Drupal: CVE-2016-7570: Users without "Administer comments" can set comment visibility on nodes they can edit
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:L/Au:S/C:P/I:N/A:N) | Oct 3, 2016 | Sep 18, 2017 | Apr 14, 2025 |
Description
Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.
Solution
drupal-upgrade-8_1_10