Vulnerability identifier: #VU7963

Vulnerability risk: Medium

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-6925

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Drupal
Web applications / CMS

Vendor: Drupal

Description
The vulnerability allows a remote attacker to gain unauthorized access to entities.

The vulnerability exists due to a design error within entity access system. A remote unauthenticated attacker send a specially crafted request to the vulnerable website and view, create, update, or delete entities that do not have or not use UUIDs, and entities that have different access restrictions on different revisions of the same entity.

Successful exploitation of the vulnerability may allow an attacker to read, create,  modify or delete arbitrary entities on vulnerable website.

Mitigation
Update to version 8.3.7.

Vulnerable software versions

Drupal: 8.3.0 - 8.3.6

---

External links
http://www.drupal.org/SA-CORE-2017-004

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.