High severity7.5NVD Advisory· Published Mar 16, 2017· Updated May 13, 2026

CVE-2017-6377

Description

When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the editor will not correctly check access for the file being attached, resulting in an access bypass.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
drupal/corePackagist	>= 8.2.0, < 8.2.7	8.2.7
drupal/drupalPackagist	>= 8.2.0, < 8.2.7	8.2.7

Affected products

Drupal/Drupal Corev5
Range: 8.2.x versions before 8.2.7

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.securityfocus.com/bid/96919nvdThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-w7qx-vwr9-2j3rghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-6377ghsaADVISORY
www.drupal.org/SA-2017-001nvdVendor AdvisoryWEB
www.securitytracker.com/id/1038058nvdWEB
github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2017-6377.yamlghsaWEB
github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2017-6377.yamlghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000