6.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-6923

GHSA ID

GHSA-v3f6-f29f-rgvp

EPSS Score

0.5121%

CWE

CWE-862

Published

10/10/2019

Updated

2/6/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-6923

CVE-2017-6923: Missing Authorization in Drupal

In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.

(GitHub Advisory)

6.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-6923

GHSA ID

GHSA-v3f6-f29f-rgvp

EPSS Score

0.5121%

CWE

CWE-862

Published

10/10/2019

Updated

2/6/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
drupal/core	composer	>= 8.0, < 8.3.7	8.3.7
drupal/drupal	composer	>= 8.0, < 8.3.7	8.3.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing authorization checks in both the AJAX endpoint handler (ViewAjaxController::ajaxView) and its route configuration. The controller method processes AJAX requests without validating whether the targeted view was explicitly configured to use AJAX, while the route's access controls failed to enforce this requirement. This combination allowed unauthorized access to views' AJAX endpoints regardless of their configuration. The high confidence comes from Drupal's architecture where route definitions and controller methods are primary points for access control, and the CVE description explicitly implicates the views subsystem's failure to restrict AJAX endpoint access.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In *rup*l *.x prior to *.*.* W**n *r**tin* * vi*w, you **n option*lly us* *j*x to up**t* t** *ispl*y** **t* vi* *ilt*r p*r*m*t*rs. T** vi*ws su*syst*m/mo*ul* *i* not r*stri*t ****ss to t** *j*x *n*point to only vi*ws *on*i*ur** to us* *j*x. T*is is m

Reasoning

T** vuln*r**ility st*ms *rom missin* *ut*oriz*tion ****ks in *ot* t** `*J*X` *n*point **n*l*r (`Vi*w*j*x*ontroll*r::*j*xVi*w`) *n* its rout* *on*i*ur*tion. T** *ontroll*r m*t*o* pro**ss*s `*J*X` r*qu*sts wit*out v*li**tin* w**t**r t** t*r**t** vi*w w

6.5

Basic Information

Concerned about an active attack path?

CVE-2017-6923: Missing Authorization in Drupal

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI