Description

Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.

Remediation

References

CVE-2016-7570

Related Vulnerabilities

Craft CMS Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2023-40035)

WordPress Plugin QIWI payment module for Woocommerce Cross-Site Scripting (0.0.9)

WordPress Plugin Registration Forms-User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction Cross-Site Scripting (3.7.0.0)

WordPress Plugin All in One SEO-Best WordPress SEO-Easily Improve SEO Rankings & Increase Traffic Cross-Site Scripting (3.6.1)

Play Framework Improper Input Validation Vulnerability (CVE-2015-2156)

Severity

Medium

Classification

CVE-2016-7570 CWE-264 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities