CVE-2017-6923

Опубликовано: 22 янв. 2019

Источник: nvd

CVSS3: 6.5

CVSS2: 4

EPSS Низкий

Описание

In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.

Ссылки

http://www.securityfocus.com/bid/100368
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1039200
Third Party Advisory
VDB Entry
https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-08-16/drupal-core-multiple
Patch
Release Notes
Vendor Advisory
http://www.securityfocus.com/bid/100368
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1039200
Third Party Advisory
VDB Entry
https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-08-16/drupal-core-multiple
Patch
Release Notes
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*

Версия от 8.0.0 (включая) до 8.3.7 (включая)

EPSS

Процентиль: 51%

0.00282

Низкий

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-862

Связанные уязвимости

CVE-2017-6923

CVSS3: 6.5

debian

больше 6 лет назад

In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally ...

GHSA-v3f6-f29f-rgvp

CVSS3: 6.5

github

больше 5 лет назад

Missing Authorization in Drupal

EPSS

Процентиль: 51%

0.00282

Низкий

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-862