Open source content management system (CMS) Drupal has announced critical vulnerabilities in Drupal 6 and 7 and released patches.
Many thousands of websites are at risk of exposing sensitive user information and administrative control of the site unless they are upgraded.
The advisory announcing the vulnerabilities and their fix, DRUPAL-SA-CORE-2015-002, ranks one flaw in the "OpenID" module as Critical, while the three other vulnerabilities are marked Less Critical.
What is the vulnerability?
The flaw, discovered in the OpenID module, a single sign-on extension for Drupal, allows an attacker to log in as other users on the website. An attacker can exploit the bug to impersonate other users, including administrators, gaining full control of the website and posing a serious threat to unpatched sites.
Further, the advisory said that “This vulnerability is mitigated by the fact that the victim must have an account with an associated OpenID identity from a particular set of OpenID providers (including, but not limited to, Verisign, LiveJournal, or StackExchange).”
Other Less Critical vulnerabilities
Among the other three less critical vulnerabilities, two are open redirect bugs that let an attacker trick users into visiting malicious sites without their knowledge. The fourth bug is an information disclosure vulnerability that could allow a malicious user to view cached content viewed by other users.
How can I protect my website against the vulnerability?
Drupal urges administrators and site owners to install the latest version of Drupal immediately to ensure the safety of their websites.
Websites running Drupal core 6.x need to upgrade to 6.36, and those running Drupal core 7.x need to upgrade to 7.38, to safeguard against potential threats and compromise.
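As an added example (not part of the advisory or of Drupal's own code), the following Python script audits one or more Drupal docroots against the fixed releases named above. It reads the VERSION constant from the files where Drupal 6 and 7 core define it (modules/system/system.module and includes/bootstrap.inc); the docroot paths passed on the command line are whatever the administrator supplies.

```python
import re
import sys
from pathlib import Path

# Fixed releases named in SA-CORE-2015-002: anything below these is affected.
FIXED = {6: 36, 7: 38}

# Files where Drupal 6 and Drupal 7 core define the VERSION constant.
VERSION_FILES = {
    6: "modules/system/system.module",
    7: "includes/bootstrap.inc",
}

VERSION_RE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(source: str):
    """Return (major, minor) from a VERSION define, or None if it is absent
    or non-numeric (e.g. a '7.x-dev' checkout, which cannot be judged)."""
    m = VERSION_RE.search(source)
    if not m:
        return None
    major, _, rest = m.group(1).partition(".")
    minor = re.match(r"\d+", rest)
    if not major.isdigit() or not minor:
        return None
    return int(major), int(minor.group(0))


def is_vulnerable(version) -> bool:
    """True when the version is a 6.x or 7.x core release below the fix."""
    major, minor = version
    return major in FIXED and minor < FIXED[major]


def audit_site(root: Path):
    """Inspect one Drupal docroot; return (version, vulnerable) or (None, None)."""
    for rel in VERSION_FILES.values():
        path = root / rel
        if path.is_file():
            version = parse_version(path.read_text(errors="replace"))
            if version:
                return version, is_vulnerable(version)
    return None, None


if __name__ == "__main__":
    for arg in sys.argv[1:]:
        version, vulnerable = audit_site(Path(arg))
        state = "unknown" if version is None else ("VULNERABLE" if vulnerable else "patched")
        print(f"{arg}: {version} {state}")
```

Run it as `python audit_drupal.py /var/www/site1 /var/www/site2` to get one line per docroot; a result of "unknown" means no recognisable VERSION constant was found and the site needs a manual look.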