Drupal has released an advisory to address vulnerabilities in Drupal core 8.x versions prior to 8.1.10. Exploitation of one of these vulnerabilities could allow a remote attacker to take control of an affected system. The following vulnerabilities were fixed in the released security update.
- Full config export can be downloaded without administrative permissions (Critical) - The system.temporary route would allow the download of a full config export. The full config export should be limited to those with Export configuration permission.
- Users without "Administer comments" can set comment visibility on nodes they can edit (High) - Users who have rights to edit a node can set the visibility of comments for that node. This should be restricted to those who have the "Administer comments" permission.
- Cross-site Scripting in HTTP exceptions (High) - An attacker could create a specially crafted URL which, if loaded, could execute arbitrary code in the victim's browser. Drupal was not properly sanitizing an exception.
Upgrade to Drupal 8.1.10
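An added check, not part of the advisory: flag Drupal 8.x installs older than 8.1.10 in a constructed site inventory, comparing versions numerically so that 8.1.9 is correctly ranked below 8.1.10 (a plain string comparison gets this backwards).

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumption from the advisory text: every Drupal 8.x release older than 8.1.10 is affected.
FIXED_VERSION = (8, 1, 10)


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Turn 'MAJOR.MINOR.PATCH' into a tuple of ints, or None if it does not match.

    Int tuples compare correctly: (8, 1, 9) < (8, 1, 10), whereas the strings
    '8.1.9' and '8.1.10' compare the wrong way round character by character.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    """True if this Drupal core version is covered by the advisory (8.x before 8.1.10)."""
    parsed = parse_version(version)
    if parsed is None or parsed[0] != 8:
        return False  # unparsable, or not an 8.x release: outside this advisory's scope
    return parsed < FIXED_VERSION


def affected_sites(inventory: Dict[str, str]) -> List[str]:
    """Return the inventory entries whose Drupal core still needs the 8.1.10 update."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hypothetical site names and versions, not real hosts).
SAMPLE_INVENTORY = {
    "intranet": "8.1.9",
    "blog": "8.1.10",
    "shop": "8.0.6",
    "legacy": "7.50",
    "docs": "8.2.0",
}

if __name__ == "__main__":
    print(affected_sites(SAMPLE_INVENTORY))  # ['intranet', 'shop']
```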