drupal7

• Author: Miklos Vajna
• Vulnerable: 7.7-1
• Unaffected: 7.12-1mores1

A security issue and a vulnerability have been reported in Drupal, which can be exploited by malicious people to manipulate certain data and bypass certain security restrictions.

1. The security issue is caused due to the OpenID module not properly verifying the signature of Attribute Exchange (AX) information, which can be exploited to manipulate AX information.
2. An error in the File module when using certain field access modules can be exploited to download private files which would otherwise be restricted.

• Bug Tracker URL: https://bugs.frugalware.org/ticket/4655

CVEs:

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0825
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0826
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0827