
CVE-2017-6924

Published 2019-01-15T20:00:00Z

No CVSS data available on the CVE record itself (the GitHub advisory section below carries its own score and vector)

Description

In Drupal 8 prior to 8.3.7, when using the REST API, users without the correct permission can post comments via REST that are created in the approved state, even though the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permission to post comments, or where anonymous users can post comments. Sites meeting those conditions should upgrade to 8.3.7 or later; sites that do not expose the comment entity over REST are not affected by this issue.
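The description above is a conjunction of conditions: a vulnerable version range plus three deployment facts. The following is an added triage helper, not HuntDB, GitHub or Drupal code. It encodes the advisory's affected range (drupal/core and drupal/drupal at or above 8.0 and below 8.3.7) and the preconditions from the description, and reports whether a given site is in scope and, if not, which condition rules it out. The `SiteFacts` fields are assumed inputs that an operator collects from the site's module list, REST resource configuration and permission matrix; the version parsing is a deliberately simple hypothetical helper that orders a pre-release (for example `8.3.7-rc1`) before its final release so it still counts as "below 8.3.7".

```python
"""Scope check for CVE-2017-6924 (GHSA-p8g6-5mg7-9r5q).

Added example, not HuntDB, GitHub or Drupal code. Encodes the affected range
published in the advisory (drupal/core and drupal/drupal >=8.0 <8.3.7) and the
preconditions from the description. SiteFacts values are assumed to be
collected by the operator; nothing here contacts a site.
"""
from dataclasses import dataclass

# Ranges exactly as listed in the advisory: lower bound inclusive, upper bound
# exclusive (8.3.7 is the first fixed release).
AFFECTED_RANGES = {
    "drupal/core": ("8.0", "8.3.7"),
    "drupal/drupal": ("8.0", "8.3.7"),
}


def parse_version(version: str) -> tuple:
    """Turn '8.3.7' or '8.3.7-rc1' into a comparable tuple.

    Numeric components are padded to three places; a trailing flag orders a
    pre-release (0) before the final release (1) of the same number, so
    8.3.7-rc1 < 8.3.7 and is therefore still inside '<8.3.7'. Ordering among
    alpha/beta/rc builds of one number is not modelled (it does not matter
    for this range check).
    """
    core, _, pre = version.partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) + ((0 if pre else 1),)


def package_affected(package: str, version: str) -> bool:
    """True if package@version falls inside an advisory range."""
    bounds = AFFECTED_RANGES.get(package)
    if bounds is None:
        return False
    low, high_exclusive = bounds
    v = parse_version(version)
    return parse_version(low) <= v < parse_version(high_exclusive)


@dataclass
class SiteFacts:
    package: str
    version: str
    rest_module_enabled: bool              # 'rest' module enabled
    comment_resource_enabled: bool         # comment entity REST resource enabled
    anonymous_can_post_comments: bool      # anonymous role may post comments
    attacker_has_commenting_account: bool  # an account with comment permission is reachable


def in_scope(f: SiteFacts) -> tuple[bool, list[str]]:
    """Apply the advisory's conditions; returns (affected, unmet conditions).

    A site is in scope only when every condition holds; the list of unmet
    conditions explains what ruled it out, which is what a triage note needs.
    """
    unmet = []
    if not package_affected(f.package, f.version):
        unmet.append(f"{f.package} {f.version} is outside >=8.0 <8.3.7")
    if not f.rest_module_enabled:
        unmet.append("rest module not enabled")
    if not f.comment_resource_enabled:
        unmet.append("comment entity REST resource not enabled")
    if not (f.anonymous_can_post_comments or f.attacker_has_commenting_account):
        unmet.append("no commenting-capable account reachable and anonymous commenting off")
    return (not unmet, unmet)


if __name__ == "__main__":
    # Constructed sample site, not a real deployment.
    site = SiteFacts("drupal/core", "8.3.6", True, True, True, False)
    affected, why = in_scope(site)
    print("affected" if affected else "not affected", why)
```

The anonymous-commenting branch is the one that matters most for prioritisation: it is the case where no credentials are needed at all, which is also the case the GitHub vector below scores as PR:N.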

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

GitHub Security Advisories

GitHub reviewed: yes. Severity: HIGH

Drupal REST API can bypass comment approval

GHSA-p8g6-5mg7-9r5q

Advisory Details

The advisory text is identical to the CVE description given above.

Affected Packages

Packagist drupal/core: >=8.0, <8.3.7
Packagist drupal/drupal: >=8.0, <8.3.7

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Check before reusing these numbers: the vector as printed does not produce the score as printed. Under the CVSS v3.0 base formula, AV:N/AC:H/PR:N/UI:N gives an exploitability sub-score of 8.22 × 0.85 × 0.44 × 0.85 × 0.85 ≈ 2.22, and C:H/I:H/A:N with scope unchanged gives an impact sub-score of 6.42 × (1 − 0.44 × 0.44) ≈ 5.18, which rounds up to a base score of 7.4, not 7.5. Treat the score and vector as possibly coming from different sources and re-score against your own deployment; the PR:N (no privileges) case corresponds to sites that allow anonymous commenting, while sites that only expose commenting to authenticated users are better described with PR:L.

Advisory provided by GitHub Security Advisory Database. Published: May 13, 2022, Modified: April 23, 2024

Published: 2019-01-15T20:00:00Z
Last Modified: 2024-09-16T16:57:56.911Z