Description: Multiple vulnerabilities have recently been fixed by the Drupal team.
- Users who have rights to edit a node can set the visibility on comments for that node. This should be restricted to those who have the administer comments permission.
- An attacker could create a specially crafted URL that could execute arbitrary code in the victim’s browser if loaded. Drupal was not properly sanitizing an exception.
- The system.temporary route would allow the download of a full config export. The full config export should be limited to those with the Export configuration permission.
Affected versions: 8.x
Recommended action: Upgrade to Drupal 8.1.10