GHSA-6g9h-6v79-w4pc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6g9h-6v79-w4pc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6g9h-6v79-w4pc/GHSA-6g9h-6v79-w4pc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6g9h-6v79-w4pc
- Aliases
- Published
- 2022-05-17T03:47:58Z
- Modified
- 2024-04-23T22:59:05.069610Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Drupal Users without "Administer comments" can set comment visibility on nodes they can edit
- Details
-
Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.
- Database specific
{ "nvd_published_at": "2016-10-03T18:59:00Z", "cwe_ids": [ "CWE-269" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-04-23T22:37:18Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2016-7570
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2016-7570.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2016-7570.yaml
- https://github.com/drupal/core
- https://www.drupal.org/SA-CORE-2016-004
- http://www.securityfocus.com/bid/93101
- http://www.securitytracker.com/id/1036886
Affected packages
Packagist / drupal/drupal
Package
- Name
- drupal/drupal
- Purl
- pkg:composer/drupal/drupal
Packagist / drupal/core
Package
- Name
- drupal/core
- Purl
- pkg:composer/drupal/core