Description
In versions of Drupal 8 core prior to 8.3.7, there is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity.
References (3)
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/100368
Mitigation, Vendor Advisory x_refsource_confirm
https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-08-16/drupal-core-multiple
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1039200
Scores
CVSS v3
9.8
EPSS
0.0062
EPSS Percentile
70.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (3)
drupal/core
8.0 - 8.3.7 (Packagist)
drupal/drupal
8.0 - 8.3.7 (Packagist)
drupal/drupal
8.0.0 - 8.3.7
Published
Jan 15, 2019
Tracked Since
Feb 18, 2026