September 2016

Drupal Core - Critical - Multiple Vulnerabilities

* Advisory ID: DRUPAL-SA-CORE-2016-004
* Project: Drupal core
* Version: 8.x
* Date: 2016-September-21
* Security risk: 18/25 (Critical)
* Vulnerability:

DESCRIPTION

Users without "Administer comments" can set comment visibility on nodes they can edit.

Flag Lists - Moderately Critical - Cross Site Scripting

* Advisory ID: DRUPAL-SA-CONTRIB-2016-051
* Project: Flag Lists (third-party module)
* Version: 7.x
* Date: 2016-September-07
* Security risk: 14/25 (Moderately Critical)
* Vulnerability: Cross Site Scripting

DESCRIPTION

This module enables regular users to create unlimited private flags called
lists.

The flag_lists module does not sufficiently filter the output when applying
token strings to flag_lists links, leading to a persistent Cross Site
Scripting (XSS) vulnerability.