CVE-2016-7570
Vulnerability from cvelistv5
Published
2016-10-03 18:00
Modified
2024-08-06 02:04
Severity ?
EPSS score ?
Summary
Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/93101 | Third Party Advisory | |
| cve@mitre.org | http://www.securitytracker.com/id/1036886 | Third Party Advisory | |
| cve@mitre.org | https://www.drupal.org/SA-CORE-2016-004 | Vendor Advisory |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:04:55.431Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.drupal.org/SA-CORE-2016-004"
},
{
"name": "93101",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/93101"
},
{
"name": "1036886",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1036886"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-09-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Drupal 8.x before 8.1.10 does not properly check for \"Administer comments\" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-10-03T17:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.drupal.org/SA-CORE-2016-004"
},
{
"name": "93101",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/93101"
},
{
"name": "1036886",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1036886"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-7570",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Drupal 8.x before 8.1.10 does not properly check for \"Administer comments\" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.drupal.org/SA-CORE-2016-004",
"refsource": "CONFIRM",
"url": "https://www.drupal.org/SA-CORE-2016-004"
},
{
"name": "93101",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/93101"
},
{
"name": "1036886",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1036886"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-7570",
"datePublished": "2016-10-03T18:00:00",
"dateReserved": "2016-09-09T00:00:00",
"dateUpdated": "2024-08-06T02:04:55.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2016-7570\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2016-10-03T18:59:15.230\",\"lastModified\":\"2016-10-04T17:42:02.783\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Drupal 8.x before 8.1.10 does not properly check for \\\"Administer comments\\\" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.\"},{\"lang\":\"es\",\"value\":\"Drupal 8.x en versiones anteriores a 8.1.10 no valida adecuadamente el permiso para \\\"Administrar comentarios\\\", lo que permite a usuarios remotos autenticados configurar la visibilidad de los comentarios para nodos arbitrarios aprovechando los derechos para editar estos nodos.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":true,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C20DAD7-13A7-40F7-B6E0-965DB4E14508\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha10:*:*:*:*:*:*\",\"matchCriteriaId\":\"144694E6-3287-4F4D-A687-7F495133DBA2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha11:*:*:*:*:*:*\",\"matchCriteriaId\":\"581D686B-1061-4271-BEF4-17A429BD666A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha12:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3E45AA6-5FAF-4C63-91F5-0765CE60191A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha13:*:*:*:*:*:*\",\"matchCriteriaId\":\"FE5D81CF-AE7B-4A9C-AD8F-9A19D2AC35DA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha14:*:*:*:*:*:*\",\"matchCriteriaId\":\"A27535A5-7C4F-4548-A4B8-5FFBD58361D7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha15:*:*:*:*:*:*\",\"matchCriteriaId\":\"17BC6508-3518-4BB5-B29F-4E6CB6DE9D44\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha2:*:*:*:*:*:*\",\"matchCriteriaId\":\"8CBB5620-5847-443F-8356-B66EE93A3779\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha3:*:*:*:*:*:*\",\"matchCriteriaId\":\"3E81260D-E0D2-4FD2-AAED-99945404EB00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha4:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A7D34E6-76E0-4BCB-A4C8-9401C7331EF4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha5:*:*:*:*:*:*\",\"matchCriteriaId\":\"201E2EA9-B811-4BB2-867A-6F12DC472911\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha6:*:*:*:*:*:*\",\"matchCriteriaId\":\"C957B189-10C2-4D42-B5B9-03F7DE287C8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha7:*:*:*:*:*:*\",\"matchCriteriaId\":\"A7E21838-CDEC-41B2-AE40-C78DE8984B6F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha8:*:*:*:*:*:*\",\"matchCriteriaId\":\"639F0284-85D1-40B0-B337-77632E7A664B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:alpha9:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F4B611A-3628-41EA-878D-BF9D6C34AA83\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"856E46E5-1BF3-42F4-AFCB-81275B1EF265\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta10:*:*:*:*:*:*\",\"matchCriteriaId\":\"B351F769-598F-4E3E-99EA-94A5516995A2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta11:*:*:*:*:*:*\",\"matchCriteriaId\":\"220900E6-5859-4CA9-831E-3FF3C128F060\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta12:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D55D51E-DE2D-469C-9F9C-F312A02EE921\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta13:*:*:*:*:*:*\",\"matchCriteriaId\":\"259B5FE7-2808-4F61-B98C-73ECC7F9503C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta14:*:*:*:*:*:*\",\"matchCriteriaId\":\"BA263BE6-2088-4E18-914B-96CFAA0093E0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta15:*:*:*:*:*:*\",\"matchCriteriaId\":\"906AED87-8C5C-4214-B5AD-43E5573E357A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta16:*:*:*:*:*:*\",\"matchCriteriaId\":\"E150FDA8-5271-465C-8DE0-F44E9FC81E90\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4E036D4F-BD94-4F77-883C-165B3F0802C0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"7A7068F8-810D-4720-9E0E-06DB1DD366ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"443183F6-9EF5-41AE-8AD0-B304BBF1670A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta6:*:*:*:*:*:*\",\"matchCriteriaId\":\"58C5EF43-E24F-4BDB-9496-16DE4EEF3E67\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta7:*:*:*:*:*:*\",\"matchCriteriaId\":\"B00B494B-736A-47A7-ACF3-81368C033086\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:beta9:*:*:*:*:*:*\",\"matchCriteriaId\":\"E275F22B-7A46-4107-BE6F-6C4D7EAA46FC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"63530139-7EF2-4210-9870-B06175ECBC58\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"ED085089-51D6-4E5C-96E8-CC5C7C55CC97\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"36FC67CE-9C45-4842-81AF-EEAE557D70D8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"5FE6AC83-B248-4491-A320-836C65E64D6A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"99D7F3C7-3EC6-48D2-A8D5-1F987FD74A20\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"434D4D80-44C0-4278-A09B-005A599F4658\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2CF1BC91-4A24-40FC-8EEC-E4FAD624C2CD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"43067661-B562-41BC-B272-8A79075291B9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EA9EF375-AE7C-4900-A992-C635228889E4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"53FA0C7F-000A-4CB4-86E3-DEC0C9DCA1BB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E39B2B71-C1B8-4A16-88FE-D691CC3C9BE8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"535BC461-E9B1-4124-8125-1D9F91CF4F68\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"06F63C7F-CE02-428D-90CD-05B726C0026D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F18278D5-A30B-4624-AC64-CA39F92EB8C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B3F72CAF-2BCA-454D-B8AC-951EC566A965\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0C7CB5D-CE55-4628-957D-3D2C5EE2353B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C9E1FBB4-D63F-4AA0-ADE3-70527F4D84A2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9D2D1BF3-879B-44C5-B3A0-2E91B27BFF29\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D2BB7835-2BFD-4182-B112-7E8A9FF2449C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80CE2090-A5AF-47B8-BB7D-727FFF093413\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B28527E-92CB-4171-8EE3-9187C3F44EC5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3CB85396-4D94-4752-A134-A1644C707777\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:drupal:drupal:8.1.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F6802D01-6220-4EBE-B267-10DC14E6D186\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/93101\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.securitytracker.com/id/1036886\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.drupal.org/SA-CORE-2016-004\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.