vulnerability

Drupal: CVE-2017-6924: Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-004

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
6	(AV:N/AC:M/Au:N/C:P/I:P/A:N)	Jan 16, 2018	Jan 16, 2018	Aug 11, 2025

Severity

CVSS

(AV:N/AC:M/Au:N/C:P/I:P/A:N)

Published

Jan 16, 2018

Added

Jan 16, 2018

Modified

Aug 11, 2025

Description

In Drupal 8 prior to 8.3.7; When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.

Solution

drupal-upgrade-8_3_7

References

CVE-2017-6924
https://attackerkb.com/topics/CVE-2017-6924
CWE-269
URL-https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-08-16/drupal-core-multiple

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today