CVE-2017-6931
Low
Low
Medium
High
Critical
CVSS Score
Vulnerability Description
In Drupal versions 8.4.x versions before 8.4.5 the Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for. If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses. This vulnerability can be mitigated by disabling the Settings Tray module.
Known Affected Software
5 configuration(s) from 1 vendor(s)
drupal
Version:
8.4.2
CPE:
cpe:2.3:a:drupal:drupal:8.4.2:*:*:*:*:*:*:*
drupal
Version:
8.4.3
CPE:
cpe:2.3:a:drupal:drupal:8.4.3:*:*:*:*:*:*:*
drupal
Version:
8.4.1
CPE:
cpe:2.3:a:drupal:drupal:8.4.1:*:*:*:*:*:*:*
drupal
Version:
8.4.4
CPE:
cpe:2.3:a:drupal:drupal:8.4.4:*:*:*:*:*:*:*
drupal
Version:
8.4.0
CPE:
cpe:2.3:a:drupal:drupal:8.4.0:-:*:*:*:*:*:*
This vulnerability affects 5 software configuration(s). Ensure you patch all affected systems.
Severity Details
out of 10.0
Low
Weakness Type (CWE)
CWE-434
Top 25 #5
Unrestricted Upload of File with Dangerous Type
- Description
- The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
- Exploit Likelihood
- Medium
- Typical Severity
- Medium
- OWASP Top 10
- A04:2021-Insecure Design
- Abstraction Level
- Base
Key Information
- Published Date
- March 01, 2018
