CVE-2017-6924Improper Privilege Management in Drupal Core

CWE-269Improper Privilege Management6 documents5 sources
Severity
7.4HIGHNVD
EPSS
0.5%
top 35.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Drupal CoreDrupalDrupal Core
Timeline
PublishedJan 15
Latest updateMay 13

Description

In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages4 packages

Packagistdrupal/core8.08.3.7
NVDdrupal/drupal8.0.08.3.7
Packagistdrupal/drupal8.08.3.7
CVEListV5drupal/drupal_coreDrupal 88.3.7

🔴Vulnerability Details

3
GHSA
Drupal REST API can bypass comment approval2022-05-13
OSV
Drupal REST API can bypass comment approval2022-05-13
CVEList
REST API can bypass comment approval - Access Bypass - Moderately Critical2019-01-15

💬Community

2
Bugzilla
CVE-2017-6923 CVE-2017-6924 CVE-2017-6925 drupal8: Multiple Vulnerabilities - SA-CORE-2017-004 [fedora-all]2017-08-22
Bugzilla
CVE-2017-6923 CVE-2017-6924 CVE-2017-6925 drupal8: Multiple Vulnerabilities - SA-CORE-2017-0042017-08-22
CVE-2017-6924 — Improper Privilege Management in Drupal | cvebase