The developer of Drupal, a popular open source content management system, has released versions 6.36 and 7.38 to patch numerous vulnerabilities. The releases address open redirect, information disclosure and access bypass bugs.
This critical access bypass flaw allows attackers to impersonate users and hijack their accounts and affects both Drupal 6 and 7. The vulnerability can only be exploited against users who have an OpenID account from certain providers (eg Verisign, LiveJournal and others).
Experts have also discovered two other less critical vulnerabilities in Drupal 7. One of these bugs affects the Field UI module and is related to the destinations query string parameter that is used in URLs to redirect users to a new page after completing an action on administration pages. This bug does not affect Drupal 6, but uses a similar open redirect vulnerability that involves the Content Construction Kit (CCK).
The latest version of Drupal 7 also mends an information disclosure bug related to the render cache system. Some Drupal websites use the system to cache content by user role.
Users are advised to update their installations as soon as possible.