CVE-2016-7570

MEDIUM

Drupal < 8.1.10 - Access Control

Title source: rule

Description

Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.

References (3)

[Third Party Advisory] http://www.securityfocus.com/bid/93101

[Third Party Advisory] http://www.securitytracker.com/id/1036886

[Vendor Advisory] https://www.drupal.org/SA-CORE-2016-004

Scores

CVSS v3 4.3

EPSS 0.0034

EPSS Percentile 56.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-264

Status published

Affected Products (50)

drupal/drupal

... and 35 more

Timeline

Published Oct 03, 2016

Tracked Since Feb 18, 2026