September 2016

Drupal Core - Critical - Multiple Vulnerabilities


Users who have rights to edit a node can set the visibility on comments for that node.

* Advisory ID: DRUPAL-SA-CORE-2016-004
* Project: Drupal core
* Version: 8.x
* Date: 2016-September-21
* Security risk: 18/25 (Critical)
* Vulnerability:


Users without "Administer comments" can set comment visibility on nodes they can edit.

Flag Lists - Moderately Critical - Cross Site Scripting

* Advisory ID: DRUPAL-SA-CONTRIB-2016-051
* Project: Flag Lists (third-party module)
* Version: 7.x
* Date: 2016-September-07
* Security risk: 14/25 (Moderately Critical)
* Vulnerability: Cross Site Scripting


This module enables regular users to create unlimited private flags called

The flag_lists module doesn't sufficiently filter the output when applying
token strings to flag_lists links, leading to a persistent Cross Site
Scripting (XSS) attack.