ID CVE-2017-6923
Summary In Drupal 8.x prior to 8.3.7, when creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.
References
Vulnerable Configurations
  • Drupal 8.0.0
    cpe:2.3:a:drupal:drupal:8.0.0
  • Drupal 8.0.0 Alpha 10
    cpe:2.3:a:drupal:drupal:8.0.0:alpha10
  • Drupal 8.0.0 Alpha 11
    cpe:2.3:a:drupal:drupal:8.0.0:alpha11
  • Drupal 8.0.0 Alpha 12
    cpe:2.3:a:drupal:drupal:8.0.0:alpha12
  • Drupal 8.0.0 Alpha 13
    cpe:2.3:a:drupal:drupal:8.0.0:alpha13
  • Drupal 8.0.0 Alpha 14
    cpe:2.3:a:drupal:drupal:8.0.0:alpha14
  • Drupal 8.0.0 Alpha 15
    cpe:2.3:a:drupal:drupal:8.0.0:alpha15
  • Drupal 8.0.0 Alpha 2
    cpe:2.3:a:drupal:drupal:8.0.0:alpha2
  • Drupal 8.0.0 Alpha 3
    cpe:2.3:a:drupal:drupal:8.0.0:alpha3
  • Drupal 8.0.0 Alpha 4
    cpe:2.3:a:drupal:drupal:8.0.0:alpha4
  • Drupal 8.0.0 Alpha 5
    cpe:2.3:a:drupal:drupal:8.0.0:alpha5
  • Drupal 8.0.0 Alpha 6
    cpe:2.3:a:drupal:drupal:8.0.0:alpha6
  • Drupal 8.0.0 Alpha 7
    cpe:2.3:a:drupal:drupal:8.0.0:alpha7
  • Drupal 8.0.0 Alpha 8
    cpe:2.3:a:drupal:drupal:8.0.0:alpha8
  • Drupal 8.0.0 Alpha 9
    cpe:2.3:a:drupal:drupal:8.0.0:alpha9
  • Drupal 8.0.0 Beta 1
    cpe:2.3:a:drupal:drupal:8.0.0:beta1
  • Drupal 8.0.0 Beta 10
    cpe:2.3:a:drupal:drupal:8.0.0:beta10
  • Drupal 8.0.0 Beta 11
    cpe:2.3:a:drupal:drupal:8.0.0:beta11
  • Drupal 8.0.0 Beta 12
    cpe:2.3:a:drupal:drupal:8.0.0:beta12
  • Drupal 8.0.0 Beta 13
    cpe:2.3:a:drupal:drupal:8.0.0:beta13
  • Drupal 8.0.0 Beta 14
    cpe:2.3:a:drupal:drupal:8.0.0:beta14
  • Drupal 8.0.0 Beta 15
    cpe:2.3:a:drupal:drupal:8.0.0:beta15
  • Drupal 8.0.0 Beta 16
    cpe:2.3:a:drupal:drupal:8.0.0:beta16
  • Drupal 8.0.0 Beta 2
    cpe:2.3:a:drupal:drupal:8.0.0:beta2
  • Drupal 8.0.0 Beta 3
    cpe:2.3:a:drupal:drupal:8.0.0:beta3
  • Drupal 8.0.0 Beta 4
    cpe:2.3:a:drupal:drupal:8.0.0:beta4
  • Drupal 8.0.0 Beta 6
    cpe:2.3:a:drupal:drupal:8.0.0:beta6
  • Drupal 8.0.0 Beta 7
    cpe:2.3:a:drupal:drupal:8.0.0:beta7
  • Drupal 8.0.0 Beta 9
    cpe:2.3:a:drupal:drupal:8.0.0:beta9
  • Drupal 8.0.0 Release Candidate 1
    cpe:2.3:a:drupal:drupal:8.0.0:rc1
  • Drupal 8.0.0 Release Candidate 2
    cpe:2.3:a:drupal:drupal:8.0.0:rc2
  • Drupal 8.0.0 Release Candidate 3
    cpe:2.3:a:drupal:drupal:8.0.0:rc3
  • Drupal 8.0.0 Release Candidate 4
    cpe:2.3:a:drupal:drupal:8.0.0:rc4
  • Drupal 8.0.1
    cpe:2.3:a:drupal:drupal:8.0.1
  • Drupal 8.0.2
    cpe:2.3:a:drupal:drupal:8.0.2
  • Drupal 8.0.3
    cpe:2.3:a:drupal:drupal:8.0.3
  • Drupal 8.0.4
    cpe:2.3:a:drupal:drupal:8.0.4
  • Drupal 8.0.5
    cpe:2.3:a:drupal:drupal:8.0.5
  • Drupal 8.0.6
    cpe:2.3:a:drupal:drupal:8.0.6
