Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 594718 - <www-apps/drupal-8.1.10: Multiple Vulnerabilities (DRUPAL-SA-CORE-2016-004)
Summary: <www-apps/drupal-8.1.10: Multiple Vulnerabilities (DRUPAL-SA-CORE-2016-004)
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://www.drupal.org/SA-CORE-2016-004
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-21 19:08 UTC by MickKi
Modified: 2016-11-18 08:16 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description MickKi 2016-09-21 19:08:07 UTC
Request for version bump to www-apps/drupal-8.1.10 due to multiple security vulnerabilities:

1. Users without "Administer comments" can set comment visibility on nodes they can edit. (Less critical):

Users who have rights to edit a node, can set the visibility on comments for that node. This should be restricted to those who have the administer comments permission.

2. Cross-site Scripting in http exceptions (critical):

An attacker could create a specially crafted url, which could execute arbitrary code in the victim’s browser if loaded. Drupal was not properly sanitizing an exception

3. Full config export can be downloaded without administrative permissions (critical):

The system.temporary route would allow the download of a full config export. The full config export should be limited to those with Export configuration permission.

Reproducible: Always
Comment 1 Jorge Manuel B. S. Vicetto Gentoo Infrastructure gentoo-dev 2016-11-18 04:15:23 UTC
This can be moved to bug 600124 as newer versions were added to the tree.