A flaw was found in Drupal 8. Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.
This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.
Created drupal8 tracking bugs for this issue:
Affects: fedora-all [bug 1548188]
All dependent bugs have been closed. Can this tracking bug be closed as well?
In reply to comment #2:
> All dependent bugs have been closed. Can this tracking bug be closed as
drupal6-6.38-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.