Content management systems provider Drupal released a series of patches on Wednesday to address four vulnerabilities spread between Drupal core versions 7 and 8, including two errors designated as “moderately critical.”
Among the two more serious problems is a vulnerability that could expose Drupal 7 users to social engineering schemes. According to a Drupal security advisory, under certain circumstances, malicious users can “construct a URL to a confirmation form that would trick users into being redirected to a third-party website after interacting with the form.” The other moderately critical flaw is a denial-of-service vulnerability in Drupal 8's transliterate mechanism that can be exploited with a specially crafted URL.
A “less critical” vulnerability involves the inconsistent naming of access query tags in versions 7 and 8, which can result in the disclosure of taxonomy terms to unprivileged users. Also, in Drupal 8, the user password reset form “does not specify a proper cache context, which can lead to cache poisoning and unwanted content on the page,” the advisory noted.
Drupal core users can install these patches by upgrading to Drupal core 7.52 or 8.2.3.