CVE-2017-6924
Drupal REST API can bypass comment approval
7.4
HIGH
CVSS 3.1
EPSS 0.46%
Description
In Drupal 8 prior to 8.3.7, when using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.
How to fix CVE-2017-6924
To remediate CVE-2017-6924, upgrade the affected package to a fixed version below.
- upgrade to 8.3.7 or later
- upgrade to 8.3.7 or later
Is CVE-2017-6924 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 8.0, < 8.3.7
- >= 8.0, < 8.3.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.4 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |