CVE-2017-6924

Severity score: 7.4
CWE: 269
First published: Wed Aug 16 2017

In Drupal 8 prior to 8.3.7, when using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments. This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.

Credit: mlhess@drupal.org

Affected Software         Affected Version     How to fix
composer/drupal/core      >=8.0 <8.1.0
                          >=8.1.0 <8.2.0
                          >=8.2.0 <8.3.0
                          >=8.3.0 <8.3.7
composer/drupal/drupal    >=8.0 <8.1.0
                          >=8.1.0 <8.2.0
                          >=8.2.0 <8.3.0
                          >=8.3.0 <8.3.7
Drupal Drupal             >=8.0.0 <8.3.7
composer/drupal/drupal    >=8.0 <8.3.7         8.3.7
composer/drupal/core      >=8.0 <8.3.7         8.3.7
                          >=8.0.0 <8.3.7


Frequently Asked Questions

  • What is the severity of CVE-2017-6924?

    CVE-2017-6924 has been classified as a moderate severity vulnerability.

  • How do I fix CVE-2017-6924?

    The vulnerability can be fixed by upgrading to Drupal version 8.3.7 or later.

  • Which versions of Drupal are affected by CVE-2017-6924?

    CVE-2017-6924 affects Drupal versions prior to 8.3.7.

  • What specific component is vulnerable in CVE-2017-6924?

    The vulnerability specifically affects the REST API in Drupal when the RESTful Web Services module is enabled.

  • Can unauthorized users exploit CVE-2017-6924?

    Yes, users without the correct permissions can post approved comments via the REST API due to this vulnerability.
