Drupal 8.1.10
26 September 2016
Drupal version 8.1.10 is now available.
Upgrading to Drupal 8.1.10
Drupal 8.1.10 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Drupal updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Drupal install to test the 8.1.10 upgrade prior to applying it live. Get started managing your Drupal installations with Installatron.
What's New in Drupal 8.1.10
Security
- Users without "Administer comments" can set comment visibility on nodes they can edit (less critical): Users who have rights to edit a node can set the visibility on comments for that node. This should be restricted to those who have the "Administer comments" permission.
- Cross-site Scripting in HTTP exceptions (critical): An attacker could create a specially crafted URL, which could execute arbitrary code in the victim’s browser if loaded. Drupal was not properly sanitizing an exception
- Full config export can be downloaded without administrative permissions (critical): The system.temporary route would allow the download of a full config export. The full config export should be limited to those with the "Export configuration" permission.