Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-6924

In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.

Published

2019-01-15T20:29:00.237

Last Modified

2024-11-21T03:30:49.300

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 7.4 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

4.9

Weaknesses

Type: Primary
CWE-269

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	drupal	drupal	< 8.3.7	Yes

References

http://www.securityfocus.com/bid/100368 Third Party Advisory, VDB Entry ([email protected])
http://www.securitytracker.com/id/1039200 Third Party Advisory, VDB Entry ([email protected])
https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-08-16/drupal-core-multiple Mitigation, Vendor Advisory ([email protected])
http://www.securityfocus.com/bid/100368 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1039200 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-08-16/drupal-core-multiple Mitigation, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)