GHSA-v3f6-f29f-rgvp · Severity: medium · Ecosystem: composer — Missing Authorization in Drupal
In Drupal 8.x prior to 8.3.7, when creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.
Conclusion & alert: CVE-2017-6923 is rated Moderate Risk (52.5/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 1.63%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.71% | 1.63% | +0.91% |
| 2 | 2026-02-09 | 0.82% | 0.71% | -0.11% |
| 3 | 2025-12-28 | — | 0.82% | — |
Full EPSS history (14 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.5 | 3.0 | MEDIUM | | 2.8 | 3.6 | [email protected] |
| 4.0 | 2.0 | MEDIUM | | 8.0 | 2.9 | [email protected] |
GHSA-v3f6-f29f-rgvp · Severity: medium · Ecosystem: composer — Missing Authorization in Drupal
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/100368 | Third Party Advisory VDB Entry |
| http://www.securitytracker.com/id/1039200 | Third Party Advisory VDB Entry |
| https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2017-08-16/drupal-core-multiple | Patch Release Notes Vendor Advisory |