This security advisory fixes multiple vulnerabilities.
See below for a list.
Cross-site Scripting - Ajax system - Drupal 7
A vulnerability was found that allows a malicious
user to perform a cross-site scripting attack by
invoking Drupal.ajax() on a whitelisted HTML element.
This vulnerability is mitigated on sites that do not
allow untrusted users to enter HTML.
Cross-site Scripting - Autocomplete system - Drupal 6 and 7
A cross-site scripting vulnerability was found in
the autocomplete functionality of forms. The
requested URL is not sufficiently sanitized.
This vulnerability is mitigated by the fact that
the malicious user must be allowed to upload files.
SQL Injection - Database API - Drupal 7
A vulnerability was found in the SQL comment
filtering system which could allow a user with
elevated permissions to inject malicious code in
SQL comments.
This vulnerability is mitigated by the fact that
only one contributed module that the security team
found uses the comment filtering system in a way
that would trigger the vulnerability. That module
requires you to have a very high level of access
in order to perform the attack.
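As an added illustration of the comment-filtering class of bug described above (this is not Drupal's code, and the "naive" filter is a hypothetical weak implementation, not the one the advisory refers to), the following Python compares a single-pass delimiter strip with a sanitiser that makes it impossible for comment text to close the comment or end a statement; the input string is constructed for the demo.

```python
import re

# Constructed sample of text that a caller might place inside a "/* ... */"
# comment prepended to a query (for example, to tag the query's origin).
UNTRUSTED_COMMENT = "report **// SELECT 1"


def filter_comment_naive(comment: str) -> str:
    """Hypothetical weak filter: strip '/*' and '*/' in one pass.
    Overlapping input such as '**//' still leaves '*/' behind after the
    inner pair is removed, so the comment can be closed early."""
    return re.sub(r"/\*\s*|\s*\*/", "", comment)


def filter_comment_hardened(comment: str) -> str:
    """Neutralise the delimiters instead of stripping them: pad every '*'
    so a '*/' sequence can never be formed by any input, and turn ';' into
    '.' so the text can never terminate a statement either."""
    return comment.replace("*", " * ").replace(";", ".")


def prefix_query(sql: str, comment: str, sanitizer) -> str:
    """Prepend a sanitised comment to a query."""
    return f"/* {sanitizer(comment)} */ {sql}"


def comment_closed_early(query: str) -> bool:
    """True if the prepended comment ends before the intended terminator,
    i.e. the sanitised text still carried a '*/' of its own."""
    return query.find("*/") != query.rfind("*/")


def demo() -> tuple:
    """Returns (naive_closes_early, hardened_closes_early)."""
    naive = prefix_query("SELECT name FROM users", UNTRUSTED_COMMENT,
                         filter_comment_naive)
    hardened = prefix_query("SELECT name FROM users", UNTRUSTED_COMMENT,
                            filter_comment_hardened)
    return comment_closed_early(naive), comment_closed_early(hardened)


if __name__ == "__main__":
    print(demo())  # (True, False)
```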
Cross-site Request Forgery - Form API - Drupal 6 and 7
A vulnerability was discovered in Drupal's form API
that could allow file upload value callbacks to run
with untrusted input, due to form token validation
not being performed early enough. This vulnerability
could allow a malicious user to upload files to the
site under another user's account.
This vulnerability is mitigated by the fact that
the uploaded files would be temporary, and Drupal
normally deletes temporary files automatically
after 6 hours.
Information Disclosure in Menu Links - Access system - Drupal 6 and 7
Users without the "access content" permission
can see the titles of nodes that they do not have
access to, if the nodes are added to a menu on the
site that the users have access to.