CVE-2014-9155
Severity CVSS v4.0:
Pending analysis
Type:
CWE-22
Path Traversal
Publication date:
01/12/2014
Last modified:
12/04/2025
Description
Directory traversal vulnerability in the Avatar Uploader module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.0-beta6 for Drupal allows remote authenticated users to read arbitrary files via a .. (dot dot) in the path of a cropped picture in the uploader panel.
Impact
Base Score 2.0
4.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:avatar_uploader_project:avatar_uploader:6.x-1.0:*:*:*:*:drupal:*:* | ||
| cpe:2.3:a:avatar_uploader_project:avatar_uploader:6.x-1.1:*:*:*:*:drupal:*:* | ||
| cpe:2.3:a:avatar_uploader_project:avatar_uploader:7.x-1.0:beta1:*:*:*:drupal:*:* | ||
| cpe:2.3:a:avatar_uploader_project:avatar_uploader:7.x-1.0:beta2:*:*:*:drupal:*:* | ||
| cpe:2.3:a:avatar_uploader_project:avatar_uploader:7.x-1.0:beta3:*:*:*:drupal:*:* | ||
| cpe:2.3:a:avatar_uploader_project:avatar_uploader:7.x-1.0:beta4:*:*:*:drupal:*:* | ||
| cpe:2.3:a:avatar_uploader_project:avatar_uploader:7.x-1.x-dev:*:*:*:*:drupal:*:* |
To consult the complete list of CPE names with products and versions, see this page