CVE-2017-6925 – drupal/core

Package

Manager: composer
Name: drupal/core
Vulnerable Version: >=8.0 <8.3.7

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00657 pctl0.70144

Details

Drupal Entity access bypass for entities that do not have UUIDs or have protected revisions In versions of Drupal 8 core prior to 8.3.7; There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity.

Metadata

Created: 2022-05-13T01:46:48Z
Modified: 2024-04-23T22:33:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f4qx-jqfq-7785/GHSA-f4qx-jqfq-7785.json
CWE IDs: ["CWE-269"]
Alternative ID: GHSA-f4qx-jqfq-7785
Finding: F159
Auto approve: 1