The core OpenID module does not correctly implement Form API for
the form that allows one to link user accounts with OpenID
identifiers. A malicious user is therefore able to use cross-site
request forgeries to add attacker-controlled OpenID identities to
existing accounts. These OpenID identities can then be used to gain
access to the affected accounts.

The OpenID module is not a compliant implementation of the OpenID
Authentication 2.0 specification. An implementation error allows a
user to access the account of another user when they share the same
OpenID 2.0 provider.

File uploads with certain extensions are not correctly processed by
the File API. This may lead to the creation of files that are
executable by Apache. The .htaccess file that is saved into the files
directory by Drupal should normally prevent execution. The files are
only executable when the server is configured to ignore the directives
in the .htaccess file.

Drupal doesn't regenerate the session ID when an anonymous user
follows the one-time login link used to confirm email addresses and
reset forgotten passwords. This enables a malicious user to fix and
reuse the session ID of a victim under certain circumstances.
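
The session ID handling described in the last paragraph, as an added example that is not Drupal code and not part of the original advisory: a minimal in-memory model comparing a one-time login handler that keeps the pre-login session ID with one that regenerates it. `SessionStore`, `one_time_login` and the user ID 42 are hypothetical names and constructed values.

```python
import secrets

ANONYMOUS = 0  # uid used here for a session that has not logged in


class SessionStore:
    """Hypothetical in-memory stand-in for a server-side session table."""

    def __init__(self):
        self._data = {}  # session ID -> session record

    def create(self):
        # New anonymous session with an unpredictable ID
        sid = secrets.token_urlsafe(32)
        self._data[sid] = {"uid": ANONYMOUS}
        return sid

    def uid(self, sid):
        # Unknown IDs are treated as anonymous
        return self._data.get(sid, {"uid": ANONYMOUS})["uid"]

    def set_uid(self, sid, uid):
        self._data.setdefault(sid, {"uid": ANONYMOUS})["uid"] = uid

    def regenerate(self, old_sid):
        # Move the record to a fresh ID and invalidate the old one
        new_sid = secrets.token_urlsafe(32)
        self._data[new_sid] = self._data.pop(old_sid, {"uid": ANONYMOUS})
        return new_sid


def one_time_login(store, sid, uid, regenerate=True):
    """Handle an already validated one-time login link.

    Returns the session ID to place in the browser's cookie.
    regenerate=False models the behaviour the advisory describes.
    """
    if regenerate:
        sid = store.regenerate(sid)  # privilege change: issue a new ID
    store.set_uid(sid, uid)
    return sid


def pre_login_id_is_authenticated(regenerate):
    """True if a session ID known before login is authenticated afterwards."""
    store = SessionStore()
    known_sid = store.create()  # ID that existed before the login
    cookie = one_time_login(store, known_sid, uid=42, regenerate=regenerate)
    assert store.uid(cookie) == 42  # the legitimate browser is logged in
    return store.uid(known_sid) != ANONYMOUS
```

With regeneration enabled, the pre-login ID no longer maps to any session record, so only the cookie issued at login carries the authenticated state.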