CVE-2016-7570

CWE-264CWE-269Improper Privilege Management4 documents4 sources
Severity
4.3MEDIUM
EPSS
0.3%
top 42.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Drupal CoreDrupal Drupal
Timeline
PublishedOct 3
Latest updateMay 17

Description

Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

Packagistdrupal/core8.0.08.1.10
Packagistdrupal/drupal8.0.08.1.10
NVDdrupal/drupal17 versions+16

🔴Vulnerability Details

3
OSV
Drupal Users without "Administer comments" can set comment visibility on nodes they can edit2022-05-17
GHSA
Drupal Users without "Administer comments" can set comment visibility on nodes they can edit2022-05-17
CVEList
CVE-2016-7570: Drupal 82016-10-03
CVE-2016-7570 (MEDIUM CVSS 4.3) | Drupal 8.x before 8.1.10 does not p | cvebase.io