Multiple vulnerabilities have been reported in Drupal core 8.x versions prior to 8.1.10. Drupal is an open source content management system (CMS) written in PHP. Successful exploitation of one of these vulnerabilities could allow a remote attacker to take control of an affected system.
Drupal core 8.0.x versions prior to 8.1.10
Multiple vulnerabilities have been reported in Drupal core 8.x versions prior to 8.1.10. These vulnerabilities could allow unauthorized access. The vulnerabilities are as follows:
Users without "Administer comments" can set comment visibility on nodes they can edit: Users who have rights to edit a node can set the visibility of comments on that node. This should be restricted to those who have the "Administer comments" permission.
Cross-site scripting in HTTP exceptions: An attacker could create a specially crafted URL, which could execute arbitrary code in the victim's browser if loaded. Drupal was not properly sanitizing an exception
Full config export can be downloaded without administrative permissions: The system.temporary route would allow the download of a full config export. The full config export should be limited to those with the "Export configuration" permission.
Successful exploitation of one of these vulnerabilities could allow a remote attacker to take control of an affected system.
After appropriate testing, apply the upgrade provided by Drupal to Drupal core 8.1.10.
NOTE: The update applies only to Drupal core 8.x.