Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-004

🗓️ 21 Sep 2016 00:00:00Reported by Drupal Security TeamType

Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-004 Users without "Administer comments" can set comment visibility on nodes they can edit. Cross-site Scripting in http exceptions Full config export can be downloaded without administrative permissions. Users affected: 8.x. Solution: Upgrade to Drupal 8.1.10. Reported by Quintus Maximus, Kier Heyl, Ivan, Anton Shubkin. Fixed by Lee Rowlands, Stefan Ruijsenaars, Andrey Postnikov, Daniel Wehner, xjm, Alex Pott, Cash Williams, Pere Orga, David Snopek, Heine Deelstra, Nathaniel Catchpole, Peter Wolanin. Coordinated by The Drupal Security Team.

Reporter	Title	Published	Views	Family All 46
Tenable Nessus	Drupal 8.1.x < 8.1.10 Multiple Vulnerabilities	28 Oct 201600:00	–	nessus
Tenable Nessus	Drupal 8.x < 8.1.10 Multiple Vulnerabilities	13 Oct 201600:00	–	nessus
Tenable Nessus	Drupal 8.2.x < 8.2.0-rc2 Multiple Vulnerabilities	5 Nov 201800:00	–	nessus
Tenable Nessus	Drupal 8.x < 8.1.10 Multiple Vulnerabilities	5 Nov 201800:00	–	nessus
ATTACKERKB	CVE-2016-7570	3 Oct 201618:59	–	attackerkb
ATTACKERKB	CVE-2016-7571	3 Oct 201618:59	–	attackerkb
ATTACKERKB	CVE-2016-7572	3 Oct 201618:59	–	attackerkb
CNVD	Drupal Core Cross-Site Scripting Vulnerability (CNVD-2016-08263)	28 Sep 201600:00	–	cnvd
CNVD	Drupal Core Access Bypass Vulnerability	30 Sep 201600:00	–	cnvd
CNVD	Drupal Core Access Bypass Vulnerability (CNVD-2016-08687)	10 Oct 201600:00	–	cnvd

Source	Link
drupal	www.drupal.org/u/heine%22
drupal	www.drupal.org/u/q2u
drupal	www.drupal.org/user/99340
drupal	www.drupal.org/contact
drupal	www.drupal.org/user/65776
drupal	www.drupal.org/project/drupal
drupal	www.drupal.org/user/1060446
drupal	www.drupal.org/user/118908
drupal	www.drupal.org/u/stefanr-0
drupal	www.drupal.org/u/pere-orga

21 Sep 2016 00:00Current

5.1Medium risk

Vulners AI Score5.1

CVSS 24.3

CVSS 36.1

EPSS0.01716