CVE-2026-43934
Description
e107 is a content management system (CMS). Prior to 2.3.4, a Broken Access Control vulnerability exists in the application, allowing an unauthorized authenticated user to edit comments posted by others. This stems from inadequate server-side access control validation, where the application depends only on a predictable identifier in the request to determine which comment to edit, without confirming the requesting user’s ownership of the comment. This vulnerability is fixed in 2.3.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
e107 CMS before 2.3.4 allows authenticated users to edit any comment by manipulating a predictable comment ID, due to missing ownership checks.
Vulnerability
In e107 CMS versions prior to 2.3.4, a Broken Access Control vulnerability exists in comment.php. The server-side code that handles comment updates does not verify that the requesting user is the author of the comment before applying the edit. The vulnerable code path is triggered via an AJAX request to comment.php with mode=edit and relies only on a predictable itemid parameter and a comment POST value. Affected versions are all e107 releases up to and including 2.3.3 [1][2].
Exploitation
An authenticated user can edit any comment by sending a crafted POST request to comment.php?ajax_used=1&mode=edit with the target comment's itemid and arbitrary comment content. The server does not check the comment_author_id field, so the attacker can modify comments made by other users. The PoC demonstrates a successful edit of comment ID 2 with a simple HTTP POST [1].
Impact
A successful attack results in a data integrity compromise: an attacker can alter any existing comment to contain incorrect or malicious content, thereby undermining the authenticity and trustworthiness of user contributions. The attacker gains unauthorized write access to comment data without needing any special privileges beyond a valid user session [1].
Mitigation
The vulnerability is fixed in e107 version 2.3.4, released on the same day as the advisory (2026-05-26). The fix adds a condition in the SQL UPDATE statement to restrict the edit to rows where comment_author_id matches the current user's ID [2]. Users should upgrade to version 2.3.4 or later. No workarounds have been documented; if upgrading is not immediately possible, disabling the comment edit feature via the allowCommentEdit preference may reduce risk, but this has not been validated as a complete mitigation.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (1)
23961a8f fix(comment): Restrict comment edits to the comment's author
1 file changed · +1 −1
e107_handlers/comment_class.php+1 −1 modified@@ -632,7 +632,7 @@ function updateComment($id, $comment) $comment = trim($comment); - if(!e107::getDb()->update("comments","comment_comment=\"".$tp->toDB($comment)."\" WHERE comment_id = ".intval($id)."")) + if(!e107::getDb()->update("comments","comment_comment=\"".$tp->toDB($comment)."\" WHERE comment_id = ".(int) $id.' AND comment_author_id = '.(int) USERID)) { return "Update Failed"; // trigger ajax error message. }
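Review bot: On the changed `update(...)` line the ownership test exists only as the `AND comment_author_id = ` predicate, so an edit attempted by a non-owner and an edit of a nonexistent `comment_id` both fall into the same `return "Update Failed"` branch as any other failed update. Consider loading the row first and rejecting a mismatch between `comment_author_id` and `USERID` with a distinct authorization error that is logged, while keeping the predicate as a second line of defense. If administrators or moderators were expected to edit other users' comments through `updateComment()`, the predicate blocks them as well, which deserves a comment above the query. The change touches one file and carries no regression test for a cross-user edit.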
Vulnerability mechanics
Root cause
"Missing server-side ownership check in `comment::updateComment()` allows an authenticated user to edit any comment by supplying its numeric ID."
Attack vector
An authenticated attacker sends a POST request to `/comment.php?ajax_used=1&mode=edit` with a `comment` payload and an `itemid` parameter set to the ID of another user's comment [ref_id=1]. The server-side code lacks an ownership check, so the SQL UPDATE matches only on `comment_id` and overwrites the target comment's content regardless of who the author is [patch_id=2563977]. The attacker needs no special privileges beyond a valid session, but the `allowCommentEdit` preference must be enabled [ref_id=1].
Affected code
The vulnerable code is in `comment.php` at line 93, where `e107::getComment()->updateComment($_POST['itemid'],$_POST['comment'])` is called without verifying that the authenticated user owns the comment being edited [ref_id=1]. The `updateComment()` function in `e107_handlers/comment_class.php` previously performed a SQL UPDATE matching only `comment_id`, with no check on `comment_author_id` [patch_id=2563977].
What the fix does
The patch modifies the SQL WHERE clause in `updateComment()` from `WHERE comment_id = ...` to `WHERE comment_id = ... AND comment_author_id = USERID` [patch_id=2563977]. This ensures the UPDATE only affects rows where the authenticated user's ID matches the comment's author ID, so cross-user edit attempts return "Update Failed" instead of mutating the row [patch_id=2563977]. The fix is included in e107 v2.3.4 [ref_id=1].
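The effect of the added predicate can be checked on a small model. This is an added example, not e107 code: it uses Python's `sqlite3` in place of PHP and MySQL, the table rows are constructed, and the function names are hypothetical. `edit_comment()` goes one step beyond the patch by reporting why an update matched no row, so a denied edit can be logged.

```python
import sqlite3

def make_db():
    """Constructed sample data: two comments written by two different users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (comment_id INTEGER PRIMARY KEY, "
               "comment_author_id INTEGER NOT NULL, comment_comment TEXT NOT NULL)")
    db.executemany("INSERT INTO comments VALUES (?, ?, ?)",
                   [(1, 10, "first, by user 10"), (2, 20, "second, by user 20")])
    return db

def update_unscoped(db, comment_id, text):
    """Pre-2.3.4 shape: the row is selected by comment_id alone."""
    cur = db.execute("UPDATE comments SET comment_comment = ? WHERE comment_id = ?",
                     (text, int(comment_id)))
    return cur.rowcount

def update_scoped(db, user_id, comment_id, text):
    """2.3.4 shape: the row must also belong to the session user."""
    cur = db.execute("UPDATE comments SET comment_comment = ? "
                     "WHERE comment_id = ? AND comment_author_id = ?",
                     (text, int(comment_id), int(user_id)))
    return cur.rowcount

def edit_comment(db, user_id, comment_id, text):
    """Scoped update plus an explicit reason when no row matched (assumption:
    the caller logs 'not_owner' results as authorization failures)."""
    if update_scoped(db, user_id, comment_id, text) == 1:
        return "updated"
    row = db.execute("SELECT comment_author_id FROM comments WHERE comment_id = ?",
                     (int(comment_id),)).fetchone()
    return "not_found" if row is None else "not_owner"

def body(db, comment_id):
    """Current text of a comment, for checking what an update did."""
    return db.execute("SELECT comment_comment FROM comments WHERE comment_id = ?",
                      (comment_id,)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print(update_unscoped(db, 2, "changed by user 10"), body(db, 2))
    db = make_db()
    print(edit_comment(db, 10, 2, "changed by user 10"), body(db, 2))
    print(edit_comment(db, 20, 2, "edited by its author"), body(db, 2))
```
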
Preconditions
- auth: The attacker must have a valid authenticated session on the e107 CMS.
- config: The 'allowCommentEdit' preference must be enabled in the admin panel.
- input: The attacker must know or guess the target comment's itemid (a predictable integer identifier).
- network: The attacker must be able to send HTTP POST requests to the /comment.php endpoint.
Reproduction
1. Authenticate as a regular user on the e107 CMS.
2. Identify the `itemid` of another user's comment (e.g., `itemid=2`).
3. Send a POST request to `/comment.php?ajax_used=1&mode=edit` with body `comment=___POC___&itemid=2`.
4. Observe the response `{"error":false,"msg":"Updated successfully."}` confirming the target comment was overwritten [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.