CVE-2013-0246 Information

Description

The Image module in Drupal 7.x before 7.19 when a private file system is used does not properly restrict access to derivative images which allows remote attackers to read derivative images of otherwise restricted images via unspecified vectors.

Reference

http://packetstormsecurity.com/files/119598/Drupal-Core-6.x-7.x-Cross-Site-Scripting-Access-Bypass.html http://seclists.org/fulldisclosure/2013/Jan/120 http://seclists.org/oss-sec/2013/q1/211 http://secunia.com/advisories/51717 https://drupal.org/SA-CORE-2013-001