The Colorbox module 7.x-2.x before 7.x-2.10 for Drupal allows remote authenticated users with certain permissions to bypass intended access restrictions and βadd unexpected content to a Colorboxβ via unspecified vectors, possibly related to a link in a comment.