vulnerability

Drupal: CVE-2016-7570: Users without "Administer comments" can set comment visibility on nodes they can edit

Severity: 4
CVSS: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Published: Oct 3, 2016
Added: Sep 18, 2017
Modified: Apr 14, 2025

Description

Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.

Solution

drupal-upgrade-8_1_10