CVSS2: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.967 High
Percentile: 99.7%
Users without 'Administer comments' can set comment visibility on nodes they can edit (Less critical)
Users who have rights to edit a node can set the visibility of comments on that node. This should be restricted to users with the 'Administer comments' permission.
Cross-site scripting in HTTP exceptions (Critical)
An attacker could create a specially crafted URL which, if loaded, could execute arbitrary code in the victim's browser. Drupal was not properly sanitizing an exception
Full config export can be downloaded without administrative permissions (Critical)
The system.temporary route would allow the download of a full config export. The full config export should be limited to users with the 'Export configuration' permission.
8.x: Upgrade to Drupal 8.1.10
Users without 'Administer comments' can set comment visibility on nodes they can edit.
XSS in http exceptions
Full config export can be downloaded without administrative permissions