GHSA-2p28-5mvp-2j2r

Source
https://github.com/advisories/GHSA-2p28-5mvp-2j2r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2p28-5mvp-2j2r/GHSA-2p28-5mvp-2j2r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2p28-5mvp-2j2r
Aliases
Published
2022-05-14T03:35:57Z
Modified
2024-04-23T22:59:05.447807Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
Drupal Comment reply form allows access to restricted content
Details

In Drupal 8.4.x versions before 8.4.5, users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content. This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.

Database specific
{
    "nvd_published_at": "2018-03-01T23:29:00Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-23T22:36:48Z"
}
References

Affected packages

Packagist / drupal/core

Package

Name
drupal/core
Purl
pkg:composer/drupal/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.4.0
Fixed
8.4.5

Affected versions

8.*

8.4.0
8.4.1
8.4.2
8.4.3
8.4.4

Packagist / drupal/core

Package

Name
drupal/core
Purl
pkg:composer/drupal/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0
Fixed
7.57

Packagist / drupal/drupal

Package

Name
drupal/drupal
Purl
pkg:composer/drupal/drupal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.4.0
Fixed
8.4.5

Affected versions

8.*

8.4.0
8.4.1
8.4.2
8.4.3
8.4.4

Packagist / drupal/drupal

Package

Name
drupal/drupal
Purl
pkg:composer/drupal/drupal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0
Fixed
7.57