Multiple Vulnerabilities in Drupal Core Could Allow Unauthorized Access (DRUPAL-SA-CORE-2016-004)

ITS Advisory Number: 2016-164
Date(s) Issued: Thursday, September 22, 2016
Subject: Multiple Vulnerabilities in Drupal Core Could Allow Unauthorized Access (DRUPAL-SA-CORE-2016-004)
Overview: 

Multiple vulnerabilities have been reported in Drupal core 8.x versions prior to 8.1.10. Drupal is an open source content management system (CMS) written in PHP. Successful exploitation of one of these vulnerabilities could allow a remote attacker to take control of an affected system.

Systems Affected: 
  • Drupal core 8.0.x versions prior to 8.1.10

RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: Low
Description: 

Multiple vulnerabilities have been reported in Drupal core 8.x versions prior to 8.1.10. These vulnerabilities could allow unauthorized access. The vulnerabilities are as follows:

  • Users without "Administer comments" can set comment visibility on nodes they can edit: Users who have rights to edit a node can set the visibility of comments on that node. This should be restricted to users who hold the "Administer comments" permission.

  • Cross-site scripting in HTTP exceptions: An attacker could create a specially crafted URL which, if loaded, could execute arbitrary code in the victim's browser. Drupal was not properly sanitizing an exception.

  • Full config export can be downloaded without administrative permissions: The system.temporary route would allow the download of a full config export. The full config export should be limited to users who hold the "Export configuration" permission.

Successful exploitation of one of these vulnerabilities could allow a remote attacker to take control of an affected system.

Actions: 
  • After appropriate testing, apply the upgrade provided by Drupal to Drupal core 8.1.10.

NOTE: This update only applies to Drupal core 8.x.
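A defender-side check for the affected range, added here as an example and not part of the advisory: it reads the VERSION constant from Drupal's core/lib/Drupal.php (assumed to contain a line of the form `const VERSION = '8.1.9';`) and reports whether the install is an 8.x release older than 8.1.10. The file contents below are a constructed sample, not a real install.

```python
import re

# Advisory threshold: Drupal core 8.x releases before 8.1.10 are affected.
FIXED_VERSION = "8.1.10"

# Assumption: core/lib/Drupal.php declares the release as const VERSION = '...';
VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")

# Constructed sample of the relevant part of core/lib/Drupal.php (not a real file).
SAMPLE_DRUPAL_PHP = """<?php
namespace Drupal;
class Drupal {
  const VERSION = '8.1.9';
  const CORE_COMPATIBILITY = '8.x';
}
"""


def parse_version(version: str) -> tuple:
    """Turn '8.1.9', '7.50' or '8.2.0-beta1' into a comparable tuple.

    Result is (major, minor, patch, is_release, pre_tag); a pre-release
    (is_release == 0) sorts before the final release of the same number.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    pre = m.group(4)
    return nums + ((0, pre) if pre else (1, ""))


def is_affected(version: str) -> bool:
    """True when the version is on the 8.x branch and older than 8.1.10."""
    v = parse_version(version)
    return v[0] == 8 and v < parse_version(FIXED_VERSION)


def version_from_drupal_php(source: str) -> str:
    """Extract the VERSION constant from the contents of core/lib/Drupal.php."""
    m = VERSION_RE.search(source)
    if not m:
        raise ValueError("VERSION constant not found in Drupal.php")
    return m.group(1)


def audit(source: str) -> dict:
    """Summarise whether the install described by Drupal.php needs the 8.1.10 update."""
    version = version_from_drupal_php(source)
    return {"version": version, "affected": is_affected(version), "fixed_in": FIXED_VERSION}


if __name__ == "__main__":
    print(audit(SAMPLE_DRUPAL_PHP))
```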