Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.
Credit:
The information has been provided by Quintus Maximus.
The original article can be found at: http://www.securitytracker.com/id/1036886
Vulnerable Systems:
* Drupal 8.0.0
* Drupal 8.0.1
* Drupal 8.0.2
* Drupal 8.0.3
* Drupal 8.0.4
* Drupal 8.0.5
* Drupal 8.0.6
* Drupal 8.1.0
* Drupal 8.1.1
* Drupal 8.1.2
* Drupal 8.1.3
* Drupal 8.1.4
* Drupal 8.1.5
* Drupal 8.1.6
* Drupal 8.1.7
* Drupal 8.1.8
* Drupal 8.1.9
A remote authenticated user without 'Administer comments' privileges can set comment visibility on nodes for which they have edit permissions.
CVE Information:
CVE-2016-7570
Disclosure Timeline:
Publish Date: 2016-10-03
Last Update Date: 2016-10-04
