Open source content management (CMS) platform Drupal has issued security patches to address several critical vulnerabilities affecting Drupal 6 and 7.


According to the Wednesday advisory, versions of Drupal prior to 6.37 and 7.39 contain three vulnerabilities, including a cross-site scripting bug in the Autocomplete system, a cross-site request forgery bug in Form API, and an information disclosure flaw in Access system.


The cross-site forgery vulnerability located in Form API “could allow a malicious user to upload files to the site under another user's account,” the advisory said.


Vulnerable versions of Drupal 7 are affected by two additional issues, including a cross-site scripting bug in the Ajax system and a SQL injection vulnerability in Database API.


The SQL injection vulnerability can enable a “user with elevated permissions to inject malicious code in SQL comments,” the advisory said.