The Drupal Security Team issued updates for a pair of critical flaws, one allowing remote code execution and another giving access to parts of the system without full administrative permissions.
The first critical issue is cross-site scripting exceptions that would allow an attacker, who created a specially crafted URL, to execute arbitrary code in a victim’s browser. This vulnerability existed because Drupal was not properly sanitizing an exception. The second would allow non-authorized personnel to download a full config report, which should normally be limited to only those with export configuration permission.
A less critical problem was also patched, stopping users who only have rights to edit a node from being able to set the visibility of comments for that node.
The updates are listed under advisory DRUPAL-SA-CORE-2016-004. The vulnerabilities affect Drupal version 8.x and are patched by upgrading to version 8.1.10.