CVE-2017-6931

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2017-6931

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6931.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2017-6931

Aliases

GHSA-7ffh-cjvg-fpr4

Published

2018-03-01T23:29:00Z

Modified

2024-09-03T01:55:23.598781Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

In Drupal versions 8.4.x versions before 8.4.5 the Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for. If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses. This vulnerability can be mitigated by disabling the Settings Tray module.

References

https://www.drupal.org/sa-core-2018-001

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type: GIT
Repo: https://github.com/drupal/drupal
Events: Introduced

abfe77673a5a6194ef13600e05f1ca2c5dd59db8

Fixed

3347ff569787d2e659a8c4b5211ea0c76894aa8a

Affected versions

8.*

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4