Drupal is a free and open-source content management framework written in PHP and distributed under the GNU General Public License. It is also used for knowledge management and business collaboration.
Drupal contains the following security vulnerabilities:
CVE-2017-6923: When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view.
CVE-2017-6924: When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments.
CVE-2017-6925: There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity..
Affected Versions:
Drupal core 8.x versions prior to 8.3.7
QID Detection Logic:
This QID depends on BlindElephant engine to detect the version of the Drupal installation as active attacks could potentially harm live installations.
