File upload access bypass and denial of service (File module - Drupal 7 and 8 - Moderately Critical)
Brute force amplification attacks via XML-RPC (XML-RPC server - Drupal 6 and 7 - Moderately Critical)
Open redirect via path manipulation (Base system - Drupal 6, 7 and 8 - Moderately Critical)
Form API ignores access restrictions on submit buttons (Form API - Drupal 6 - Critical)
HTTP header injection using line breaks (Base system - Drupal 6 - Moderately Critical)
Open redirect via double-encoded 'destination' parameter (Base system - Drupal 6 - Moderately Critical)
Reflected file download vulnerability (System module - Drupal 6 and 7 - Moderately Critical)
Saving user accounts can sometimes grant the user all roles (User module - Drupal 6 and 7 - Less Critical)
Email address can be matched to an account (User module - Drupal 7 and 8 - Less Critical)
Session data truncation can lead to unserialization of user provided data (Base system - Drupal 6 - Less Critical)