#VU7963 Security restrictions bypass in Drupal - CVE-2017-6925
Published: August 16, 2017
Vulnerability identifier: #VU7963
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-6925
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Drupal
Software vendor:
Drupal
Description
The vulnerability allows a remote attacker to gain unauthorized access to entities.
The vulnerability exists due to a design error within the entity access system. A remote unauthenticated attacker can send a specially crafted request to the vulnerable website and view, create, update, or delete entities that do not have or do not use UUIDs, and entities that have different access restrictions on different revisions of the same entity.
Successful exploitation of the vulnerability may allow an attacker to read, create, modify or delete arbitrary entities on the vulnerable website.
Remediation
Update to version 8.3.7.