Search for vulnerabilities
Vulnerability details: VCID-sdxq-vbaw-5qd4
Vulnerability ID VCID-sdxq-vbaw-5qd4
Aliases GHSA-5x28-3f32-x523
Summary Drupal core Access control bypass The Media Library module has a security vulnerability whereby it doesn't sufficiently restrict access to media items in certain configurations. ### Solution: If you are using Drupal 8.7.x, you should upgrade to Drupal 8.7.11. If you are using Drupal 8.8.x, you should upgrade to Drupal 8.8.1. Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage. Alternatively, you may mitigate this vulnerability by unchecking the "Enable advanced UI" checkbox on `/admin/config/media/media-library`. (This mitigation is not available in 8.7.x.)
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-5x28-3f32-x523
cvssv3.1 4.3 https://github.com/drupal/drupal
generic_textual MODERATE https://github.com/drupal/drupal
cvssv3.1 4.3 https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-3.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-3.yaml
cvssv3.1 4.3 https://www.drupal.org/sa-core-2019-011
generic_textual MODERATE https://www.drupal.org/sa-core-2019-011
Reference id Reference type URL
https://github.com/drupal/drupal
https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-3.yaml
https://www.drupal.org/sa-core-2019-011
GHSA-5x28-3f32-x523 https://github.com/advisories/GHSA-5x28-3f32-x523
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/drupal/drupal
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-3.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Found at https://www.drupal.org/sa-core-2019-011
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2025-07-31T08:36:04.941192+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-5x28-3f32-x523/GHSA-5x28-3f32-x523.json 37.0.0