- Advisory ID: DRUPAL-SA-CORE-2016-004
- Project: Drupal core
- Version: 8.x
- Date: 2016-September-21
- Security risk: 18/25 (Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default
Description
Users without "Administer comments" can set comment visibility on nodes they can edit. (Less critical)
Users who have the right to edit a node can set the visibility (published/unpublished status) of comments on that node. This should be restricted to users with the "Administer comments" permission.
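As an added illustration of the principle described above (not code from the advisory or from Drupal core), the following form alter hides the comment status widget from node editors who lack "Administer comments". It assumes a hypothetical module named example_access, that the comment field on the node is named "comment", and the usual Drupal 8 widget structure where the status radios live under widget delta 0.

```php
<?php

/**
 * @file
 * Example (not from the advisory): restrict comment-visibility control
 * on node edit forms to users holding the "administer comments" permission.
 * Module name "example_access" and field name "comment" are assumptions.
 */

use Drupal\Core\Form\FormStateInterface;

/**
 * Implements hook_form_BASE_FORM_ID_alter() for node_form.
 */
function example_access_form_node_form_alter(array &$form, FormStateInterface $form_state, $form_id) {
  // Only users with the dedicated permission may change comment visibility;
  // node edit rights alone are not sufficient.
  $can_administer = \Drupal::currentUser()->hasPermission('administer comments');

  // Assumed comment field name on this content type.
  $field_name = 'comment';

  // The comment widget places the open/closed/hidden status radios under
  // delta 0 of the field widget (assumed structure). Deny access to that
  // element when the user lacks the permission; the form API then ignores
  // any submitted value for it.
  if (isset($form[$field_name]['widget'][0]['status'])) {
    $form[$field_name]['widget'][0]['status']['#access'] = $can_administer;
  }
}
```

Setting `#access` on the form element is a UI-level control; an equivalent check in the entity's field access or validation layer is what guarantees the value cannot be changed through other input paths such as REST.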
Cross-site Scripting in http exceptions (critical)
An attacker could create a specially crafted URL which, if loaded, could execute arbitrary code in the victim's browser. Drupal was not properly sanitizing an exception
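The mitigation for this class of issue is to escape any exception message before it is placed into HTML output. The snippet below is an added example, not the advisory's or Drupal core's code; the exception message is constructed here to show the effect, and the helper function name is an assumption.

```php
<?php

/**
 * @file
 * Example (not from the advisory): render an exception message safely.
 * Html::escape() is Drupal's wrapper around htmlspecialchars() with
 * ENT_QUOTES | ENT_SUBSTITUTE and UTF-8, so attacker-controlled text
 * is shown literally instead of being interpreted as markup.
 */

use Drupal\Component\Utility\Html;

/**
 * Builds an HTML fragment describing an HTTP error (hypothetical helper).
 *
 * @param \Exception $e
 *   The exception whose message may contain user-influenced content
 *   (for example, a path echoed back in a "not found" message).
 *
 * @return string
 *   Escaped HTML that is safe to embed in a page.
 */
function example_render_exception_message(\Exception $e): string {
  // Unsafe variant (what a vulnerable handler effectively did):
  //   return '<p>' . $e->getMessage() . '</p>';
  // Safe variant: escape before concatenating into markup.
  return '<p>' . Html::escape($e->getMessage()) . '</p>';
}

// Constructed input mimicking a message that reflects part of a request.
$message = 'No route found for "GET /<script>alert(1)</script>"';
$safe = example_render_exception_message(new \RuntimeException($message));
// $safe now contains &lt;script&gt;alert(1)&lt;/script&gt; rather than a live tag.
```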
Full config export can be downloaded without administrative permissions (critical)
The system.temporary route allowed the download of a full configuration export. A full configuration export should be limited to users with the "Export configuration" permission.
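As an added example of the access rule the advisory calls for (not code from the advisory or from Drupal core), the following custom access check allows a configuration-download route only for accounts holding "export configuration". The class name, namespace and route are assumptions for illustration.

```php
<?php

/**
 * @file
 * Example (not from the advisory): gate a configuration-export download
 * behind the "export configuration" permission. Namespace, class name and
 * the route it is attached to are assumptions.
 */

namespace Drupal\example_access\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Access check for a full configuration export download.
 *
 * Attach it to the route with a "_custom_access" requirement pointing at
 * this method, or call it from the controller before serving the archive.
 */
class ConfigExportAccessCheck {

  /**
   * Allows access only to users who may export configuration.
   *
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The account attempting the download.
   *
   * @return \Drupal\Core\Access\AccessResultInterface
   *   Allowed only when the permission is present; the result is cached
   *   per user permissions so it cannot be served to a different role.
   */
  public function access(AccountInterface $account): AccessResultInterface {
    // A temporary-file route must not be a back door around this check:
    // the permission decides, not the ability to reach the file path.
    return AccessResult::allowedIfHasPermission($account, 'export configuration');
  }

}
```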
CVE identifier(s) issued
- Users without "Administer comments" can set comment visibility on nodes they can edit: CVE-2016-7570
- Cross-site Scripting in http exceptions: CVE-2016-7571
- Full config export can be downloaded without administrative permissions: CVE-2016-7572
Versions affected
8.x
Solution
Upgrade to Drupal 8.1.10
Reported by
Users without "Administer comments" can set comment visibility on nodes they can edit.
XSS in http exceptions
Full config export can be downloaded without administrative permissions
Fixed by
Users without "Administer comments" can set comment visibility on nodes they can edit.
- Lee Rowlands of the Drupal Security Team
- Stefan Ruijsenaars of the Drupal Security Team
- Andrey Postnikov
- Daniel Wehner
XSS in http exceptions
- xjm of the Drupal Security Team
- Daniel Wehner
- Alex Pott of the Drupal Security Team
- Cash Williams of the Drupal Security Team
- Pere Orga of the Drupal Security Team
- David Snopek of the Drupal Security Team
- Heine Deelstra of the Drupal Security Team
Full config export can be downloaded without administrative permissions
- Nathaniel Catchpole of the Drupal Security Team
- Alex Pott of the Drupal Security Team
- Anton Shubkin
- xjm of the Drupal Security Team
- Peter Wolanin of the Drupal Security Team
Coordinated by
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity