Bug 594718 - <www-apps/drupal-8.1.10: Multiple Vulnerabilities (DRUPAL-SA-CORE-2016-004)
Summary: <www-apps/drupal-8.1.10: Multiple Vulnerabilities (DRUPAL-SA-CORE-2016-004)
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://www.drupal.org/SA-CORE-2016-004
Whiteboard: ~3 [noglsa]
Reported: 2016-09-21 19:08 UTC by MickKi
Modified: 2016-11-18 08:16 UTC

Description MickKi 2016-09-21 19:08:07 UTC
Request for version bump to www-apps/drupal-8.1.10 due to multiple security vulnerabilities:

1. Users without "Administer comments" can set comment visibility on nodes they can edit. (Less critical):

Users who have rights to edit a node can set the visibility on comments for that node. This should be restricted to those who have the "Administer comments" permission.

2. Cross-site Scripting in http exceptions (critical):

An attacker could create a specially crafted URL, which could execute arbitrary code in the victim's browser if loaded. Drupal was not properly sanitizing an exception

3. Full config export can be downloaded without administrative permissions (critical):

The system.temporary route would allow the download of a full config export. The full config export should be limited to those with Export configuration permission.

Reproducible: Always
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2016-11-18 04:15:23 UTC
This can be moved to bug 600124 as newer versions were added to the tree.