  • Drupal 8.1.0
    cpe:2.3:a:drupal:drupal:8.1.0
  • Drupal 8.1.0 Beta 1
    cpe:2.3:a:drupal:drupal:8.1.0:beta1
  • Drupal 8.1.0 Beta 2
    cpe:2.3:a:drupal:drupal:8.1.0:beta2
  • Drupal 8.1.0 Release Candidate 1
    cpe:2.3:a:drupal:drupal:8.1.0:rc1
  • Drupal 8.1.1
    cpe:2.3:a:drupal:drupal:8.1.1
  • Drupal 8.1.2
    cpe:2.3:a:drupal:drupal:8.1.2
  • Drupal 8.1.3
    cpe:2.3:a:drupal:drupal:8.1.3
  • Drupal 8.1.4
    cpe:2.3:a:drupal:drupal:8.1.4
  • Drupal 8.1.5
    cpe:2.3:a:drupal:drupal:8.1.5
  • Drupal 8.1.6
    cpe:2.3:a:drupal:drupal:8.1.6
  • Drupal 8.1.7
    cpe:2.3:a:drupal:drupal:8.1.7
  • Drupal 8.1.8
    cpe:2.3:a:drupal:drupal:8.1.8
  • Drupal 8.1.9
    cpe:2.3:a:drupal:drupal:8.1.9
  • Drupal 8.1.10
    cpe:2.3:a:drupal:drupal:8.1.10
  • Drupal 8.2.0
    cpe:2.3:a:drupal:drupal:8.2.0
  • Drupal 8.2.0 Beta 1
    cpe:2.3:a:drupal:drupal:8.2.0:beta1
  • Drupal 8.2.0 Beta 2
    cpe:2.3:a:drupal:drupal:8.2.0:beta2
  • Drupal 8.2.0 Beta 3
    cpe:2.3:a:drupal:drupal:8.2.0:beta3
  • Drupal 8.2.0 Release Candidate 1
    cpe:2.3:a:drupal:drupal:8.2.0:rc1
  • Drupal 8.2.0 Release Candidate 2
    cpe:2.3:a:drupal:drupal:8.2.0:rc2
  • Drupal 8.2.1
    cpe:2.3:a:drupal:drupal:8.2.1
  • Drupal 8.2.2
    cpe:2.3:a:drupal:drupal:8.2.2
  • Drupal 8.2.3
    cpe:2.3:a:drupal:drupal:8.2.3
  • Drupal 8.2.4
    cpe:2.3:a:drupal:drupal:8.2.4
  • Drupal 8.2.5
    cpe:2.3:a:drupal:drupal:8.2.5
  • Drupal 8.2.6
    cpe:2.3:a:drupal:drupal:8.2.6
  • Drupal 8.2.7
    cpe:2.3:a:drupal:drupal:8.2.7
  • Drupal 8.2.8
    cpe:2.3:a:drupal:drupal:8.2.8
  • Drupal 8.3.0
    cpe:2.3:a:drupal:drupal:8.3.0
  • Drupal 8.3.0 Alpha 1
    cpe:2.3:a:drupal:drupal:8.3.0:alpha1
  • Drupal 8.3.0 Beta 1
    cpe:2.3:a:drupal:drupal:8.3.0:beta1
  • Drupal 8.3.0 Release Candidate 1
    cpe:2.3:a:drupal:drupal:8.3.0:rc1
  • Drupal 8.3.0 Release Candidate 2
    cpe:2.3:a:drupal:drupal:8.3.0:rc2
  • Drupal 8.3.1
    cpe:2.3:a:drupal:drupal:8.3.1
  • Drupal 8.3.2
    cpe:2.3:a:drupal:drupal:8.3.2
  • Drupal 8.3.3
    cpe:2.3:a:drupal:drupal:8.3.3
  • Drupal 8.3.4
    cpe:2.3:a:drupal:drupal:8.3.4
  • Drupal 8.3.5
    cpe:2.3:a:drupal:drupal:8.3.5
  • Drupal 8.3.6
    cpe:2.3:a:drupal:drupal:8.3.6
  • Drupal 8.3.7
    cpe:2.3:a:drupal:drupal:8.3.7
CVSS
Base: 4.0
Impact:
Exploitability:
CWE CWE-284
CAPEC
  • Embedding Scripts within Scripts
    An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side; client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-0FBD57C134.NASL
    description - [8.3.7](https://www.drupal.org/project/drupal/releases/8.3.7) - [SA-CORE-2017-004 (CVE-2017-6923, CVE-2017-6924, CVE-2017-6925)](https://www.drupal.org/SA-CORE-2017-004) - [8.3.6](https://www.drupal.org/project/drupal/releases/8.3.6) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-01
