Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-6931

In Drupal versions 8.4.x versions before 8.4.5 the Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for. If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses. This vulnerability can be mitigated by disabling the Settings Tray module.

Published

2018-03-01T23:29:00.497

Last Modified

2024-11-21T03:30:50.137

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 6.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-434

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	drupal	drupal	< 8.4.5	Yes

References

https://www.drupal.org/sa-core-2018-001 Mitigation, Vendor Advisory ([email protected])
https://www.drupal.org/sa-core-2018-001 Mitigation, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)