Description
The Best Reply module for Drupal 7 provides functionality for marking comments as "best replies" in discussions. The module includes a menu callback at that retrieves comment data for display.
The vulnerability existed in the menu callback configuration where the module used a generic access check that allowed any user with the "access content" permission to retrieve any comment by its ID, bypassing proper access controls for node access, comment publication status, and content visibility rules.
This vulnerability could lead to information disclosure of comments on restricted content, content enumeration, and privacy violations for private discussions.
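The weak menu callback pattern the advisory describes, shown beside a hardened form, as an added Drupal 7 example that is not the bestreply module's own code: the module name `example_bestreply`, the paths and the function names are hypothetical, and the access callback relies only on core's comment_load(), node_access() and user_access().

```php
<?php
// Added example, not the bestreply module's code: a Drupal 7 hook_menu() entry
// with the weak pattern from the advisory beside a hardened one. Module name,
// paths and function names are hypothetical.
// Implements hook_menu().
function example_bestreply_menu() {
  $items = array();
  // WEAK: a generic permission check. Anyone with "access content" may
  // fetch any comment ID; node access and publication status are ignored.
  $items['example/comment/weak/%'] = array(
    'page callback' => 'example_bestreply_comment_json',
    'page arguments' => array(3),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  // HARDENED: a per-comment access callback runs first; the menu system
  // answers 403 and the page callback is never reached when it returns FALSE.
  $items['example/comment/%'] = array(
    'page callback' => 'example_bestreply_comment_json',
    'page arguments' => array(2),
    'access callback' => 'example_bestreply_comment_access',
    'access arguments' => array(2),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Access callback: may $account (default: the current user) view comment $cid?
function example_bestreply_comment_access($cid, $account = NULL) {
  global $user;
  $account = isset($account) ? $account : $user;
  $comment = is_numeric($cid) ? comment_load($cid) : FALSE;
  if (!$comment || !user_access('access comments', $account)) {
    return FALSE;
  }
  // Unpublished comments are for comment administrators only.
  if ($comment->status != COMMENT_PUBLISHED && !user_access('administer comments', $account)) {
    return FALSE;
  }
  // Honour node access: the parent node must itself be viewable by $account.
  $node = node_load($comment->nid);
  return $node && node_access('view', $node, $account);
}

// Page callback: returns the comment's id and subject as JSON.
function example_bestreply_comment_json($cid) {
  $comment = comment_load($cid);
  drupal_json_output(array('cid' => $comment->cid, 'subject' => $comment->subject));
  drupal_exit();
}
```

Because the menu router evaluates the access callback before the page callback, the comment loader in the hardened route is only ever reached for comments the requesting account could already see through normal rendering.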
Solution
Install the latest version.
If you use the 7.x-1.5 module for Drupal 7, upgrade to bestreply 7.x-1.6:
Reported by
Fixed by
- Tag1 D7ES
Coordinated by
- Tag1 D7ES