Drupal Core – Critical – Multiple Vulnerabilities


Description: Multiple vulnerabilities were recently fixed by the Drupal team.

Changes:

  • Users who have rights to edit a node can set the visibility of comments for that node. This should be restricted to those who have the administer comments permission.
  • An attacker could create a specially crafted URL that, if loaded, could execute arbitrary code in the victim’s browser. Drupal was not properly sanitizing an exception.
  • The system.temporary route would allow the download of a full config export. The full config export should be limited to those with the Export configuration permission.

Affected versions: 8.x

Recommended action: Upgrade to Drupal 8.1.10

Origin URLs:

  • https://www.drupal.org/SA-CORE-2016-004
