A dangerous vulnerability has been fixed in Drupal. The most serious issue outlined in the advisory (CVE-2015-3234) allows a malicious user to log in as other users on the site, including administrators, and hijack their accounts.
For the attack to succeed, the victim must have an account with certain OpenID providers.
The vulnerability, found in the OpenID module, allows a potential attacker to log in as an administrator. However, for a successful attack the victim must have an account associated with certain OpenID providers (for example Verisign, LiveJournal, StackExchange, and some others).
The three other vulnerabilities in Drupal have a lower risk rating because they are much more difficult to use in an attack. Nevertheless, the potential harm from exploiting these flaws is quite high. For example, an error in the Field UI module allows attackers, under certain conditions, to use the «destinations» parameter to redirect the user to an arbitrary website.
Drupal developers recommend installing the security patches by updating the CMS to version 6.36 or 7.38.
Drupal Core – Critical – Multiple Vulnerabilities
Danger level: High
Fix available: Yes
Number of vulnerabilities: 4
Attack vector: Remote
Impact: Disclosure of sensitive data, Security Bypass, System Compromise, Open Redirect, Multiple vulnerabilities
Affected Products: Drupal 6.x, Drupal 7.x
Affected versions: Drupal versions prior to 6.36, Drupal versions prior to 7.38
Vulnerability descriptions:
These vulnerabilities could be used to compromise a vulnerable system.
1. [CVE-2015-3234] This flaw is the most critical of the four. It is caused by an error in the OpenID module. A remote user can log in as an administrative user and take control of the account.
2. [CVE-2015-3232] This less critical vulnerability is caused by an error in the Field UI module. It can be exploited to redirect the user to an arbitrary website.
3. [CVE-2015-3233] This less critical vulnerability is caused by an error in the Overlay module. It can be exploited to redirect the user to an arbitrary website.
4. [CVE-2015-3231] This less critical vulnerability is caused by an error in cache processing. It can be exploited to gain access to sensitive data.
Solution: Install the latest version from the vendor.
Vendor URL: drupal.org
Advisory link: https://www.drupal.org/SA-CORE-2015-002
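
To turn the version and module information above into a patching priority list, the following added example (not part of the advisory or of Drupal) triages a site inventory against the fixed releases 6.36 and 7.38. The inventory is constructed sample data, the module machine names `openid`, `field_ui` and `overlay` are assumptions, and CVE-2015-3231 is reported for every affected version because the page names no module for it.

```python
FIXED = {6: 36, 7: 38}  # first fixed release per branch, taken from the advisory

# CVE -> core module machine name (assumed). None = the page names no module,
# so the CVE is reported for every affected core version (conservative assumption).
CVE_MODULE = {
    "CVE-2015-3234": "openid",
    "CVE-2015-3232": "field_ui",
    "CVE-2015-3233": "overlay",
    "CVE-2015-3231": None,
}

def parse_version(text):
    """Return (major, minor) as ints, or None if not a plain 'X.Y' release."""
    parts = text.strip().split(".")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        return None
    return int(parts[0]), int(parts[1])

def is_affected(version):
    """True/False for 6.x and 7.x releases; None if unparsable or not covered."""
    parsed = parse_version(version)
    if parsed is None or parsed[0] not in FIXED:
        return None
    major, minor = parsed
    # Compare minors as integers: 7.9 is older than 7.38, which a
    # float or string comparison gets wrong.
    return minor < FIXED[major]

def applicable_cves(version, enabled_modules):
    """CVEs to prioritise for one site; None means 'review manually'."""
    affected = is_affected(version)
    if affected is None:
        return None
    if not affected:
        return []
    enabled = {m.lower() for m in enabled_modules}
    return sorted(c for c, mod in CVE_MODULE.items() if mod is None or mod in enabled)

# Constructed inventory: (site, core version, enabled core modules).
INVENTORY = [
    ("intranet", "7.37", ["openid", "overlay"]),
    ("blog", "7.9", ["field_ui"]),
    ("shop", "7.38", ["openid"]),
    ("legacy", "6.35", ["openid"]),
    ("staging", "7.x-dev", ["openid"]),
]

def triage(inventory):
    return {site: applicable_cves(ver, mods) for site, ver, mods in inventory}
```

Sites that come back as `None` (development snapshots, unrecognised version strings) should be checked by hand rather than assumed to be patched.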