A third-party development library included with Drupal 8 development
dependencies is vulnerable to remote code execution. This is mitigated by
the default .htaccess protection against PHP execution, and the fact that
Composer development dependencies aren't normally installed. You might be
vulnerable to this if you are running a version of Drupal before 8.2.2. To
be sure you aren't vulnerable, you can remove the <siteroot>/vendor/phpunit
directory from your production deployments.
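
One way to enforce that removal as a deployment check, written as an added example (not code from the Drupal project). The function name check_phpunit_absent is hypothetical, and scanning for nested vendor/phpunit copies anywhere under the site root goes slightly beyond the single path named above.

```shell
#!/bin/sh
# Added example: deployment gate for the vendor/phpunit mitigation.
# check_phpunit_absent is a hypothetical helper name, not a Drupal or Composer tool.
#
# Usage: check_phpunit_absent <siteroot>
# Returns 0 if no vendor/phpunit directory exists under <siteroot>,
#         1 if at least one is found (each path reported on stderr),
#         2 if <siteroot> is not a directory.
check_phpunit_absent() {
    siteroot=$1
    if [ ! -d "$siteroot" ]; then
        echo "error: '$siteroot' is not a directory" >&2
        return 2
    fi

    # Match <siteroot>/vendor/phpunit and any nested copy of it.
    # -prune stops find from descending into a directory once it matched.
    found=$(find "$siteroot" -type d -path '*/vendor/phpunit' -prune -print 2>/dev/null)
    if [ -z "$found" ]; then
        return 0
    fi

    # Report each hit with the number of PHP files it would leave on disk.
    echo "$found" | while IFS= read -r dir; do
        n=$(find "$dir" -type f -name '*.php' | wc -l | tr -d ' ')
        echo "FAIL: $dir present ($n PHP files); remove it from the production deployment" >&2
    done
    return 1
}

# Run against a path when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_phpunit_absent "$1"
fi
```

A non-zero return can be used to fail a release pipeline step before the build is published.
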

Some administrative paths in Drupal 8.2.x before 8.2.7 did not include
protection for CSRF. This would allow an attacker to disable some blocks on
a site. This issue is mitigated by the fact that users would have to know
the block ID.

When adding a private file via the editor in Drupal 8.2.x before 8.2.7, the
editor will not correctly check access for the file being attached,
resulting in an access bypass.