Impersonation (OpenID module - Drupal 6 and 7 - Critical)
A vulnerability was found in the OpenID module that allows
a malicious user to log in as other users on the site,
including administrators, and hijack their accounts.
This vulnerability is mitigated by the fact that the victim
must have an account with an associated OpenID identity from
a particular set of OpenID providers (including, but not
limited to, Verisign, LiveJournal, or StackExchange).

Open redirect (Field UI module - Drupal 7 - Less critical)
The Field UI module uses a "destinations" query string parameter
in URLs to redirect users to new destinations after completing
an action on a few administration pages. Under certain
circumstances, malicious users can use this parameter to
construct a URL that will trick users into being redirected
to a third-party website, thereby exposing the users to potential
social engineering attacks.
This vulnerability is mitigated by the fact that only sites
with the Field UI module enabled are affected.
Drupal 6 core is not affected, but see the similar advisory
for the Drupal 6 contributed CCK module:
SA-CONTRIB-2015-126

Open redirect (Overlay module - Drupal 7 - Less critical)
The Overlay module displays administrative pages as a layer
over the current page (using JavaScript), rather than replacing
the page in the browser window. The Overlay module does not
sufficiently validate URLs prior to displaying their contents,
leading to an open redirect vulnerability.
This vulnerability is mitigated by the fact that it can only
be used against site users who have the "Access the administrative
overlay" permission, and that the Overlay module must be enabled.
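Both open redirects above come down to the same missing check: a redirect target taken from the request must be confirmed to be a local path before it is used. The following is an added example, not code from Drupal or from this advisory, written in Python rather than Drupal's PHP because the check is framework-independent; the `choose_destination` helper and its multi-valued input are assumptions modelling a "destinations"-style parameter, not the module's actual request format. It rejects absolute URLs, scheme-prefixed values, and the scheme-relative forms (`//host`, `///host`, `/\host`) that browsers resolve to an external host.

```python
from urllib.parse import urlsplit

def is_safe_local_destination(dest: str) -> bool:
    """Accept only a same-site path (optionally with query/fragment).

    Validate the value in the form the framework will actually emit in
    the Location header, i.e. after its own query-string decoding.
    """
    if not isinstance(dest, str) or not dest:
        return False
    # Browsers strip or tolerate control characters and whitespace in
    # URLs; a value containing any is not a plain path we want to trust.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in dest):
        return False
    # Browsers treat a backslash like a forward slash, so "/\evil.example"
    # is really "//evil.example". Normalize before inspecting.
    normalized = dest.replace("\\", "/")
    # "//host", "///host", ... are all scheme-relative to an external host.
    if normalized.startswith("//"):
        return False
    parts = urlsplit(normalized)
    # Any explicit scheme (http:, javascript:, data:) or authority means
    # the target is not a local path. This also rejects a first path
    # segment containing ':' such as "admin:foo", which is deliberate.
    if parts.scheme or parts.netloc:
        return False
    return True

def choose_destination(candidates, default: str) -> str:
    """Return the first acceptable destination, else the default path.

    Hypothetical helper modelling a multi-valued "destinations" parameter
    (constructed, not the module's real format): untrusted entries are
    dropped rather than passed to the redirect.
    """
    for dest in candidates:
        if is_safe_local_destination(dest):
            return dest
    return default

if __name__ == "__main__":
    # Constructed sample inputs mixing a legitimate admin path with
    # external and scheme-relative targets.
    samples = ["https://evil.example/login", "//evil.example", "/\\evil.example",
               "javascript:alert(1)", "admin/structure/types"]
    for s in samples:
        print(f"{s!r:32} -> {is_safe_local_destination(s)}")
    print(choose_destination(samples, "admin"))  # admin/structure/types
```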

Information disclosure (Render cache system - Drupal 7 - Less critical)
On sites utilizing Drupal 7's render cache system to cache
content on the site by user role, private content viewed by
user 1 may be included in the cache and exposed to non-privileged
users.
This vulnerability is mitigated by the fact that render caching
is not used in Drupal 7 core itself (it requires custom code or
the contributed Render Cache module to enable) and that it only
affects sites that have user 1 browsing the live site. Exposure is
also limited if an
administrative role has been assigned to the user 1 account (which
is done, for example, by the Standard install profile that ships
with Drupal core).