CVE-2017-6924
HIGHDrupal 8.0.0-8.3.6 - Improper Privilege Management via REST API Comment Approval
Title source: llmDescription
In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/100368
Mitigation, Vendor Advisory x_refsource_confirm
https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-08-16/drupal-core-multiple
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1039200
Scores
CVSS v3
7.4
EPSS
0.0046
EPSS Percentile
64.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-269
Status
published
Products (3)
drupal/core
8.0 - 8.3.7Packagist
drupal/drupal
8.0 - 8.3.7Packagist
drupal/drupal
8.0.0 - 8.3.7
Published
Jan 15, 2019
Tracked Since
Feb 18, 2026