Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.
http://www.securitytracker.com/id/1036886
http://www.securityfocus.com/bid/93101
https://www.drupal.org/SA-CORE-2016-004
Source: Mitre, NVD
Published: 2016-10-03
Updated: 2025-04-12
CVSS v2 Base Score: 4
Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N
Severity: Medium
CVSS v3.0 Base Score: 4.3
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.0052