Description

Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.

Remediation

References

CVE-2016-7570

Related Vulnerabilities

WordPress Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-16218)

MySQL CVE-2021-35608 Vulnerability (CVE-2021-35608)

Atlassian Jira Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-4022)

Contao Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2019-19745)

WordPress Plugin BAVOKO SEO Tools-All-in-One WordPress SEO Security Bypass (2.1.9.7)

Severity

Medium

Classification

CVE-2016-7570 CWE-264 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities