Description

Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.

Remediation

References

CVE-2016-7570

Related Vulnerabilities

MySQL CVE-2016-0639 Vulnerability (CVE-2016-0639)

Cherokee NULL Pointer Dereference Vulnerability (CVE-2020-12845)

WordPress Plugin Events by Devllo Cross-Site Scripting (1.0.4.2)

MySQL CVE-2019-2911 Vulnerability (CVE-2019-2911)

WordPress Plugin YouTube Gallery-Best YouTube Video Gallery Cross-Site Scripting (3.2.1)

Severity

Medium

Classification

CVE-2016-7570 CWE-264 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities