Drupal: CVE-2016-7570: Users without "Administer comments" can set comment visibility on nodes they can edit
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
4 | (AV:N/AC:L/Au:S/C:P/I:N/A:N) | 2016-10-03 | 2017-09-18 | 2025-04-14 |
Description
Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.
Solution
drupal-upgrade-8_1_10
