CVE-2017-6926 - Vulnerability Details - OpenCVE

In Drupal versions 8.4.x versions before 8.4.5 users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00366.

Key SSVC decision points have not yet been added.

Vendors	Products
Drupal	Drupal

Configuration 1 [-]

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-2018	In Drupal versions 8.4.x versions before 8.4.5 users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.
Github GHSA	GHSA-2p28-5mvp-2j2r	Drupal Comment reply form allows access to restricted content

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.drupal.org/sa-core-2018-001

History

No history.

MITRE

Status: PUBLISHED

Assigner: drupal

Published: 2018-03-01T22:00:00Z

Updated: 2024-09-17T01:06:48.443Z

Reserved: 2017-03-16T00:00:00

Link: CVE-2017-6926

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-03-01T23:29:00.233

Modified: 2024-11-21T03:30:49.547

Link: CVE-2017-6926

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Drupal Core", "vendor": "Drupal.org", "versions": [{"status": "affected", "version": "8.4.x versions before 8.4.5"}]}], "datePublic": "2018-02-21T00:00:00", "descriptions": [{"lang": "en", "value": "In Drupal versions 8.4.x versions before 8.4.5 users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments."}], "problemTypes": [{"descriptions": [{"description": "Access bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-03-02T01:57:01", "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/sa-core-2018-001"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@drupal.org", "DATE_PUBLIC": "2018-02-21T00:00:00", "ID": "CVE-2017-6926", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Drupal Core", "version": {"version_data": [{"version_value": "8.4.x versions before 8.4.5"}]}}]}, "vendor_name": "Drupal.org"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Drupal versions 8.4.x versions before 8.4.5 users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Access bypass"}]}]}, "references": {"reference_data": [{"name": "https://www.drupal.org/sa-core-2018-001", "refsource": "CONFIRM", "url": "https://www.drupal.org/sa-core-2018-001"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T15:49:02.219Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.drupal.org/sa-core-2018-001"}]}]}, "cveMetadata": {"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "assignerShortName": "drupal", "cveId": "CVE-2017-6926", "datePublished": "2018-03-01T22:00:00Z", "dateReserved": "2017-03-16T00:00:00", "dateUpdated": "2024-09-17T01:06:48.443Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "5C4AF907-5109-48BA-B510-8BC32A82C632", "versionEndExcluding": "8.4.5", "versionStartIncluding": "8.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Drupal versions 8.4.x versions before 8.4.5 users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments."}, {"lang": "es", "value": "En las versiones 8.4.x de Drupal anteriores a la 8.4.5, los usuarios con permisos para publicar comentarios pueden ver contenido y comentarios a los que no tienen acceso y, adem\u00e1s, tambi\u00e9n pueden a\u00f1adir comentarios en estos contenidos. Esta vulnerabilidad se mitiga por el hecho de que el sistema de comentarios debe estar activado y el atacante debe tener permiso para publicar comentarios."}], "id": "CVE-2017-6926", "lastModified": "2024-11-21T03:30:49.547", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-01T23:29:00.233", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-core-2018-001"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-core-2018-001"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}