Drupal released a security advisory on August 16, 2017, reporting that several vulnerabilities in Drupal 8 had been fixed and that patched releases were available. According to the advisory, the vulnerabilities affect multiple components of Drupal 8, including the entity access system, the REST API, and parts of the Views module.
See the following for more information about the vulnerabilities.
CVE-2017-6923, CVE-2017-6924, CVE-2017-6925
Multiple Drupal high-risk vulnerabilities
This vulnerability, fixed in Drupal 8.3.7, affects the entity access system and allows an attacker to view, create, delete, or update entities. It only affects entities that do not have UUIDs and entities that have different access restrictions on different revisions of the same entity.
This vulnerability in Drupal 8 allows an attacker to bypass access permissions: any user without the permission to post comments can post comments through the REST API. It is currently rated as high risk; it affects sites that have the RESTful Web Services module and the comment entity REST resource enabled.
This critical vulnerability in Drupal 8 affects the Views component. When creating a view, a user can optionally use Ajax to update the displayed data through filter parameters. The Views subsystem/module does not restrict access to the Ajax endpoint to only those views configured to use Ajax. The issue is mitigated if the view itself has access restrictions configured. It is best practice to always put some form of access restriction on every view, even if another module is used to display it.
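The best practice above (every view carries an access restriction) can be audited against a site's exported configuration. The following shell script is an added example, not code from the advisory or from the Drupal project; it assumes the usual Drupal 8 layout in which each view is exported as views.view.NAME.yml and a display's access plugin appears as an "access:" key followed by "type: none" (unrestricted), "type: perm" or "type: role". The two configuration files it scans are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the advisory): list exported views whose access
# plugin is 'none', i.e. views that anyone can reach directly or via Ajax.
# Assumption: the directory holds Drupal 8 config exports named views.view.*.yml.

# Print "NAME: unrestricted" for each view file where any display uses access type 'none'.
views_without_access() {
    confdir="$1"
    for f in "$confdir"/views.view.*.yml; do
        [ -f "$f" ] || continue
        name=$(basename "$f" .yml | sed 's/^views\.view\.//')
        # After an "access:" key, look at the next "type:" key beneath it.
        awk -v view="$name" '
            /^[[:space:]]*access:[[:space:]]*$/ { in_access = 1; next }
            in_access && /^[[:space:]]*type:/ {
                if ($2 == "none") unrestricted = 1
                in_access = 0
            }
            END { if (unrestricted) print view ": unrestricted" }' "$f"
    done
}

# Constructed sample config directory: one restricted view, one unrestricted view.
make_sample_config() {
    d=$(mktemp -d)
    cat > "$d/views.view.frontpage.yml" <<'EOF'
langcode: en
status: true
id: frontpage
display:
  default:
    display_options:
      access:
        type: perm
        options:
          perm: 'access content'
EOF
    cat > "$d/views.view.internal_reports.yml" <<'EOF'
langcode: en
status: true
id: internal_reports
display:
  default:
    display_options:
      access:
        type: none
        options: {  }
EOF
    printf '%s\n' "$d"
}

# Usage: run the audit over the constructed samples.
cfg=$(make_sample_config)
views_without_access "$cfg"    # prints: internal_reports: unrestricted
rm -rf "$cfg"
```

On a real site, point views_without_access at the config export directory (commonly config/sync) and review each reported view; a view that must stay public should at least carry a deliberate permission such as 'access content' rather than 'none'.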
Affected versions and conditions for exploitation
Drupal core 8.x < 8.3.7
Drupal 7 core is not affected
Check whether any affected version is used.
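One way to carry out that check on a Drupal 8 installation is to read the core version string and compare it against the fixed release named above (8.3.7). The script below is an added example, not code from the advisory or the Drupal project; it assumes the site root contains core/lib/Drupal.php with a line of the form "const VERSION = '8.3.x';", which is where Drupal 8 records its version. The site root it inspects is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the advisory): is this Drupal 8 core older than 8.3.7?
# Assumption: Drupal 8 stores its version in core/lib/Drupal.php as
#   const VERSION = '8.3.7';

# Print the core version string found in a Drupal 8 site root.
drupal_core_version() {
    root="$1"
    sed -n "s/^[[:space:]]*const VERSION = '\([^']*\)';.*/\1/p" "$root/core/lib/Drupal.php" | head -n 1
}

# Return 0 (true) if an 8.x version is older than 8.3.7, 1 otherwise.
# Versions outside 8.x (e.g. Drupal 7) are reported as not affected by this advisory.
# Pre-release suffixes (-dev, -rc1) are stripped, so 8.3.7-dev is treated as 8.3.7.
drupal_version_affected() {
    v="$1"
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    patch=$(printf '%s' "$v" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ "$major" = "8" ] || return 1
    if [ "${minor:-0}" -lt 3 ]; then return 0; fi
    if [ "${minor:-0}" -gt 3 ]; then return 1; fi
    [ "${patch:-0}" -lt 7 ]
}

# Constructed sample: a throwaway directory laid out like a Drupal 8 root at the given version.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/core/lib"
    printf "<?php\nclass Drupal {\n  const VERSION = '%s';\n}\n" "$1" > "$d/core/lib/Drupal.php"
    printf '%s\n' "$d"
}

# Usage: check the constructed sample root.
root=$(make_sample_root 8.3.6)
ver=$(drupal_core_version "$root")
if drupal_version_affected "$ver"; then
    echo "Drupal core $ver: affected by CVE-2017-6923/6924/6925, upgrade to 8.3.7 or later"
else
    echo "Drupal core $ver: not affected"
fi
rm -rf "$root"
```

Against a real installation, replace the sample root with the site's document root; the same comparison can be folded into a fleet-wide inventory script so that every Drupal 8 host is checked the same way.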
How to fix or mitigate
Drupal 8 users are advised to upgrade to the latest official release (8.3.7 or later).