CVE 2012-1591
The image module in Drupal 7.x before 7.14 does not properly check permissions when caching derivative image styles of private images, which allows remote attackers to read private image styles.
See the
CVE page on Mitre.org
for more details.