Filebrowser - Moderately Critical - Risk of data exposure

Project

Filebrowser

Date

May 28, 2025

Severity

Moderately Critical

Risk Score

10 ∕ 25 AC:Basic/A:Admin/CI:Some/II:None/E:Theoretical/TD:All

Vulnerability

Risk of data exposure

Affected versions

All Drupal 7 versions are affected

Description

The Filebrowser module allows users to browse a list of files in specific directories.

Users with permission to create nodes of type dir_listing are able to expose any directory on the server including system and/or critical files.

This module and its directory listing node type should only be used by users with elevated user access. If restricted access to the directory listing node type cannot be achieved, then the module should be uninstalled and removed from the site.

Reported by

Joop Sint Jago (clivesj)
Michael Leahy (leahymr)

Fixed by

Joop Sint Jago (clivesj)
David Rothstein (David_Rothstein)
Vijay Mani (vijaycs85)
Drew Webber (mcdruid)

Coordinated by

Michael Hess (mlhess) of the Drupal Security Team
Greg Knaddison (greggles) of the Drupal Security Team
Damien McKenna (damienmckenna) of the Drupal Security Team
Juraj Nemec (poker10) of the Drupal Security Team
Tag1 D7ES