcode.org/project/live_css.git/commitdiff/ef323c8
• af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2013/01/21/5
• af854a3a-2127-422b-91ae-364da2661108https://drupal.org/node/1890318