Vulnerabilities have been reported in Drupal 6 and 7 core that could allow unauthorized access. Drupal is an open source content management system (CMS) written in PHP. A specially crafted request could give one user access to another user's session, allowing an attacker to hijack a random session belonging to another user. This could allow the attacker to gain unauthorized access to information or services on the affected system.
Drupal core 6.x versions prior to 6.34
Drupal core 7.x versions prior to 7.34
Vulnerabilities have been discovered in Drupal 6 and 7 core that could allow session hijacking. Specifically, the vulnerabilities are:
Due to the way certain Drupal 7 sites serve both HTTP and HTTPS content ("mixed-mode"), a specially crafted request could allow unauthorized access to information or services on the affected system. Other attack vectors for this vulnerability may exist in Drupal 6 and Drupal 7, but details are unknown at this time.
The Drupal 7 password hashing API could allow an attacker to send specially crafted requests that result in CPU and memory exhaustion, causing a denial of service.
Update to a non-vulnerable version of Drupal core.
Remind users not to click links from unknown sources, and not to click links without verifying the intended destination.
Do not open email attachments from unknown or untrusted sources.
Consider implementing file extension whitelists for allowed email attachments.
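To verify that the update recommended above has been applied, the following script is added here as an example (it is not part of the advisory or of Drupal): it reads Drupal's VERSION constant from the docroot (assumed to be defined in includes/bootstrap.inc for 7.x and modules/system/system.module for 6.x) and reports whether the installed core falls in an affected range.

```python
import re
import sys
from pathlib import Path

# Fixed releases named in the advisory; a lower minor on the same branch is affected.
FIXED = {6: 34, 7: 34}
# Assumed locations of the VERSION define: Drupal 7 (bootstrap.inc), Drupal 6 (system.module).
VERSION_FILES = ["includes/bootstrap.inc", "modules/system/system.module"]
VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(php_source):
    """Return (major, minor) from a define('VERSION', ...) in PHP source, or None.
    Dev snapshots such as '7.x-dev' or '7.34-dev' return None: they may predate the fix."""
    m = VERSION_RE.search(php_source)
    if not m or "-" in m.group(1):
        return None
    major, _, minor = m.group(1).partition(".")
    if not (major.isdigit() and minor.isdigit()):
        return None
    return int(major), int(minor)


def is_vulnerable(version):
    """True if version is in an affected range, False if not, None if undecidable."""
    if version is None:
        return None
    major, minor = version
    if major not in FIXED:
        return False  # branch not covered by this advisory
    return minor < FIXED[major]


def check_docroot(docroot):
    """Locate the VERSION define under a Drupal docroot and classify it."""
    for rel in VERSION_FILES:
        path = Path(docroot) / rel
        if path.is_file():
            version = parse_version(path.read_text(errors="replace"))
            return version, is_vulnerable(version)
    return None, None  # no recognised core file found


if __name__ == "__main__":
    if len(sys.argv) > 1:
        version, vuln = check_docroot(sys.argv[1])
    else:  # constructed sample input when no docroot is given
        version = parse_version("define('VERSION', '7.33');")
        vuln = is_vulnerable(version)
    print(f"version={version} vulnerable={vuln}")
```

Run it with the Drupal docroot as the only argument; a result of None means the version string could not be classified (for example a dev snapshot) and should be checked by hand.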