
Bug 594718

Summary: <www-apps/drupal-8.1.10: Multiple Vulnerabilities (DRUPAL-SA-CORE-2016-004)
Product: Gentoo Security
Reporter: MickKi <confabulate>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE
Severity: trivial
CC: web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.drupal.org/SA-CORE-2016-004
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description MickKi 2016-09-21 19:08:07 UTC
Request for version bump to www-apps/drupal-8.1.10 due to multiple security vulnerabilities:

1. Users without "Administer comments" can set comment visibility on nodes they can edit. (Less critical):

Users who have rights to edit a node can set the visibility on comments for that node. This should be restricted to those who have the administer comments permission.

2. Cross-site Scripting in HTTP exceptions (critical):

An attacker could create a specially crafted URL, which could execute arbitrary code in the victim's browser if loaded. Drupal was not properly sanitizing an exception

3. Full config export can be downloaded without administrative permissions (critical):

The system.temporary route would allow the download of a full config export. The full config export should be limited to those with Export configuration permission.

Reproducible: Always
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2016-11-18 04:15:23 UTC
This can be moved to bug 600124 as newer versions were added to the tree.