CVE-2017-6923: Missing Authorization in Drupal
6.5
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.5121%
CWE
Published
10/10/2019
Updated
2/6/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
drupal/core | composer | >= 8.0, < 8.3.7 | 8.3.7 |
drupal/drupal | composer | >= 8.0, < 8.3.7 | 8.3.7 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing authorization checks in both the AJAX
endpoint handler (ViewAjaxController::ajaxView
) and its route configuration. The controller method processes AJAX
requests without validating whether the targeted view was explicitly configured to use AJAX
, while the route's access controls failed to enforce this requirement. This combination allowed unauthorized access to views' AJAX
endpoints regardless of their configuration. The high confidence comes from Drupal
's architecture where route definitions and controller methods are primary points for access control, and the CVE
description explicitly implicates the views subsystem's failure to restrict AJAX
endpoint access.