Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.
[
{
"product": "Drupal Core",
"vendor": "Drupal",
"versions": [
{
"status": "affected",
"version": "8.2.x versions before 8.2.7"
}
]
}
]