FreshPorts - VuXML

Drupal Security Team reports:

1. Arbitrary PHP code execution

   A bug in the installer code was identified that allows an attacker to re-install Drupal using an external database server under certain transient conditions. This could allow the attacker to execute arbitrary PHP code on the original server.

2. Information disclosure - OpenID module

   For sites using the core OpenID module, an information disclosure vulnerability was identified that allows an attacker to read files on the local filesystem by attempting to log in to the site using a malicious OpenID server.

< 7.16

Drupal Security Team reports:

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

• Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation - Drupal 6 and 7)
• Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation - Drupal 6 and 7)
• Code execution prevention (Files directory .htaccess for Apache - Drupal 6 and 7)
• Access bypass (Security token validation - Drupal 6 and 7)
• Cross-site scripting (Image module - Drupal 7)
• Cross-site scripting (Color module - Drupal 7)
• Open redirect (Overlay module - Drupal 7)

< 6.29

< 7.24

Drupal Security Team reports:

Cross-site scripting (Various core and contributed modules)

Access bypass (Book module printer friendly version)

Access bypass (Image module)

< 6.28

< 7.19

Drupal Security Team reports:

Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load. Either of these effects may lead to the site becoming unavailable or unresponsive.

< 7.19