Drupal core provides the ability to have private files, including images. A vulnerability was identified in which derivative images (which Drupal automatically creates from these images based on “image styles” and which may differ, for example, in size or saturation) did not always receive the same protection. Under some circumstances, this would allow users to access image derivatives for images they should not be able to view.
Part of security release SA-CORE-2013-001
This vulnerability affects the following application versions:
- Drupal 7.0
- Drupal 7.1
- Drupal 7.2
- Drupal 7.3
- Drupal 7.4
- Drupal 7.5
- Drupal 7.6
- Drupal 7.7
- Drupal 7.8
- Drupal 7.9
- Drupal 7.10
- Drupal 7.11
- Drupal 7.12
- Drupal 7.13
- Drupal 7.14
- Drupal 7.15
- Drupal 7.16
- Drupal 7.17
- Drupal 7.18