CVE-2017-6923 — Missing Authorization in Drupal Core

CWE-862 — Missing Authorization6 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.7%

top 27.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Drupal Core Drupal Core Drupal

Timeline

PublishedJan 22

Latest updateOct 10

Description

In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶Packagistdrupal/core8.0 — 8.3.7

▶Packagistdrupal/drupal8.0 — 8.3.7

▶CVEListV5drupal/drupal_core8.x — 8.3.7

▶NVDdrupal/drupal8.0.0 — 8.3.7

Patches

Patch: www.drupal.org ↗Patch: www.drupal.org ↗

🔴Vulnerability Details

OSV

Missing Authorization in Drupal↗2019-10-10

▶

GHSA

Missing Authorization in Drupal↗2019-10-10

▶

CVEList

Access bypass in Drupal 8 views↗2019-01-22

▶

💬Community

Bugzilla

CVE-2017-6923 CVE-2017-6924 CVE-2017-6925 drupal8: Multiple Vulnerabilities - SA-CORE-2017-004 [fedora-all]↗2017-08-22

▶

Bugzilla

CVE-2017-6923 CVE-2017-6924 CVE-2017-6925 drupal8: Multiple Vulnerabilities - SA-CORE-2017-004↗2017-08-22

▶