Description

Users who have rights to edit a node, can set the visibility on comments for that node.

  • Advisory ID: DRUPAL-SA-CORE-2016-004
  • Project: Drupal core
  • Version:li 8.x
  • Date: 2016-September-21
  • Security risk: 18/25 ( Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:Default
  • Vulnerability:

Description

Users without "Administer comments" can set comment visibility on nodes they can edit. (Less critical)

Users who have rights to edit a node, can set the visibility on comments for that node. This should be restricted to those who have the administer comments permission.

Cross-site Scripting in http exceptions (critical)

An attacker could create a specially crafted url, which could execute arbitrary code in the victim’s browser if loaded. Drupal was not properly sanitizing an exception

Full config export can be downloaded without administrative permissions (critical)
The system.temporary route would allow the download of a full config export. The full config export should be limited to those with Export configuration permission.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

8.x

Solution

Upgrade to Drupal 8.1.10

Reported by

Users without "Administer comments" can set comment visibility on nodes they can edit.

  • Quintus Maximus
  • Kier Heyl

XSS in http exceptions

Full config export can be downloaded without administrative permissions

Fixed by

Users without "Administer comments" can set comment visibility on nodes they can edit.

  • Lee Rowlands of the Drupal Security Team
  • Stefan Ruijsenaars of the Drupal Security Team
  • Andrey Postnikov
  • Daniel Wehner

XSS in http exceptions

  • xjm of the Drupal Security Team
  • Daniel Wehner
  • Alex Pott of the Drupal Security Team
  • Cash Williams of the Drupal Security Team
  • Pere Orga of the Drupal Security Team
  • David Snopek of the Drupal Security Team
  • Heine Deelstra of the Drupal Security Team

Full config export can be downloaded without administrative permissions

  • Nathaniel Catchpole of the Drupal Security Team
  • Alex Pott of the Drupal Security Team
  • Anton Shubkin
  • xjm of the Drupal Security Team
  • Peter Wolanin of the Drupal Security Team

Coordinated by

The Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity