In a security advisory on its website, Drupal said that one of the vulnerabilities enabled password reset URLs to be forged under certain circumstances. This would allow an attacker to gain access to another user’s account without knowing the account’s password.
Though the access bypass vulnerability could affect Drupal 6 and 7 sites, “Drupal 6 sites with empty password hashes, or a password field with a guessable string in the database, are especially prone to this vulnerability,” according to Drupal.org.
The second vulnerability allowed malicious users to construct a URL that will trick users into being redirected to a 3rd
“Drupal core and contributed modules frequently use a ‘destination’ query string parameter in URLs to redirect users to a new destination after completing an action on the current page,” Drupal’s security advisory said.
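The redirect flaw above is the classic open-redirect pattern: a `destination` parameter meant to hold a site-local path is instead resolved by the browser as a link to another host. The following is an added example, not Drupal’s own code or fix, showing the kind of validation a site can apply to such a parameter before issuing the redirect. It assumes Drupal’s convention of a path without a leading slash (such as `node/1`) and a hypothetical fallback path of `user`; the input strings in the comments are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed scenario: the application reads ?destination=... and must only
# redirect to paths on its own site. Values such as "node/1" are expected;
# anything a browser would resolve to another host must be refused.


def is_local_destination(destination: str) -> bool:
    """Return True only when `destination` resolves to a path on this site."""
    if not destination:
        return False
    # Decode once so percent-encoded slashes or colons cannot hide a remote target.
    candidate = unquote(destination)
    # Browsers treat backslashes as forward slashes in URLs; normalise first.
    candidate = candidate.replace("\\", "/")
    # Reject control characters (CR/LF would permit response-header splitting).
    if re.search(r"[\x00-\x1f\x7f]", candidate):
        return False
    # Protocol-relative forms ("//host", "///host") leave the site.
    if candidate.startswith("//"):
        return False
    # A scheme or network location means an absolute URL.
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False
    # A colon in the first path segment (e.g. "javascript:...") is read as a
    # scheme by some parsers even when urlsplit disagrees; refuse it as well.
    if ":" in candidate.split("/", 1)[0]:
        return False
    return True


def choose_redirect(destination: str, fallback: str = "user") -> str:
    """Return `destination` if it is site-local, otherwise the fallback path."""
    return destination if is_local_destination(destination) else fallback


if __name__ == "__main__":
    # Constructed sample inputs; the first two are accepted, the rest refused.
    for sample in ["node/1", "/admin/config", "http://evil.example/",
                   "//evil.example/x", "/\\evil.example",
                   "%2F%2Fevil.example", "javascript:alert(1)"]:
        print(f"{sample!r:28} -> {choose_redirect(sample)!r}")
```

The check is deliberately conservative: rather than trying to enumerate every host-spoofing trick, it accepts only what is unambiguously a local path and sends everything else to a fixed local fallback.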
There are more than 1.1 million websites using Drupal, and version 7 is the most popular with roughly 983,000 installs, according to a report by SecurityWeek.