Several security vulnerabilities were recently identified in the Drupal core platform. The security risk is ranked as “Highly Critical” by the Drupal Team. We recommend Drupal users update their versions as soon as possible in order to mitigate the possibility of malicious attacks that take advantage of these flaws.
There are separate updates for Drupal users running 7.x and for those still using 6.x versions of Drupal. These update releases are Drupal 7.26 and Drupal 6.30, respectively.
These maintenance updates address these security flaws, including a highly critical vulnerability in the OpenID module that allows a malicious user to hijack an administrator’s account.
Another vulnerability addressed in these updates involves the Taxonomy module, where, under certain conditions, unpublished content could appear on pages tagged with a particular taxonomy term, and would be visible to users who should not have permission to see it.
Note that the Taxonomy module update in these releases can affect the performance of sites with a very large number of unpublished nodes in the database. This issue has been reported, and Drupal says a fix will be included in the next bug-fix release of Drupal core.
For more information on the Drupal 7.26 and 6.30 security updates, see the release announcement here. For more information on the specific security flaws mentioned above, read the press release here.
As always, if you have any questions or need help updating your site, contact a member of our support team and our team will be happy to help you.