The updates include a critical patch for a flaw in Drupal 6 and 7 core that could be exploited by attackers for a variety of purposes.
“A vulnerability was found in the OpenID module that allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts,” read the advisory.
“Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a third-party website, thereby exposing the users to potential social engineering attacks.”
Drupal is a content management system (CMS) used by big names including the White House, the Prince of Wales, Tesla Motors, Peugeot, Oxfam, British Council EAL and Amnesty International.
The remaining fixes are ranked as “less critical” and address open redirect and information disclosure bugs in Drupal 7.
“The Overlay module does not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.
“On sites using Drupal 7’s render cache system to cache content on the site by user role, private content viewed by a user may be included in the cache and exposed to non-privileged users.”
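The render-cache flaw the advisory describes, as an added illustration that is not Drupal's own code: when cached output is keyed only by role, the first user's private content is served to the next user with the same role, while adding the user to the cache key (the fix assumed here) keeps each user's content separate. User names and notes are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class User:
    uid: int
    role: str
    private_note: str  # constructed per-user private data


@dataclass
class RenderCache:
    """Minimal render cache; the caller chooses what goes into the key."""
    key_fn: Callable
    store: dict = field(default_factory=dict)

    def render(self, element_id, user, build_fn):
        key = self.key_fn(element_id, user)
        if key not in self.store:          # cache miss: build for this user
            self.store[key] = build_fn(user)
        return self.store[key]             # cache hit: whoever asked first wins


def build_dashboard(user):
    # Markup that mixes role-level content with per-user private content.
    return f"<p>Welcome, role={user.role}</p><p>Note: {user.private_note}</p>"


# Weak: keyed only by role, so users sharing a role share cached output.
def key_by_role(element_id, user):
    return (element_id, user.role)


# Fixed: include the user whenever the rendered output depends on the user.
def key_by_role_and_user(element_id, user):
    return (element_id, user.role, user.uid)


def demo(key_fn):
    """Render for alice, then return what bob (same role) receives."""
    cache = RenderCache(key_fn)
    alice = User(1, "editor", "alice-secret")
    bob = User(2, "editor", "bob-secret")
    cache.render("dashboard", alice, build_dashboard)
    return cache.render("dashboard", bob, build_dashboard)


def leaks(key_fn):
    """True if bob's page contains alice's private note."""
    return "alice-secret" in demo(key_fn)
```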
The widespread use of Drupal led the US Computer Emergency Response Team to issue an advisory urging “users and administrators to review Drupal’s security advisory and apply the necessary updates”.
Drupal is one of many software vendors and projects to issue critical security updates in recent weeks.
Canonical released several patches earlier in June addressing flaws in the Linux kernel and OpenSSL that left Ubuntu users open to privilege escalation and denial-of-service attacks.