    plugin id 103097
    published 2017-09-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103097
    title Fedora 26 : drupal8 (2017-0fbd57c134)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-902970C18F.NASL
    description - [8.3.7](https://www.drupal.org/project/drupal/releases/8.3.7) - [SA-CORE-2017-004 (CVE-2017-6923, CVE-2017-6924, CVE-2017-6925)](https://www.drupal.org/SA-CORE-2017-004) - [8.3.6](https://www.drupal.org/project/drupal/releases/8.3.6) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-01
    plugin id 103103
    published 2017-09-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103103
    title Fedora 25 : drupal8 (2017-902970c18f)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_473B6A9E849311E7B24B6CF0497DB129.NASL
    description Drupal Security Team: CVE-2017-6923: Views - Access Bypass - Moderately Critical; CVE-2017-6924: REST API can bypass comment approval - Access Bypass - Moderately Critical; CVE-2017-6925: Entity access bypass for entities that do not have UUIDs or have protected revisions - Access Bypass - Critical
    last seen 2019-02-21
    modified 2019-02-01
    plugin id 102615
    published 2017-08-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102615
    title FreeBSD : drupal -- Drupal Core - Multiple Vulnerabilities (473b6a9e-8493-11e7-b24b-6cf0497db129)
  • NASL family CGI abuses
    NASL id DRUPAL_8_3_7.NASL
    description According to its self-reported version, the instance of Drupal running on the remote web server is 8.x prior to 8.3.7. It is, therefore, affected by multiple vulnerabilities:
      - A flaw exists in the views subsystem due to a failure to restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. (CVE-2017-6923)
      - A flaw exists with REST API that allows users without the correct permission to post comments via REST that are approved even if the user does not have permission to post approved comments. (CVE-2017-6924)
      - A flaw exists in the entity access system that allows unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity. (CVE-2017-6925)
      Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 102714
    published 2017-08-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102714
    title Drupal 8.x < 8.3.7 Multiple Vulnerabilities (SA-CORE-2017-004)
refmap via4
bid 100368
confirm https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-08-16/drupal-core-multiple
sectrack 1039200
Last major update 22-01-2019 - 11:29
Published 22-01-2019 - 10:29
Last modified 13-02-2019 - 11:34