Drupal the very popular website Content Management System (CMS) released security updates earlier this month to resolve 5 security issues within versions 6 and 7 of their product.
Cross site scripting (defined) issues were found in the Drupal.ajax() function (a set of instructions that carries out a specific action within a program) and within the autocomplete functionality of forms.
An SQL injection (defined) vulnerability was found in the SQL comment filtering system which could allow a user (once tricked/coerced by an attacker) with elevated privileges to inject malicious code in SQL comments. Such SQL code injection usually results in a user seeing information that would usually be forbidden/denied to them.
A Cross-site Request Forgery (CSRF)(defined) issue within Drupal’s form API was found to allow the upload of a file by an attacker. However this file would only have been available for 6 hours. Finally an information disclosure issue was found where the titles of nodes (add-ons which are placed within the page viewed by the user) would be visible to a user (which they would not usually have access to). The titles of the nodes would be visible on a page of the site that the user does have access to (namely that a page would contain additional information not normally visible).
Drupal users should upgrade to versions 6.37 or 7.39 (as appropriate) to resolve to these issues. Further information and steps to install the updates are available in this Drupal Security Advisory.