REST API can bypass comment approval - Access Bypass - Moderately Critical
CVE-2017-6924

7.4HIGH

Key Information:

Vendor
Drupal
Status
Drupal Core
Vendor
CVE Published:
15 January 2019

Summary

In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.

Affected Version(s)

Drupal Core Drupal 8 < 8.3.7

References

http://www.securityfocus.com/bid/100368
vdb-entryx_refsource_BID
https://www.drupal.org/forum/newsletters/security-advisor...
x_refsource_CONFIRM
http://www.securitytracker.com/id/1039200
vdb-entryx_refsource_SECTRACK

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.