Drupal 8.2.7, a maintenance release which contains fixes for security vulnerabilities, is now available for download.
Download Drupal 8.2.7
Upgrading your existing Drupal 8 sites is strongly recommended. This release contains no new features and no non-security-related bug fixes. See the 8.2.7 release notes for details on important changes and known issues affecting this release. Read on for details of the security vulnerabilities that were fixed in this release.
Advisory ID: DRUPAL-SA-CORE-2017-001
Project: Drupal core
Editor module incorrectly checks access to inline private files – Drupal 8 – Access Bypass – Critical – CVE-2017-6377
When adding a private file via a configured text editor (like CKEditor), the editor will not correctly check access for the file being attached, resulting in an access bypass.
Some admin paths were not protected with a CSRF token – Drupal 8 – Cross Site Request Forgery – Moderately Critical – CVE-2017-6379
Some administrative paths did not include