SB2017082324 - Fedora 25 update for drupal8

Published: August 23, 2017 Updated: April 24, 2025

Security Bulletin ID SB2017082324
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 67% Low 33%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Security restrictions bypass (CVE-ID: CVE-2017-6923)

The vulnerability allows a remote attacker to gain unauthorized access to views.

The vulnerability exists due to a design error within the views subsystem/module, which does not restrict access to the Ajax endpoint to only those views configured to use Ajax. A remote unauthenticated attacker can read or update the displayed data via filter parameters.

Successful exploitation of the vulnerability may allow an attacker to gain unauthorized access to views.

2) Security restrictions bypass (CVE-ID: CVE-2017-6924)

The vulnerability allows a remote attacker to gain unauthorized access to views.

The vulnerability exists due to a design error within RESTful Web Services (rest) module. A remote unauthenticated attacker can use REST API functionality to publish comments without approval.

Successful exploitation of the vulnerability may allow an attacker to post unauthorized comments.

3) Security restrictions bypass (CVE-ID: CVE-2017-6925)

The vulnerability allows a remote attacker to gain unauthorized access to entities.

The vulnerability exists due to a design error within the entity access system. A remote unauthenticated attacker can send a specially crafted request to the vulnerable website and view, create, update, or delete entities that do not have or do not use UUIDs, as well as entities that have different access restrictions on different revisions of the same entity.

Successful exploitation of the vulnerability may allow an attacker to read, create, modify or delete arbitrary entities on the vulnerable website.
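As an added triage example (not part of this bulletin or of Drupal itself), the script below scans web-server access logs for successful requests to the two remotely reachable surfaces described in items 1 and 2, the Views Ajax endpoint and REST comment creation, and reports source addresses that hit them repeatedly. It assumes the standard Drupal 8 routes /views/ajax and /entity/comment, which the bulletin does not state, and runs over constructed sample log lines.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed routes (not stated in the bulletin): Drupal 8 serves Views Ajax
# requests at /views/ajax and REST comment creation at POST /entity/comment.
VIEWS_AJAX_PATH = "/views/ajax"
REST_COMMENT_PATH = "/entity/comment"

# Apache/nginx "combined" format; only the fields the triage needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Map one access-log line to a finding tag, or None if it is not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if m["status"] not in ("200", "201"):
        return None                      # only successful requests matter here
    url = urlsplit(m["target"])
    if url.path == VIEWS_AJAX_PATH:
        return "views-ajax"              # CVE-2017-6923: Ajax endpoint served for any view
    if (url.path == REST_COMMENT_PATH and m["method"] == "POST"
            and "_format" in parse_qs(url.query)):
        return "rest-comment-create"     # CVE-2017-6924: comment created through REST
    return None

def triage(lines, threshold=3):
    """Count findings per client IP and return the IPs at or above threshold."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        tag = classify(line)
        if tag:
            counts[LOG_RE.match(line)["ip"]][tag] += 1
    return {ip: dict(tags) for ip, tags in counts.items()
            if sum(tags.values()) >= threshold}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Aug/2017:10:00:01 +0000] "POST /views/ajax HTTP/1.1" 200 812 "-" "curl/7.52"
203.0.113.7 - - [23/Aug/2017:10:00:02 +0000] "POST /views/ajax HTTP/1.1" 200 815 "-" "curl/7.52"
203.0.113.7 - - [23/Aug/2017:10:00:04 +0000] "POST /entity/comment?_format=json HTTP/1.1" 201 330 "-" "curl/7.52"
198.51.100.2 - - [23/Aug/2017:10:00:05 +0000] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [23/Aug/2017:10:00:06 +0000] "POST /entity/comment?_format=json HTTP/1.1" 403 120 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, tags in triage(SAMPLE_LOG).items():
        print(ip, tags)
```

Legitimate Ajax-enabled views and approved REST clients also hit these routes, so the counts are a starting point for review against the site's own configuration, not a verdict.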

Remediation

Install the update from the vendor's website.