The Drupal security team has announced critical updates in the Drupal software. Related to comment visibility, cross site scripting and unauthorised export of all configurations:
For the comments editing a user without the permission to administer comments the visibility of nodes can be set. Whoever has rights to edit a node can also change the visibility of comments for that node. This issue is not critical.