The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for “Export configuration” permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors.
CPE | Name | Operator | Version |
---|---|---|---|
drupal | eq | 8.0.0 alpha9 | |
drupal | eq | 8.0.0 beta12 | |
drupal | eq | 8.0.0 beta15 | |
drupal | eq | 8.1.0 rc1 | |
drupal | eq | 8.0.0 beta3 | |
drupal | eq | 8.0.0 alpha11 | |
drupal | eq | 8.0.0 rc1 | |
drupal | eq | 8.0.0 beta16 | |
drupal | eq | 8.0.0 alpha4 | |
drupal | eq | 8.1.2 |