Arbitrary Node Comment Visibility Manipulation in Drupal 8.x before 8.1.10

Arbitrary Node Comment Visibility Manipulation in Drupal 8.x before 8.1.10

CVE-2016-7570 · MEDIUM Severity

AV:N/AC:L/AU:S/C:P/I:N/A:N

Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.

Learn more about our User Device Pen Test.