Description

Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.

Remediation

References

CVE-2017-6919

Related Vulnerabilities

PleskWin Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2013-0132)

WordPress Clickjacking Vulnerability (0.7 - 3.1.2)

MediaWiki Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-42044)

Jenkins Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2015-5318)

MyBB Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2022-45867)

Severity

High

Classification

CVE-2017-6919 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities