CVE-2016-7570
MEDIUM 4.3 | EPSS 0.34%
Drupal Users without "Administer comments" can set comment visibility on nodes they can edit
Published: 2022/5/17 | Modified: 2024/4/23
Description
Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.
Affected packages (2)
- Packagist/drupal/core: >= 8.0.0, < 8.1.10
- Packagist/drupal/drupal: >= 8.0.0, < 8.1.10
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2016-7570
- PATCH: https://github.com/drupal/core
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2016-7570.yaml
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2016-7570.yaml
- WEB: https://www.drupal.org/SA-CORE-2016-004
- WEB: http://www.securityfocus.com/bid/93101
- WEB: http://www.securitytracker.com/id/1036886