An advisory was issued on Wednesday regarding a denial-of-service (DoS) vulnerability in Drupal 7 and a session hijacking flaw in Drupal 6 and 7.
The DoS vulnerability exists in Drupal 7's password hashing API, the advisory indicates: an anonymous user can send specially crafted requests that exhaust CPU and memory, leaving the site unavailable or unresponsive.
For the session hijacking flaw, a “specially crafted request can give a user access to another user’s session, allowing an attacker to hijack a random session,” according to the post.
Upgrading to Drupal core 6.34 or 7.34 will address the “moderately critical” issues, the post indicates. Users who configured a custom session.inc file for Drupal 6 or 7 sites, or a custom password.inc file for Drupal 7 sites, should ensure it is not affected by these vulnerabilities.
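The two checks the advisory asks administrators to make, verifying that core is at 6.34 or 7.34 and spotting sites that swap in a custom session.inc or password.inc, can be scripted. The following Python is an added example written for this page; it is not code from the advisory or from the Drupal project. It assumes that the core version is declared as a `define('VERSION', '...')` constant in a core file and that custom includes are selected through `$conf['session_inc']` and `$conf['password_inc']` entries in settings.php; the sample file fragments are constructed, not taken from a real site.

```python
import re

# Release that closes both issues on each supported branch, per the advisory.
FIXED_MINOR = {6: 34, 7: 34}

# Assumption: a site can replace the default session and password includes by
# setting these keys in settings.php; the key names are not from the advisory.
OVERRIDABLE_INCLUDES = ("session_inc", "password_inc")

VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")
CONF_RE = re.compile(
    r"\$conf\[\s*['\"](session_inc|password_inc)['\"]\s*\]\s*=\s*['\"]([^'\"]+)['\"]"
)


def parse_drupal_version(source: str):
    """Return the VERSION constant from a Drupal core file, or None if absent."""
    m = VERSION_RE.search(source)
    return m.group(1) if m else None


def needs_upgrade(version: str) -> bool:
    """True if this core version is older than the fixed release for its branch.

    Only the numeric major.minor part is compared, so a '-dev' snapshot of the
    fixed minor is reported as patched and should be reviewed by hand.
    """
    m = re.match(r"^(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    if major not in FIXED_MINOR:
        raise ValueError(f"Drupal {major}.x is not covered by this advisory")
    return minor < FIXED_MINOR[major]


def find_include_overrides(settings_source: str) -> dict:
    """Map each overridden include (session_inc / password_inc) to its custom path."""
    return {name: path for name, path in CONF_RE.findall(settings_source)}


def audit(version_source: str, settings_source: str) -> dict:
    """Combine both checks into a single report for one site."""
    version = parse_drupal_version(version_source)
    if version is None:
        raise ValueError("could not find VERSION constant in core file")
    return {
        "version": version,
        "needs_upgrade": needs_upgrade(version),
        # Any entry here is a custom file that must be reviewed separately,
        # because upgrading core does not touch it.
        "custom_includes": find_include_overrides(settings_source),
    }


# Constructed sample inputs (not real site files): a Drupal 7.33 core fragment
# and a settings.php that swaps in a custom session handler.
SAMPLE_CORE = "<?php\n/**\n * The current system version.\n */\ndefine('VERSION', '7.33');\n"
SAMPLE_SETTINGS = (
    "<?php\n"
    "$conf['cache'] = 1;\n"
    "$conf['session_inc'] = 'sites/all/custom/session.inc';\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE_CORE, SAMPLE_SETTINGS))
```

On the sample input the report flags both conditions: the site runs 7.33 and so needs the 7.34 upgrade, and it carries a custom session.inc that the core upgrade will not replace and that therefore has to be reviewed against the session-handling fix on its own.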