Drupal has released a security update

Drupal has released an advisory to address vulnerabilities in Drupal core 8.x versions prior to 8.1.10. Exploitation of one of these vulnerabilities could allow a remote attacker to take control of an affected system. The following vulnerabilities were fixed in the released security update.

  • Full config export can be downloaded without administrative permissions (Critical) - The system.temporary route allowed the download of a full config export. The full config export should be limited to users with the "Export configuration" permission.
  • Users without "Administer comments" can set comment visibility on nodes they can edit (High) - Users who have rights to edit a node can set the visibility of comments for that node. This should be restricted to users with the "Administer comments" permission.
  • Cross-site Scripting in HTTP exceptions (High) - An attacker could create a specially crafted URL which, if loaded, could execute arbitrary script in the victim's browser. Drupal was not properly sanitizing an exception message.

Versions affected

8.x

Solution

Upgrade to Drupal 8.1.10

More Information

https://www.drupal.org/SA-CORE-2016-004
