Drupal Patches Critical Remote Access Bypass Bug

Popular content management system (CMS) Drupal has released several patches to address concerning vulnerabilities, including one in the Drupal 8 core engine that could allow remote attackers to view, create, update or delete website content.

This critical access bypass vulnerability joins two moderately critical bypass bugs in the patch round. Drupal Core 8.x versions prior to 8.3.7 are vulnerable, according to the Drupal Security Team.

The more severe issue (CVE-2017-6925) only affects entities that “do not use, or do not have, UUIDs (Universal Unique Identifier), and entities that have different access restrictions on different revisions of the same entity,” Drupal said in its warning.

A second access bypass vulnerability in the core engine allows unauthorized persons to view files (CVE-2017-6923).

“When creating a view, you can optionally use Ajax to update the displayed data via filter parameters,” Drupal noted. “The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax.”

The last flaw (CVE-2017-6924) allows users to post comments on webpages, even if they don’t have the permission to do so.

“When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments,” Drupal explained. “This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.”

So far, no working exploits have been uncovered. Mitigation for all Drupal 8 CVEs includes updating to the latest version, Drupal 8.3.7; also, administrators should make sure they have enabled access restrictions on the view.
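Since the only mitigation offered for all three CVEs is the upgrade to 8.3.7, an administrator's first question is whether a given install is in the affected range. The following is an added example, not code from Drupal or from the article: it parses Drupal-style version strings, compares them numerically rather than as text (a plain string comparison would rank 8.10.0 below 8.3.7), treats a pre-release of 8.3.7 as still affected, and ignores non-8.x lines, which the advisory does not cover. The helper that reads the `VERSION` constant assumes it lives in `core/lib/Drupal.php`; the file content it is run against here is constructed inline.

```python
import re
from typing import Optional, Tuple

# Fixed release named in the advisory coverage above.
FIXED_VERSION = "8.3.7"

# MAJOR.MINOR[.PATCH][-PRERELEASE]; Drupal 7 uses two-part versions such as 7.56.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$")

Version = Tuple[int, int, int, str]


def parse_version(text: str) -> Optional[Version]:
    """Parse a version string into (major, minor, patch, prerelease).
    Returns None when the string is not a recognisable version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch or 0), pre or ""


def compare(a: Version, b: Version) -> int:
    """Return -1, 0 or 1 as a is before, equal to or after b.
    Numeric parts are compared as integers; a pre-release sorts
    before the final release with the same numbers."""
    if a[:3] != b[:3]:
        return -1 if a[:3] < b[:3] else 1
    if a[3] == b[3]:
        return 0
    if a[3] == "":
        return 1   # final release is newer than any pre-release of it
    if b[3] == "":
        return -1
    return -1 if a[3] < b[3] else 1


def is_affected(version: str) -> Optional[bool]:
    """True if a Drupal core version is in the affected range (8.x before 8.3.7),
    False if it is 8.3.7 or later or not an 8.x release, None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    if parsed[0] != 8:
        return False  # the advisory covers Drupal core 8.x only
    return compare(parsed, parse_version(FIXED_VERSION)) < 0


def version_from_drupal_php(source: str) -> Optional[str]:
    """Extract the VERSION constant from the text of core/lib/Drupal.php
    (assumed location of the constant)."""
    m = re.search(r"const\s+VERSION\s*=\s*'([^']+)'", source)
    return m.group(1) if m else None


# Constructed sample standing in for the real file on an unpatched site.
SAMPLE_DRUPAL_PHP = """<?php
class Drupal {
  const VERSION = '8.3.6';
}
"""

if __name__ == "__main__":
    found = version_from_drupal_php(SAMPLE_DRUPAL_PHP)
    print(found, "affected" if is_affected(found) else "not affected")
```

On a live site the file path is a convention to confirm against the install, not something the advisory states; what the script adds is the comparison logic, which is where ad-hoc version checks usually go wrong.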
