Drupal patches multiple vulnerabilities in versions 6 and 7
The security team for open source content management system (CMS) Drupal has released an advisory that details vulnerabilities affecting versions 6 and 7 of the platform and directs users to updated versions of the software.
According to the Wednesday advisory, the CMS was vulnerable to one “critical” vulnerability in its OpenID module that “allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.”
While the vulnerability allowing user “impersonation” affected Drupal versions 6 and 7, three other “less critical” bugs impacting Drupal 7 were also addressed with the updates: two open redirect flaws and an information disclosure vulnerability. Drupal 6 users can upgrade to Drupal core 6.36, while Drupal 7 users can install Drupal core 7.38, the advisory said.