CVE-2017-6926 - OpenCVE

In Drupal versions 8.4.x versions before 8.4.5 users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Drupal	Drupal

Configuration 1 [-]

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.drupal.org/sa-core-2018-001

History

No history.

MITRE

Status: PUBLISHED

Assigner: drupal

Published: 2018-03-01T22:00:00Z

Updated: 2024-09-17T01:06:48.443Z

Reserved: 2017-03-16T00:00:00

Link: CVE-2017-6926

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-03-01T23:29:00.233

Modified: 2018-03-22T17:20:32.123

Link: CVE-2017-6926

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Drupal Core", "vendor": "Drupal.org", "versions": [{"status": "affected", "version": "8.4.x versions before 8.4.5"}]}], "datePublic": "2018-02-21T00:00:00", "descriptions": [{"lang": "en", "value": "In Drupal versions 8.4.x versions before 8.4.5 users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments."}], "problemTypes": [{"descriptions": [{"description": "Access bypass", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-03-02T01:57:01", "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.drupal.org/sa-core-2018-001"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@drupal.org", "DATE_PUBLIC": "2018-02-21T00:00:00", "ID": "CVE-2017-6926", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Drupal Core", "version": {"version_data": [{"version_value": "8.4.x versions before 8.4.5"}]}}]}, "vendor_name": "Drupal.org"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Drupal versions 8.4.x versions before 8.4.5 users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Access bypass"}]}]}, "references": {"reference_data": [{"name": "https://www.drupal.org/sa-core-2018-001", "refsource": "CONFIRM", "url": "https://www.drupal.org/sa-core-2018-001"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T15:49:02.219Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.drupal.org/sa-core-2018-001"}]}]}, "cveMetadata": {"assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "assignerShortName": "drupal", "cveId": "CVE-2017-6926", "datePublished": "2018-03-01T22:00:00Z", "dateReserved": "2017-03-16T00:00:00", "dateUpdated": "2024-09-17T01:06:48.443Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*", "matchCriteriaId": "5C4AF907-5109-48BA-B510-8BC32A82C632", "versionEndExcluding": "8.4.5", "versionStartIncluding": "8.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Drupal versions 8.4.x versions before 8.4.5 users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments."}, {"lang": "es", "value": "En las versiones 8.4.x de Drupal anteriores a la 8.4.5, los usuarios con permisos para publicar comentarios pueden ver contenido y comentarios a los que no tienen acceso y, adem\u00e1s, tambi\u00e9n pueden a\u00f1adir comentarios en estos contenidos. Esta vulnerabilidad se mitiga por el hecho de que el sistema de comentarios debe estar activado y el atacante debe tener permiso para publicar comentarios."}], "id": "CVE-2017-6926", "lastModified": "2018-03-22T17:20:32.123", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-01T23:29:00.233", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-core-2018-001"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}