CVE-2009-3781
CVE-2009-3781 is a high-severity vulnerability in Quicksketch Filefield with a CVSS 2.0 base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-862.
Key facts
- Severity: High (CVSS 2.0 base score 7.5)
- EPSS exploit prediction: 2% (80th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-862
- Affected product: Quicksketch Filefield
- Published:
- Last modified:
Description
The filefield_file_download function in FileField 6.x-3.1, a module for Drupal, does not properly check node-access permissions for Drupal core private files, which allows remote attackers to access unauthorized files via unspecified vectors.
Frequently asked questions
- What is CVE-2009-3781?
- The filefield_file_download function in FileField 6.x-3.1, a module for Drupal, does not properly check node-access permissions for Drupal core private files, which allows remote attackers to access unauthorized files via unspecified vectors.
- How severe is CVE-2009-3781?
- CVE-2009-3781 has a CVSS 2.0 base score of 7.5, rated high severity.
- Is CVE-2009-3781 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (80th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2009-3781?
- CVE-2009-3781 affects Quicksketch Filefield. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2009-3781?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2009-3781 published?
- CVE-2009-3781 was published on 2009-10-26 and last updated on 2026-06-16.
References
- http://drupal.org/files/issues/filefield-node-access-fix-516104-3.patch
- http://drupal.org/node/516104
- http://drupal.org/node/609874
- http://drupal.org/node/611128
- http://secunia.com/advisories/37130
- http://www.securityfocus.com/bid/36792
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53897
Affected products (1)
- cpe:2.3:a:quicksketch:filefield:6.x-3.1:*:*:*:*:drupal:*:*
More vulnerabilities in Quicksketch Filefield
- CVE-2010-1958 — Low (CVSS 2.1): Cross-site scripting (XSS) vulnerability in the FileField module 5.x before 5.x-2.5 and 6.x before 6.x-3.4 for Drupal…
All CVEs affecting Quicksketch Filefield →
Other CWE-862 (Missing Authorization) vulnerabilities
- CVE-2026-0092 — Critical (CVSS 10.0): In Package Manager, there is a possible device lock controller bypass due to a missing permission check. This could…
- CVE-2026-33712 — Critical (CVSS 10.0): Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview chat endpoint (POST…
- CVE-2026-2031 — Critical (CVSS 10.0): An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration…
- CVE-2026-34976 — Critical (CVSS 10.0): Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing…
- CVE-2025-30416 — Critical (CVSS 10.0): Sensitive data disclosure and manipulation due to missing authorization. The following products are affected: Acronis…
- CVE-2025-45854 — Critical (CVSS 10.0): /server/executeExec of JEHC-BPM 2.0.1 allows attackers to execute arbitrary code via execParams.
Browse all CWE-862 (Missing Authorization) vulnerabilities →