Drupal researchers released a security report on August 16, 2017, stating that several bugs in Drupal 8 had been fixed and that security patches had been published online. According to the report, the vulnerabilities affect multiple components of Drupal 8, including the entity access system, the REST API, and some Views components.
See the following for more information about the vulnerability.
CVE identifier
CVE-2017-6923, CVE-2017-6924, CVE-2017-6925
Vulnerability name
Multiple Drupal high-risk vulnerabilities
Vulnerability rating
High
Vulnerability description
CVE-2017-6925
This vulnerability in Drupal 8 (fixed in 8.3.7) affects the entity system and allows an attacker to view, create, delete, or update entities. It only affects entity types that do not use UUIDs and that apply different access restrictions to different revisions of the same entity, which limits its impact.
CVE-2017-6924
This vulnerability in Drupal 8 allows an attacker to bypass access permissions. When the REST API is in use, a user without the required permission can post comments over REST. It is currently rated high risk; it affects sites that have the RESTful Web Services module and the comment entity REST resource enabled.
CVE-2017-6923
This critical vulnerability in Drupal 8 affects the view components. When creating a view, a user can optionally use Ajax to update the displayed data through filter parameters. The views subsystem/module does not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.
Condition and method of exploitation
Remote exploitation
Affected scope
Drupal core 8.x < 8.3.7
Drupal 7 core is not affected
Vulnerability detection
Check whether any affected version is used.
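An added version check (not part of the original report) that reads the core version from a Drupal 8 docroot's core/lib/Drupal.php and decides whether it falls inside the affected scope "Drupal core 8.x < 8.3.7"; the sample Drupal.php text below is constructed, and treating a pre-release build of 8.3.7 as still affected is a conservative assumption.

```python
import re
from pathlib import Path

# Drupal 8 declares its core version as `const VERSION = '8.x.y';` in core/lib/Drupal.php.
VERSION_RE = re.compile(r"const\s+VERSION\s*=\s*'([^']+)'")
FIXED = (8, 3, 7)  # the fix shipped in Drupal core 8.3.7 (per the advisory's affected scope)


def parse_version(version: str):
    """Split '8.3.6', '7.56' or '8.4.0-dev' into ((major, minor, patch), prerelease_tag)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return nums, m.group(4)


def is_affected(version: str) -> bool:
    """True if the version is inside 'Drupal core 8.x < 8.3.7'."""
    nums, pre = parse_version(version)
    if nums[0] != 8:
        return False  # Drupal 7 core is not affected per the advisory
    if nums < FIXED:
        return True
    # Conservative assumption: a pre-release of 8.3.7 itself (e.g. 8.3.7-rc1)
    # is treated as not yet carrying the fix.
    return nums == FIXED and pre is not None


def version_from_drupal_php(source: str) -> str:
    """Extract the VERSION constant from the text of core/lib/Drupal.php."""
    m = VERSION_RE.search(source)
    if not m:
        raise ValueError("no VERSION constant found in Drupal.php")
    return m.group(1)


def check_docroot(docroot):
    """Return (version, affected) for a Drupal 8 site rooted at `docroot`."""
    src = Path(docroot, "core", "lib", "Drupal.php").read_text(encoding="utf-8")
    version = version_from_drupal_php(src)
    return version, is_affected(version)


# Constructed fragment of Drupal.php so the check can be exercised without a site checkout.
SAMPLE_DRUPAL_PHP = "class Drupal {\n  const VERSION = '8.3.6';\n  const CORE_COMPATIBILITY = '8.x';\n}\n"

if __name__ == "__main__":
    v = version_from_drupal_php(SAMPLE_DRUPAL_PHP)
    print(v, "affected" if is_affected(v) else "not affected")
```

Run check_docroot("/var/www/html") against a real site; on the constructed sample it reports 8.3.6 as affected.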
How to fix or mitigate
Drupal 8 users are advised to upgrade to the latest official version.