Drupal Security Team reports:
Multiple vulnerabilities were fixed in the supported Drupal
core versions 6 and 7.
- Multiple vulnerabilities due to optimistic cross-site
request forgery protection (Form API validation - Drupal 6
and 7)
- Multiple vulnerabilities due to weakness in pseudorandom
number generation using mt_rand() (Form API, OpenID and
random password generation - Drupal 6 and 7)
- Code execution prevention (Files directory .htaccess for
Apache - Drupal 6 and 7)
- Access bypass (Security token validation - Drupal 6 and 7)
- Cross-site scripting (Image module - Drupal 7)
- Cross-site scripting (Color module - Drupal 7)
- Open redirect (Overlay module - Drupal 7)