CVE-2017-6924

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2017-6924

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-6924.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2017-6924

Aliases

GHSA-p8g6-5mg7-9r5q

Published

2019-01-15T20:29:00Z

Modified

2025-01-08T04:44:14.261087Z

Severity

7.4 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.

References

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type: GIT
Repo: https://github.com/drupal/drupal
Events: Introduced

35c2f3ca5c935f3d8bde15932a712677c9bbd50f

Fixed

d86c3b65ee89ad7a2b4e53aafcff12a185aa749b

Affected versions

8.*

8.0.0

8.1.0-beta1

8.3.0

8.3.0-alpha1

8.3.0-beta1

8.3.0-rc1

8.3.0-rc2

8.3.1

8.3.2

8.3.3

8.3.4

8.3.5

8.3.6