The popular open source content management system Drupal has released new versions 6.36 and 7.38, which fix a list of vulnerabilities. One of these vulnerabilities is significant because it lets an attacker take over administrator accounts.
CVE-2015-3234 in OpenID Module
The Drupal security team pointed out in an advisory that CVE-2015-3234 was found in the OpenID module. The flaw allows a malicious user to log in to the site as other users, including administrators, and hijack their accounts. CVE-2015-3234 is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers, such as Verisign, LiveJournal or StackExchange.
Experts Have Also Found Three Other Less Critical Flaws in Drupal’s Versions
One of them is CVE-2015-3232. It concerns websites that use the Drupal 7 Field UI module. Sites affected by this vulnerability can redirect users to a potentially malicious third-party site after they complete an action on administration pages. This vulnerability does not affect Drupal 6, though a similar open redirect flaw involves the Content Construction Kit (CCK).
Another flaw is CVE-2015-3233. It relates to weak validation checks in the Overlay module, which displays pages as an overlay using JavaScript. These lead to another open redirect hole on websites that have enabled the ‘access the administrative overlay’ permission.
The last vulnerability, CVE-2015-3231, is an information disclosure hole in Drupal 7 that could expose sensitive data involving the primary user (user 1) to non-privileged users. It affects only sites that use the Render Cache module or equivalent custom code, so the risk from this hole is not so alarming. The issue applies where the system treats user 1 as a non-admin account, which requires a configuration that differs from the default.
The Drupal developer team advises users to update Drupal to versions 6.36 and 7.38.