Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-P8G6-5MG7-9R5Q
HistoryMay 13, 2022 - 1:36 a.m.

Drupal REST API can bypass comment approval

2022-05-1301:36:23
CWE-269
GitHub Advisory Database
github.com
1

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

6.4 Medium

AI Score

Confidence

Low

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.01 Low

EPSS

Percentile

83.1%

JSON

In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.

CPENameOperatorVersion
drupal/drupallt8.3.7
drupal/corelt8.3.7

Related

prion 1
osv 2
veracode 1
friendsofphp 2
cve 1
cvelist 1
nessus 5
openvas 5
freebsd 1
fedora 3
threatpost 1
ibm 2
prion
prion
Code injection
2019-01-15 20:29:00
osv
osv
Drupal REST API can bypass comment approval
2022-05-13 01:36:23
CVE-2017-6924
2019-01-15 20:29:00
veracode
veracode
Access Bypass
2017-10-26 03:35:17
friendsofphp
friendsofphp
REST API can bypass comment approval.
2017-08-16 17:10:35
REST API can bypass comment approval.
2017-08-16 17:10:35
cve
cve
CVE-2017-6924
2019-01-15 20:29:00
cvelist
cvelist
REST API can bypass comment approval - Access Bypass - Moderately Critical
2019-01-15 20:00:00
nessus
nessus
Fedora 25 : drupal8 (2017-902970c18f)
2017-09-11 00:00:00
Drupal 8.x < 8.3.7 Multiple Vulnerabilities
2018-11-05 00:00:00
Fedora 26 : drupal8 (2017-0fbd57c134)
2017-09-11 00:00:00
openvas
openvas
Drupal Core Multiple Vulnerabilities (SA-CORE-2017-004) - Linux
2017-08-17 00:00:00
Fedora Update for drupal8 FEDORA-2017-0fbd57c134
2017-09-09 00:00:00
Fedora Update for drupal8 FEDORA-2017-902970c18f
2017-09-09 00:00:00
freebsd
freebsd
drupal -- Drupal Core - Multiple Vulnerabilities
2017-08-16 00:00:00
fedora
fedora
[SECURITY] Fedora 26 Update: drupal8-8.3.7-1.fc26
2017-09-08 16:22:14
[SECURITY] Fedora 25 Update: drupal8-8.3.7-1.fc25
2017-09-08 21:21:26
[SECURITY] Fedora 26 Update: drupal8-8.3.9-1.fc26
2018-04-24 03:28:25
threatpost
threatpost
Drupal Patches Critical Access Bypass Bug
2017-08-17 15:50:33
ibm
ibm
Security Bulletin: API Connect Portal is affected by multiple Drupal vulnerabilities
2018-06-15 07:08:13
Security Bulletin: API Connect Portal is affected by multiple Drupal vulnerabilities
2018-06-15 07:08:05

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

6.4 Medium

AI Score

Confidence

Low

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.01 Low

EPSS

Percentile

83.1%

JSON
Related for GHSA-P8G6-5MG7-9R5Q
prion1osv2veracode1friendsofphp2cve1cvelist1nessus5openvas5freebsd1fedora3threatpost1ibm2