Description
e107 is a content management system (CMS). Prior to 2.3.4, a Broken Access Control vulnerability exists in the application, allowing an unauthorized authenticated user to edit comments posted by others. This stems from inadequate server-side access control validation, where the application depends only on a predictable identifier in the request to determine which comment to edit, without confirming the requesting user’s ownership of the comment. This vulnerability is fixed in 2.3.4.
Published: 2026-05-26
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A broken access control flaw in e107 allows an authenticated user who is not the comment owner to alter the content of comments posted by other users. The weakness is an integrity violation (CWE-284) that stems from the application trusting a predictable comment identifier supplied in the edit request without verifying that the requestor actually owns the comment (CWE-639). An attacker who can log in with any account can therefore deface or manipulate comments, potentially spreading misinformation, undermining content integrity, and eroding user trust.

Affected Systems

All installations of e107 CMS version 2.3.3 and earlier are affected, because the fix was implemented in version 2.3.4. The vendor is e107inc, product e107.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, and no EPSS data is available. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that the user be authenticated; an attacker can trigger the flaw by sending a crafted HTTP request containing a comment identifier. The attack surface is limited to the comment-editing functionality, but the impact can be significant if malicious content is injected or legitimate comments are tampered with.

Generated by OpenCVE AI on May 26, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade e107 to version 2.3.4 or later, where the access control validation on comment editing has been corrected.
  • If a patch cannot be applied immediately, restrict the comment edit feature to administrators only or temporarily disable it for non-administrator users until the fix is in place.
  • Verify and harden the server-side validation to ensure that each edit request checks the ownership of the comment before applying changes.
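As an added illustration (not e107's own code, which this page does not show), the flawed selector-only update is shown beside an ownership-checked version. It assumes a PDO connection and a hypothetical `comments` table with `id`, `user_id` and `body` columns; the ownership condition is folded into the UPDATE itself so there is no check-then-update gap.

```php
<?php
// Added example, not from the e107 code base. Assumed schema:
// comments(id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT).

function edit_comment_unchecked(PDO $db, int $commentId, string $newBody): bool
{
    // Flawed pattern described in the advisory: the comment id taken from the
    // request is the only selector, so any authenticated user who supplies a
    // valid id can overwrite another user's comment.
    $stmt = $db->prepare('UPDATE comments SET body = :body WHERE id = :id');
    return $stmt->execute([':body' => $newBody, ':id' => $commentId])
        && $stmt->rowCount() === 1;
}

function edit_comment_checked(PDO $db, int $commentId, string $newBody,
                              int $currentUserId, bool $isAdmin = false): bool
{
    // Corrected pattern: the row must also belong to the requesting user unless
    // the requester is an administrator. Zero affected rows covers both
    // "comment does not exist" and "not the owner", and both are reported the
    // same way so valid ids cannot be distinguished from invalid ones.
    if ($isAdmin) {
        $stmt = $db->prepare('UPDATE comments SET body = :body WHERE id = :id');
        $params = [':body' => $newBody, ':id' => $commentId];
    } else {
        $stmt = $db->prepare(
            'UPDATE comments SET body = :body WHERE id = :id AND user_id = :uid');
        $params = [':body' => $newBody, ':id' => $commentId, ':uid' => $currentUserId];
    }
    if (!$stmt->execute($params) || $stmt->rowCount() !== 1) {
        // Denied edits are worth logging: repeated denials for many different
        // comment ids from one account are a useful detection signal.
        error_log(sprintf('comment edit denied: user=%d comment=%d',
                          $currentUserId, $commentId));
        return false;
    }
    return true;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, body TEXT NOT NULL)');
$db->exec("INSERT INTO comments (id, user_id, body) VALUES (1, 10, 'original text')");

var_dump(edit_comment_unchecked($db, 1, 'tampered'));          // caller never identified
var_dump(edit_comment_checked($db, 1, 'tampered again', 20)); // user 20 is not the owner
var_dump(edit_comment_checked($db, 1, 'owner edit', 10));     // user 10 owns comment 1
```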



Advisories

No advisories yet.

History

Tue, 26 May 2026 15:45:00 +0000

Type          Values Removed    Values Added
Description   (none)            e107 is a content management system (CMS). Prior to 2.3.4, a Broken Access Control vulnerability exists in the application, allowing an unauthorized authenticated user to edit comments posted by others. This stems from inadequate server-side access control validation, where the application depends only on a predictable identifier in the request to determine which comment to edit, without confirming the requesting user’s ownership of the comment. This vulnerability is fixed in 2.3.4.
Title         (none)            e107: Broken Access Control in e107 comment edit allows cross-user comment modification
Weaknesses    (none)            CWE-284, CWE-639
References    (none)            (none)
Metrics       (none)            cvssV3_1: score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-26T17:40:51.812Z

Reserved: 2026-05-04T16:59:09.089Z

Link: CVE-2026-43934

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-26T16:16:25.253

Modified: 2026-05-26T16:16:25.253

Link: CVE-2026-43934

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T17:00:13Z

Weaknesses