Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| drupal/core(Packagist) | 8.0 | 8.2.8 | N/A |
| drupal/core(Packagist) | 8.3.0 | 8.3.1 | N/A |
| drupal/drupal(Packagist) | 8.0 | 8.2.8 | N/A |
| drupal/drupal(Packagist) | 8.3.0 | 8.3.1 | N/A |
CVSS Metrics
