Insufficient Access Control in Drupal 8.x before 8.1.10

Insufficient Access Control in Drupal 8.x before 8.1.10

CVE-2016-7572 · MEDIUM Severity

AV:N/AC:L/AU:S/C:P/I:N/A:N

The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors.

Learn more about our User Device Pen Test.