Drupal patched multiple vulnerabilities in both Drupal 7 and Drupal 8, including a comment reply form flaw that allows access to restricted content and an incomplete JavaScript cross-site scripting prevention flaw, both rated critical.
The comment reply form vulnerability was mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments, according to a Feb. 21 security advisory.
The update also included patches for a private file access bypass flaw, a jQuery vulnerability with untrusted domains, a language fallback that can be incorrect on multilingual sites with node access restrictions, and a settings tray access bypass, all of which were rated moderately critical.
A less critical issue, external link injection on 404 pages, which could allow an attacker to trick users into unwillingly navigating to an external site, was also addressed.