漏洞类别:CGI
漏洞等级: 
漏洞信息
Drupal is a free and open-source content management framework written in PHP and distributed under the GNU General Public License. It is also used for knowledge management and business collaboration.
Drupal contains the following security vulnerabilities:
CVE-2017-6923: When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view.
CVE-2017-6924: When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments.
CVE-2017-6925: There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity..
Affected Versions:
Drupal core 8.x versions prior to 8.3.7
QID Detection Logic:
This QID depends on BlindElephant engine to detect the version of the Drupal installation as active attacks could potentially harm live installations.
漏洞危害
Depending on the vulnerability being exploited, an attacker could bypass security restrictions to post comments or view restricted content.
解决方案
Customers are advised to upgrade to Drupal 8.3.7 or later versions to remediate these vulnerabilities.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0daybank
文章评论