VYPR
← All advisories
High severityNVD Advisory· Published Jul 27, 2011· Updated Apr 29, 2026

CVE-2011-2687

CVE-2011-2687

Description

Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
drupal/corePackagist
>= 7.0, < 7.37.3

Affected products

19
  • Drupal/Drupal18 versions
    cpe:2.3:a:drupal:drupal:7.0:*:*:*:*:*:*:*+ 17 more
    • cpe:2.3:a:drupal:drupal:7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:alpha1:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:alpha2:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:alpha3:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:alpha4:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:alpha5:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:alpha6:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:alpha7:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:dev:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.2:*:*:*:*:*:*:*
  • ghsa-coords
    pkg:composer/drupal/core
    Range: >= 7.0, < 7.3

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

13

News mentions

0

No linked articles in our index yet.