Drupal Improper Access Control Vulnerability - CVE-2016-3162

The File module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allows remote authenticated users to bypass access restrictions and read delete or substitute a link to a file uploaded to an unprocessed form by leveraging permission to create content or comment and upload files.